AT&T has suffered a data breach impacting the information of 73 million of its current and past customers. The dataset leaked on the dark web contains several fields of personal data belonging to AT&T’s customers from 2019 and earlier, the company said in a public statement released on Saturday.

The breached data, according to the company, affects approximately 7.6 million of its existing customers.

“AT&T has determined that AT&T data-specific fields were contained in a data set released on the dark web approximately two weeks ago,” the company said in the statement. “With respect to the balance of the data set, which includes personal information such as social security numbers, the source of the data is still being assessed.”

The company said it is unaware whether the data in those fields originated from AT&T or one of its vendors. Back in March 2023, the company suffered a breach of a similar scale that stemmed from a vendor exploit.

“AT&T has launched a robust investigation supported by internal and external cybersecurity experts,” the company said about its attempts to trace the leak.

Compromise of sensitive customer information

In addition to the 7.6 million existing customers, the dark web data also included the personal details of 65.4 million former AT&T account holders. “The information varied by customer and account, but may have included full name, email address, mailing address, phone number, social security number, date of birth, AT&T account number and passcode,” AT&T acknowledged.

In the 2023 data breach, the attackers specifically accessed and exfiltrated the customer proprietary network information (CPNI) data which pertains to critical subscribers’ information maintained by the telecommunication companies in the US. The CPNI consists of information on the services used, the amount paid for the services, and the type of usage opted for.

The compromised data, this time, does not contain personal financial information or call history, according to the company. However, the company admits it is aware that “a number of AT&T passcodes have been compromised.”

“The recent data breach at AT&T, which has exposed sensitive customer information like Social Security numbers, names, dates of birth, and possibly addresses, presents customers with a new set of risks distinct from previous breaches involving CPNI,” said Sakshi Grover, research manager at IDC. “This breach opens the door to various dangers, including financial fraud and identity theft, as Social Security numbers are prime targets for identity thieves, enabling them to open fraudulent accounts or file false tax returns.”

“As of today, this incident has not had a material impact on AT&T’s operations,” AT&T said in the statement issued on Saturday.

Vigilance cautioned

AT&T said it is reaching out to all 7.6M impacted customers and has reset their passcodes. “We encourage customers to remain vigilant by monitoring account activity and credit reports,” the company said.

Additionally, AT&T advised customers to set up free fraud alerts from global credit bureaus, including Equifax, Experian, and TransUnion.

The company’s failure to identify the source of the leak will likely affect customer trust and AT&T’s business in the long run. The huge corpus of recently breached data, along with CPNI data of 9 million customers hacked in 2023, ought to raise some eyebrows about AT&Ts internal and network security controls.

“Currently, AT&T does not have evidence of unauthorized access to its systems resulting in theft of the data set,” the company said. However, it is entirely possible that a threat actor had possession of the data from a past exploit and is only releasing them now.

“Data breaches often have delayed exposure. Cybercriminals may hoard pilfered data for various motives. They might await opportune moments to monetize it, leverage it for subsequent attacks, or prolong their concealment to evade detection,” IDC’s Grover said. “An intruder could have infiltrated AT&T’s systems earlier using a method that has since been mitigated. However, this still leaves customers impacted.”

Whether we’re aware of it or not, we’re all biased. It stems from our individual experiences, upbringings, and backgrounds. These biases, unfortunately, are pervasive in all aspects of everyday life, including the recruitment process. A study by Harvard Business Review showed if there’s one female candidate up against three male candidates, she has a 0% chance of being offered a job. 

Bias can manifest in several ways throughout the hiring process. For example, a candidate’s suitability for a role could be unfairly favored or unfavored based on their gender, ethnicity, or age. It can also play a role in how job advertisements are written and advertised, as the language used in a job posting may deter or appeal to certain applicants, and lead to a less diverse candidate pool. 

Overcoming bias can help fill the cybersecurity skills gap

However, the conversations around the need to address bias when it comes to talent acquisition of cybersecurity professionals have been shifting over the last few years. 

According to Tia Hopkins, eSentire chief cyber resilience officer and field CTO and Cyversity board member, cybersecurity organizations are beginning to realize that removing bias can help widen their talent search. She acknowledges that there is no doubt that bias has been a contributing factor to the industry’s global skills gap. “Biases are largely contributing to the skills gap that we have because there’s no way that we’ve got millions of jobs opening, but we’ve also got all these people saying, ‘I can’t find a job in cybersecurity’ — something’s broken,” she tells CSO.

Heller Search Associates managing director Kelly Doyle agrees the limited talent pool in the industry has forced companies to approach hiring strategies differently. A 2023 ISC2 study found that cybersecurity professionals value a diverse workforce, with 69% stating that an inclusive environment is essential for their team to succeed and 65% believe it is important that their security team is diverse. 

“Companies have learned through research and history that having a diverse leadership team is better for culture, profitability, customers and innovation,” Doyle tells CSO. “Over the last decade, we have seen a consciousness toward adding diversity to technology leadership. Today, doing this in cyber is particularly important because cyber threats are growing to the point where if an employee does not participate in a company’s cyber program, the entire company is at risk.” This is why, Doyle believes, companies need to hire a diverse cybersecurity workforce so employees can relate and react. “Having a range of different backgrounds on your cyber team will foster more variety in ideas and thoughts around threat protection.”

It’s just an unfortunate reality that it took a skills shortage for the cybersecurity industry to realize that bias recruitment has long been a problem and it needs to be addressed for the workforce to be more diverse, according to Michael Page Australia regional director George Kauye. “I think most of us in the workforce acknowledge that there needs to be more inclusive and diverse hiring, but the reality is it actually took more a commercial scenario where there’s a candidate shortage market with a high job demand to accelerate that process, rather than this is the right thing to do,” Kauye tells CSO. 

Hopkins cautions that when cybersecurity organizations address bias in their recruitment process, it needs to be more than just a box-ticking exercise to improve a company’s diversity, equity, and inclusion (DE&I) position.

“It’s important to understand that diversity and removing bias from processes stretches beyond the gender gap and … it also stretches beyond the race and ethnicity gap, which is also a large conversation that’s being had as well. There’s ageism, there’s ableism, there’s neurodiversity, there’s all these things that need to be considered,” Hopkins says. “I think part of the problem is we haven’t really, as an industry, landed on, accepted, or discussed what diversity actually encompasses … because what you’ll find is that there are very specific segments within diversity but at the corporate level, when you look at ‘how can I diversify my team?’, it’s not enough to say we’re going to do it with women or just Black people.” 

How to remove bias when hiring cybersecurity professionals

Make tweaks to job descriptions

When it comes to hiring new talent, there are several steps that cybersecurity organizations can take to remove bias from their recruitment process. One example Doyle points to is eliminating gendered language in job descriptions to ensure a role attracts a variety of talent. “Position descriptions should be reflective of the type of cyber professional you want to hire. Look for well-rounded talent who may have come up a different track in their security journey,” she says. 

She adds companies have begun focusing less on specific job requirements believing it potentially rules out talent that may have taken a different path into security, and instead are focused on applications that are skills-based. “Eliminate degrees and instead focus on certificates or the skills candidates bring to the table, as not all cyber professionals come up the same track,” Doyle says.

It’s an approach that Kauye agrees with. He points out how there is widely reported statistic that suggests men apply for a job when they meet only 60% of job qualifications, compared to women who will only apply for a role if they meet 100% of the criteria. “When it comes to non-negotiables with the key selection criteria, companies are always putting a long shopping list down. But what they should be doing is putting down three, four, or five absolute non-negotiables, and that’s a sensible number of skills that are generally required for a role,” he says.

Focus on the job application in front of you

In a bid to further anonymize the recruitment process and eliminate any potential room for bias creep, Hopkins says HR professionals are introducing policies that state recruiters are not allowed to look up candidates’ LinkedIn profiles. She says it removes any initial bias of whether a person is qualified for a role, particularly if a person’s LinkedIn profile is missing certain elements a recruiter is looking for. 

“Because [a LinkedIn profile] can tell you a lot about a person’s background, especially when you’re talking about underrepresented communities and individuals trying to break into cyber … but that doesn’t mean you’re less talented than the next candidate,” she says.

Introduce diversity to the panel — and the company

To remove bias from the hiring process, organizations need to have a diverse interview panel. Doyle says that having multiple perspectives on an interview panel can help identify and counteract bias when evaluating potential candidates. “If you want to hire diverse talent, your company should show up in the process with diversity on the interview panel, having interviewers share their unique stories and experiences.” 

Hopkins points out how common it is for cybersecurity candidates from diverse backgrounds to encounter a lack of representation in leadership roles. “Looking internally, you want to make sure your organization is presenting itself as an organization that is ready for diversity because candidates are doing their homework,” Hopkins says. “I can’t tell you how many people I’ve talked to who’ve said, ‘I’ve done some research, but I looked at their leadership team and what they’re doing, and I just don’t see anything that looks like it’s for me.’” 

But how can a company overcome bias without diversity to begin with? Doyle suggests cybersecurity firms partner with a variety of organizations or certain colleges and universities to train and bring in diverse cyber talent from entry-level and promote up. 

Hopkins makes a similar point, saying that cybersecurity firms can partner with organizations like Cyversity that aim to increase the number of women and underrepresented talent in cybersecurity. “Partnering with these companies can help organizations be more conscious about the bias that individuals may be facing as [Cyversity] gets feedback from candidates going through the hiring process,” she says. “It’ll help corporations reform the way they recruit, the way they support individuals as they come into the organization, and even the way they write their job descriptions and groom their talent once they’re on the inside.”

Organizations also need to be conscious of where the diversity within the company exists. Bias training for hiring managers to drive awareness can be helpful to the process as well as addressing bias is an “ongoing mission and not a trend”, according to Hopkins. “It needs to be a defined program with a defined leader with defined outcomes and metrics.”

There is nothing like attending a face-to-face event for career networking and knowledge gathering, and we don’t have to tell you how helpful it can be to get a hands-on demo of a new tool or to have your questions answered by experts. Fortunately, plenty of great conferences are coming up in the months ahead. If keeping abreast of security trends and evolving threats is critical to your job — and we know it is — then attending some top-notch security conferences is on your must-do list for 2024.

From major events to those that are more narrowly focused, this list from the editors of CSO, will help you find the security conferences that matter the most to you. We’ll keep it updated with registration deadlines and new conferences so check back often. While we don’t expect this calendar to be comprehensive, we do aim to have it be highly relevant. If there’s something we’ve missed, let us know. You can email your additions, corrections and updates to Samira Sarraf.

April 2024

BSidesMilwaukee, Milwaukee, Wisconsin: April 3

SecureWorld Toronto, Toronto, Ontario: April 3

BSidesParis, Paris, France: April 4

Philadelphia Cybersecurity Conference, Virtual and Philadelphia, Pennsylvania: April 4

SecureWorld Houston, Houston, Texas: April 4

BSidesAustin, Austin, Texas: April 4 – 5

SANS New2Cyber Summit 2024–Central US, Virtual: April 4 – 15

BSidesTampa, Tampa, Florida: April 5 – 6

Identity Management Day Virtual Conference, Virtual: April 9

Google Cloud Next ’24, Las Vegas, Nevada: April 9 – 11

ISC West, Las Vegas, Nevada: April 9 – 12

SecureWorld Charlotte, Charlotte, North Carolina: April 10

Hack Space Con ’24, Merritt Island, Florida: 10 – 13 April

Atlanta Cybersecurity Conference, Atlanta, Georgia: April 11

BSidesHBG, Harrisburg, Pennsylvania: April 12

Cybersecurity & Business Transformation Summit, Singapore: April 12

BSidesPR, San Juan, Puerto Rico: April 12 – 13

*CIO Cyber Security Summit Germany, TBD Germany: April 16

Cybersecurity Implications of AI Summit: North America West Summit, Seattle, Washington: April 16

*Security Forum Portugal, TBD Portugal: April 16

Expo Seguridad Mexico, Mexico City, Mexico: April 16 – 18

Black Hat Asia, Singapore: April 16 – 19

CISO Forum, California, US: April 17

SecureWorld Philadelphia, Philadelphia, Pennsylvania: April 17 – 18

Omaha Cybersecurity Conference, Virtual and Omaha, Nebraska: April 18

BSidesKC, Kansas City, Missouri: April 19 – 20

BSidesCharm, Towson/Baltimore, Maryland: April 20 – 21

*Security Summit UK, London, UK: April 22

GISEC Global, Dubai, UAE: April 23 – 25

IDC CISO Roundtable, Manama, Bahrain: April 24

SecureWorld Kansas City, Kansas City, Missouri: April 24

St. Louis Cybersecurity Conference, St. Louis, Missouri: April 25

BSidesCardiff, Cardiff, Wales: April 27

BSidesGoa, Goa, India: April 15 – 27

BSidesSeattle, Seattle, Washington: April 27

* This event is presented by Foundry, the parent company of CSO.

May 2024

Minneapolis Cybersecurity Conference, Minneapolis, Minnesota: May 2

OT/ICS Virtual Cybersecurity Conference, Virtual: May 2

BSidesSF, San Francisco, California: May 4 – 5

CSA AI Summit at RSAC, San Francisco, California: May 6

RSA Conference, San Francisco, California: May 6 – 9

IDC CISO Roundtable, Muscat, Oman: May 7

Identity Management (IDM) Nordics, Stockholm, Sweden: May 7

ItaliaSec, Milano, Italy: May 7 – 8

ECS Nordics Enterprise Cyber Security, Stockholm, Sweden: May 8

SANS Security West San Diego 2024, Virtual and San Diego, California: May 9 – 14

BSides312, Chicago, Illinois: May 11

SecureWorld Miami, Miami, Florida: May 13 – 17

Hack in the Box (HITB) Security Conference, Abu Dhabi: May 14 – 16

IDC CISO Roundtable, Dubai, UAE: May 15

Dallas Cybersecurity Conference, Dallas, Texas: May 16

SANS Cybersecurity Leadership Summit 2024 — Eastern US, Virtual: May 16

BSidesAdelaide, Adelaide, Australia: May 17 – 18

BSidesDublin, Dublin, Ireland: May 18

BSidesVitoria, Vitoria, Brasil: May 18

SIA GovSummit, Washington, DC: May 21 – 22

SecureWorld Atlanta, Atlanta, Georgia: May 22

Cloud & Cyber Security Expo Frankfurt 2024, Frankfurt, Germany: May 22 – 23

Tampa Cybersecurity Conference, Virtual and Tampa, Florida: May 22

BSidesBUD, Budapest, Hungary: May 23

Government IT Security Conference (GovSec) UK, London, UK: May 23

IDC Digital Strategy & Cybersecurity Roadshow Brazil, TBD, Brazil: May 23

BSidesKnoxville, Knoxville, Tennessee: May 24

SPHERE24, Helsinki, Finland: May 28 – 29

Identiverse, Las Vegas, Nevada: May 28 – 31

*Security Forum France, TBD France, May 29

BSidesBarcelona, Barcelona, Spain: May 29 – 30

CyberSec Europe, Brussels, Belgium: May 29 – 30

Cybsec-Expo, Piacenza, Italy: May 29-31

Financial Virtual Cybersecurity Summit, Virtual: May 30

SANS Ransomware Summit 2024 — Eastern US, Virtual: May 31

* This event is presented by Foundry, the parent company of CSO.

June 2024

BSidesCheltenham, Cheltenham, UK: June 1

Gartner Security & Risk Management Summit, National Harbor, Maryland: June 3 – 5

IDC Security Roadshow, Riyadh, Saudi Arabia: June 4

Confidential Computing Summit, San Francisco, US: June 5-6

Kansas City Cybersecurity Conference, Virtual and Kansas City, Missouri: June 6

SecureWorld Chicago, Chicago, Illinois: June 6

IDC Security Roadshow, Doha, Qatar: June 10

AWS re:Inforce, Philadelphia, Pennsylvania: June 10 – 12

AppSec SoCal, Santa Monica, California: June 12

Boston Cybersecurity Conference, Boston, Massachusetts: June 13

Cybersecurity Soiree, Paris, France: June 13

Montreal Cybersecurity Conference, Virtual and Montreal, Quebec: June 13

BSidesLeeds, Leeds, UK: June 15

ICS Security Summit & Training 2024, Virtual and Orlando, Florida: June 17 – 24

IDC Security Forum — Resilient Security: Evolving Strategies for 2024, Milan, Italy: June 18

Identity Management (IDM) UK, London, UK: June 18

OT Cybersecurity Summit, London, UK: June 18 – 19

Cybersecurity Summit: North America Midwest, Chicago, Illinois: June 20

Security LeadHER, Phoenix, Arizona: June 24 – 25

BSidesBangalore, Bangalore, India: June 26 – 28

BSidesTLV, Tel Aviv, Israel: June 27

Chicago Cybersecurity Conference, Chicago, Illinois: June 27

Orange County Cybersecurity Conference, Virtual and Orange County, California: June 27

Neurodiversity in Cybersecurity Summit 2024 — Eastern US, Virtual: June 27

July 2024

MSSP Virtual Cybersecurity Summit 2024, Virtual: July 11

Pittsburgh Cybersecurity Conference, Virtual and Pittsburgh, Pennsylvania: July 11

Healthcare Cybersecurity Summit, New York, New York: July 18

Phoenix Cybersecurity Conference, Phoenix, Arizona: July 18

BSidesCDMX, Mexico City, Mexico: July 19

BSidesAlbuquerque, Albuquerque, New Mexico: July 19 – 20

BSidesIndore, Indore, India: July 20 – 21

Gartner Security & Risk Management Summit, Tokyo, Japan: July 24 – 26

Denver Cybersecurity Conference, Virtual and Denver, Colorado: July 25

SLED/FED Virtual Cybersecurity Summit, Virtual: July 25

BSidesExeter, Exeter, UK: July 27

SANS Security Awareness Summit & Training 2024, Virtual and Norfolk, Virginia: July 29 – August 2

*CSO’s SecureIT New York, New York, New York: July 11

* This event is presented by Foundry, the parent company of CSO.

August 2024

Black Hat USA 2024, Las Vegas, Nevada: August 3 – 8

BSidesLV, Las Vegas, Nevada: August 6 – 7

Cybersecurity & Business Transformation Summit, Delhi, India: August 8

Denver Cybersecurity Conference, Denver, Colorado: August 8

DEF CON 32, Las Vegas, Nevada: August 8 – 11

AcceleRISE, Denver, Colorado: August 14 – 16

33rd USENIX Security Symposium, Philadelphia, Pennsylvania: August 14 – 16

Salt Lake City Cybersecurity Conference, Virtual and Salt Lake City, Utah: August 15

Virtual Cybersecurity Summit, Virtual: August 15

IDC Digital Strategy & Cybersecurity Roadshow Mexico, Virtual and TBD, Mexico: August 22

Washington DC Cybersecurity Conference, Virtual and Washington, DC: August 22

DFIR Summit & Training 2024, Virtual and Salt Lake City, Utah: August 22 – 29

Philadelphia Cybersecurity Conference, Philadelphia, Pennsylvania: August 29

September 2024

SecureWorld St. Louis, St. Louis, Missouri: September 4 – 12

Charlotte Cybersecurity Conference, Virtual and Charlotte, North Carolina: September 5

Blue Team Con 2024, Chicago, Illinois: September 6 – 8

SECtember 2024, Seattle, Washington: September 9 – 13

Identity Week, Washington, DC: September 11 – 12

DC/Baltimore Cybersecurity Conference, TBD, September 12

IDC Digital Strategy & Cybersecurity Roadshow Chile, Virtual and TBD, Chile: September 12

CrowdStrike Fal.Con, TBD: September 16 – 19

Cybersecurity Summit, London, UK: September 17

SecureWorld Detroit, Detroit, Michigan: September 18

*Security Forum Finland, TBD Finland: September 18

International Cryptographic Module Conference, San Jose, California: September 18 – 20

Des Moines Cybersecurity Conference, Virtual and Des Moines, Iowa: September 19

GRC Virtual Cybersecurity Summit, Virtual: September 19

IDC CISO Roundtable, Cairo, Egypt: September 23

Gartner Security & Risk Management Summit, London, UK: September 23 – 25

Global Security Exchange (GSX), Orlando, Florida: September 23 – 25

InfoSec World, Lake Buena Vista, Florida: September 23 – 25

International Cyber Expo, London, UK: September 24 – 25

*Security Forum Norway, TBD Norway: September 25

Relativity Fest, Chicago, Illinois: September 25 – 27

Cybersecurity Summit Africa, Virtual: September 26

*Security Forum Denmark, TBD Denmark: September 26

Cybersecurity Summit Canada East, Toronto, Ontario: September 26

BSidesCLT, Charlotte, North Carolina: September 28 – 29

IDC CISO Roundtable, Doha, Qatar: September 30

ECS UK Enterprise Cyber Security, London, UK: September TBD

* This event is presented by Foundry, the parent company of CSO.

October 2024

Identity Management (IDM) Europe, Utrecht, Netherlands: October 2

Columbus Cybersecurity Conference, Virtual and Columbus, Ohio: October 3

SecureWorld Dallas, Dallas, Texas: October 3

*Security Forum Netherlands, Amsterdam, Netherlands; October 3

Toronto Cybersecurity Conference, Toronto, Ontario: October 3

BSidesSantaFe, Santa Fe, New Mexico: October 5

Securing New Ground, New York, New York: October 8 – 9

IDC Digital Strategy & Cybersecurity Roadshow Colombia, TBD, Columbia: October 10

SecureWorld Denver, Denver, Colorado: October 10

POLAR, Quebec city, Canada, October 12

ISC2 Security Congress, Virtual and Las Vegas, Nevada: October 14 – 16

Authenticate 2024 The FIDO Conference, California, US: October 14-16

SentinelOne OneCon24, Las Vegas, Nevada: October 14 – 17

National Cyber Security Strategy Confex (CyberGov), London, UK: October 15

Boston Cybersecurity Conference, Virtual and Boston, Massachusetts: October 17

Government Cybersecurity Summit, Washington, DC: October 17

Vancouver Cybersecurity Conference, Vancouver, British Columbia: October 17

CISO Engage Offsite, TBD: October 18 – 19

*CSO50 Conference + Awards, Fort McDowell, Arizona: October 21 – 23

it-sa, Nuremberg, Germany: October 22 – 24

SecureWorld New York City, New York, New York: October 22 – 24

LASCON 2024, TBD: October 22 – 25

SecTor, Toronto, Ontario: October 23 – 26

*Security and Cloud Forum, Porto, Portugal: October 24

IDC CISO Roundtable, Riyadh, Saudi Arabia: October 29

Phoenix Cybersecurity Conference, Virtual and Phoenix, Arizona: October 30

CISO-CIO Forum, La Jolla, US: October 30

* This event is presented by Foundry, the parent company of CSO.

November 2024

BSidesChicago, Chicago, Illinois: November 2

Identity Management (IDM) UK, London, UK: November 5

SecureWorld Seattle, Seattle, Washington: November 6 – 7

Financial Services Cybersecurity Summit, New York, New York: November 7

Mexico City Cybersecurity Conference, Mexico City, Mexico: November 7

Cybersecurity Summit, Mumbai, India: November 13

Canada Virtual Cybersecurity Summit, Virtual: November 14

IDC Digital Strategy & Cybersecurity Roadshow Central America, TBD, Mexico: November 14

IT/OT Cybersecurity Summit: Germany, Frankfurt, Germany: November 14

Nashville Cybersecurity Conference, Virtual and Nashville, Tennessee: November 14

Tanium Converge, Virtual and Orlando, Florida: November 18 – 21

Identity Management (IDM) Nordics, Stockholm, Sweden: November 19

ISC East, New York, New York: November 19 – 21

San Diego Cybersecurity Conference, Virtual and San Diego, California: November 21

Global Cyber Conference, Zurich, Switzerland: November 26 – 27

Enterprise Security & Risk Management (ESRM) UK, London, UK: November 28

December 2024

Houston Cybersecurity Conference, Virtual and Houston, Texas: December 4

Dallas Cybersecurity Conference, Dallas, Texas: December 5

Virtual IOT and OT Security Summit, Virtual: December 5

Forrester Security & Risk, Baltimore, Maryland: December 9 – 11

Gartner Identity & Access Management Summit, Grapevine, Texas: December 9 – 11

Atlanta Cybersecurity Conference, Virtual and Atlanta, Georgia: December 11

Planet Cyber Sec Conference, Long Beach, US: December 11

Bedrock Security tackles risk created by cloud, generative AI

March 26: Bedrock Security has launched a data security platform designed to help organizations protect from data risk introduced by cloud and generative AI applications. The platform promises to continuously discovers, manages, and protects sensitive data using its AI Reasoning (AIR) Engine, which “understands” what data is critical to a company.

Bedrock AIR offers visibility including new data classifications, unlike rules-based systems, data detection and response facilitating to set up data perimeters to ring fence regulated data and core IP, ensuring the data is excluded from use in generative AI models. AIR is also designed to ensure risk surface minimization by reducing data and identity exposure including tracking source IP to prevent leakage to generative AI.

GitGuardian adds software composition analysis to code security platform

March 26: GitGuardian has launched its software composition analysis (SCA) module, which automates vulnerability detection, prioritization, and remediation in software dependencies. It also ensures code licensing and regulatory compliance, such as generating comprehensive SBOM (Software Bill of Materials). This addition to GitGuardian’s code security platform enables security engineers to identify all applications with unsafe dependencies, automatically prioritize incidents by severity, and prompt developers to fix them. Software engineers are provided with remediation guidance to maintain delivery speed and agility while elevating their security posture.

SCA evaluates and communicates the legal risks in the software supply chain helping prevent threats to organizations’ intellectual property and ensure compliance with license and security policies. 

Legit Security launches standalone enterprise secrets scanning

March 26: Legit Security has launched a standalone enterprise secrets scanning product that uses artificial intelligence (AI) to detect, remediate, and prevent secrets exposure across the software development process. The product is designed to enable secrets discovery beyond source code. The scanner works across developer tools such as GitHub, GitLab, Azure DevOps, Jenkins, Bitbucket, Docker images, Confluence, Jira, and others. Legit claims the AI-powered product drives highly accurate results; false positives are reduced by up to 86%.

Nametag aims to prevent AI-generated deepfakes

March 25: Nametag Autopilot is a self-service account recovery that aims to prevent AI-generated deepfake attacks by deflecting password and multifactor authentication (MFA) resets to self-service. Nametag claims that resetting MFAs take time with helpdesk agents and opens the door to AI-generated deepfakes. While most MFA verifies ownership of devices or phone numbers, Nametag authenticates the human behind the device stopping account takeovers and data breaches by verifying users at critical moments like account recoveries, MFA resets, and high-risk transactions.

For end users, Nametag Autopilot lets people reset their own MFA using any mobile device, avoiding the hassle of contacting the helpdesk. For the helpdesk, transitioning time-consuming calls and chats to a secure self-service workflow reduces the risk of breaches and account takeovers while cutting helpdesk costs by 30%, claims Nametag. Nametag Autopilot is already interoperable with technologies like Cisco Duo, Entra ID, Microsoft, Okta and Zendesk.

SDR from Cybereason and Observe addresses outdated SIEM issues

March 25: Cybereason and Observe have released a SIEM detection and response (SDR) software to address issues with outdated SIEM while improving SOC effectiveness with automated ingestion of data to gain visibility across systems. SDR consolidates data helping with detection, investigation, and response for fast breach detection. The open architecture allows organizations to ingest any structured and unstructured data to gain critical insights across all existing enterprise IT and security stacks.

SDR helps analysts build the full narrative of an attack from root cause through attack timeline, affected devices, users, and other identity, network, workspace and cloud assets.

IONIX creates centralized threat center

March 20: IONIX has revealed a centralized threat center to help faster response from secutiry teams to zero-day threats. IONIX continuously scans and track vulnerabilities which are then identified, analyzed and added to the threat center. IONIX runs “non-intrusive exploit simulations” on each customer’s unique environment to identify and validate exploitable assets, feeding this information through the threat center to its customers so they can take the appropriate measures. The company also provides remediation actions.

ConductorOne new functionality detects shadow apps

March 19: ConductorOne has released a shadow app detection functionality that monitors new, unmanaged apps that are then catalogued and flagged for review. It does this by detecting and monitoring employee logins to shadow apps, enabling security teams to bring those under full management. To sanction an app, teams simply assign the app an owner; then it can be managed like all other apps in ConductorOne. If the security team decides to ignore a shadow app, the ignored app usage continues to be monitored, providing insight into the number of users of that app and any recent changes in activity. Ignored apps can be brought under management at any time, according to ConductorOne.

Redjack launches cyber resilience platform

March 19: Redjack has launched its cyber resilience platform covering asset discovery and risk management and regulatory compliance. It promises a “complete, current and accurate” asset inventory and delivers visibility for cyber resilience, ensuring business continuity and operational resilience with the proof required by regulators. It is also designed to identify areas for enhanced security, provide data about current systems functionalities, and offers AI-enabled business insights, and on-premises, cloud, VMs and containers coverage.

Sonatype introduces SBOM manager

March 19: Sonatype has launched an SBOM manager designed to streamline control, monitor, and release workflows. Some of its features include generating both CycloneDX and SPDX SBOM formats, ingesting and importing SBOMs from third-party software, including VEX documents, and analyzing them to pinpoint components, vulnerabilities, and policy violations, monitoring for policy violations, managing vulnerability disclosures to partners and reporting on application risk. Users can create their own SBOM repository. It also has tools designed to ensure continuous compliance, advanced security that proactively identifies and mitigate vulnerabilities within the software supply chain. It is available as a SaaS solution, on-premise and air-gapped versions will be available in September.

Portnox new passwordless authentication enables unified access control

March 19: Portnox is offering Conditional Access for apps, a passwordless authentication, endpoint risk posture assesment and automated endpoint remediation service for applications. Accessible as part of Portnox Cloud or as a standalone subscription, Conditional Access for Applications uses digital certificates and cloud-native public key infrastructure (PKI) to enable organizations to eliminate passwords, improve user and admin experiences, and employ a better approach to access control.

Kasada’s bot detection API integrates with content delivery networks

March 19: Kasada has launched a bot detection API that integrates with content delivery network (CDN) edge computing platforms from Akamai, Amazon CloudFront, Cloudflare, Fastly, and Vercel. Users can also implement custom API integrations with application backends.

Deloitte builds platform to help organizations simplify cybersecurity management

March 18: Deloitte has launched CyberSphere, a platform designed to simplify organizations’ cyber program data, workflows, reporting and third-party technologies. It currently covers digital identity management, managed extended detection and response (MXDR), attack surface management (ASM), managed secure access services edge (MSASE) and incident response. CyberSphere uses automation, artificial intelligence and machine learning, and offers customers ways to visualize cyber risk metrics and workflows.

One Identity adds privileged access management to cloud platform

March 14: One Identity has launched Cloud PAM Essentials, a privileged access management software as-a-service product focused on cloud applications and infrastructure. PAM Essentials offers security teams controls to ensure only authorized individuals can gain access to sensitive systems and data. It provides full visibility into user activities and can be up and running “in minutes”, according to the company.

PAM Essentials monitors controls and records user sessions with remote access via SSH and RDP. It provides structured audit logs, protocol proxy session recordings and isolation of user sessions; central orchestration of auto-login, timely rotation of passwords and vaulting of local server accounts passwords reduce the risk of unauthorized access. PAM Essentials has native integration with OneLogin.

Perception Point improves human analysis with GPThreat Hunter

March 14: Perception Point has announced OpenAI’s GPT-4 model-based GPThreat Hunter, an AI-driven solution that augments traditional human analysis in both speed and accuracy along with the ability to identify new attack techniques.

GPThreat Hunter is activated when the Perception Point Advanced Threat Prevention solution flags a case as ambiguous. It compiles evidence from existing detection engines and the algorithms that marked the item as suspicious. This is then analyzed by custom multilingual LLMs which deliver an instant verdict along with a confidence score and a comprehensive explanation. The model also quarantines the threats and secures the system against similar future attacks.

New Relic updates its Interactive Application Security Testing

March 13: New Relic has updated its Interactive Application Security Testing (IAST) to include proof-of-exploit reporting for runtime application security, OWASP validation, risk exposure and assessment and instant impact analysis. Proof-of-exploit reporting combs through applications and tags them as safe, exploitable, or untested so security teams can determine which applications are vulnerable to being breached and how, and which applications are safe to deploy.

The new risk exposure and assessment identifies and provides visibility into every code change by showing potential against detected exposures. The instant impact analysis uses telemetry data derived from APM instrumentation and an integration with New Relic Vulnerability Management to provide an analysis of the number of applications impacted by a particular vulnerability, as well as a deep dive into specific applications and to understand the potential severity of the identified risk.

Upwind adds API security to its cloud security platform

March 13: The Upwind Cloud Security Platform can now detect and respond to API threats in real time at the runtime level, according to the company. The API Security solution catalogs and maps an enterprise’s APIs using real-time traffic analysis and extended Berkeley Packet Filter (eBPF) for better performance and visibility into the API catalog. Upwind also claims that the runtime context that eBPF provides cuts the number of alerts by 95% by filtering out noise.

Nightfall AI adds SaaS security posture management, other features to its generative AI DLP platform

March 11: Nightfall AI has enhanced its generative AI data loss prevention (DLP) platform with several new capabilities. SaaS security posture management provides real-time insights into SaaS security along with automated response capabilities. The DLP platform also offers client-side, content-aware encryption for SaaS apps via a browser plug-in. Data exfiltration prevention capabilities help ensure compliance with SOC 2, PCI-DSS, and other standards using a risk-based approach. Finally Nightfall now provides AI-powered data protection for sensitive customer and enterprise information through SaaS and email monitoring.

Ionix adds exposure validation to attack surface management platform

March 6: Ionix has introduced an automated exposure validation extension to its attack surface management (ASM) platform. The extension was designed to enable continuous exploitability testing on production environments without disruption. Some of its other features include attack surface validation, exploitable risk identification, automated validation and also promises to reduce the need for extensive manual testing.

Sweet Security updates its Cloud Runtime Security Suite

March 6: Sweet Security has added two new components to its Cloud Runtime Security Suite. Non-human identity (NHI) management is designed to help discover and manage the risks of non-human entities in an environment. According to Sweet, NHI management understands the context of non-human attempts to access assets and identity what activity is legitimate. Runtime posture management helps to prioritize cloud security posture management (CSPM) by providing information on the consequences of specific hardening tactics. It does so by identifying where roles and secrets are in use down to the microservice level. It then identifies the asset or service that was the destination of the microservice, which Sweet refers to as monitoring secrets in transit.

F5 adds automated reconnaissance and pentesting to cloud services

March 5: F5 has added automated reconnaissance and penetration testing capabilities into F5 Distributed Cloud Services as a result of the acquisition of Denmark-based Heyhack, announced without further details at AppWorld 2024. F5 Distributed Cloud Services customers can now scan for and discover vulnerabilities impacting their web applications across multicloud environments, which will be completed with recommend web application firewall rules and other appropriate remediations. 

Pentera launches automated cloud penetration testing product

March 5: Security validation firm Pentera has announced its Pentera Cloud product. The automated cloud penetration testing tool offers on-demand testing and resilience assessment of corporate cloud accounts against native cloud attacks. The company claims the new product will help guard against attacks originating from anywhere on the attack surface, including on-premises, external sources, and the cloud. Features include automated cloud attack emulation, cross attack surface testing, and evidence-based remediation. Pentera Cloud is part of the company’s security validation platform.

Network Perception adds zone-to-zone segmentation verification with NP-View 5.0 release

March 5: OT network cybersecurity audit and compliance solution provider Network Perception has rolled out a new version of its platform, NP-View 5.0. Its Zone Matrix feature now provides a view of communication among user-created topology zones and subnet and services information. The Interface Connectivity Matrix shows interface interconnectivity on network-connected devices and communication among security zones defined for each device. The company also claims enhanced reporting capabilities for devices and topology with three new tables: network device interface, routes on network devices, and Network Address Translation (NAT) table.

Cobalt launches dynamic application security testing scanner

March 5: Cobalt has launched a dynamic application security testing (DAST) scanner designed to continuously test web applications and APIs for security. This is helped by the integration with Cobalt’s pentest as-a-service platform. The DAST scanner promises to identify vulnerabilities that might get introduced in between manual pentests. It enables the creation of detailed reports that prioritize vulnerabilities for remediation and aid in compliance with regulatory requirements. DAST can be integrated into the software development lifecycle and DevOps pipelines.

Sentra announces generative AI assistant for cloud data security

March 5: Sentra has launched Jagger, a large language model assistant for cloud data security that helps analyze and respond to security threats. Users of Sentra’s Data Security Posture Management (DSPM) and Data Detection and Response (DDR) platform will benefit from Jagger’s insights and recommendations in plain language suitable to all levels of expertise. Sentra claims Jagger reduces up to 80% of the time required to accomplish tasks such as policy implementation and data store reporting.

Cohesity launches AI-powered enterprise search assistant

February 28: Cohesity has launched Gaia an AI-powered enterprise search assistant that brings retrieval augmented generation (RAG) AI and large language models (LLMs) to backup data within Cohesity. With current agreements to integrate Cohesity Gaia with AWS, Google Cloud and Microsoft Azure, users can ask questions and receive answers based on their enterprise data. By adding Gaia’s AI capabilities within the backup environment Cohesity claims to help organizations assess their level of cybersecurity, perform financial and compliance audit checks, answer complex legal questions and to serve as a knowledge base to train new employees.

VulnCheck gives community access to catalog of known exploited vulnerabilities

February 27: Exploit intelligence company VulnCheck has launched a catalog of known exploited vulnerabilities for those joining the VulnCheck Community. The company claims to track 81% more vulnerabilities exploited in the wild than CISA, and alerts customers before missing exploits are added to the CISA KEV catalog an average of 27 days earlier.

Radiant Logic updates its identity data platform, adds AI

February 27: Radiant Logic has released an update to its RadiantOne Identity Data Platform which connects and correlates data from any source, providing insight and visibility across diverse identity stores, including legacy systems. The update comes with a new user experience and introduces RadiantOne AI, an engine that uses LLMs augmented with advanced data visualization capabilities to deliver AI-driven analytics and decision making assisted by its GenAI chatbot AI Data Assistant.

Next DLP adds functionality to tackle shadow SaaS

February 27: Next DLP has added Reveal SaaS Access Security to its Reveal Platform to address shadow SaaS challenges. This new functionality offers a centralized dashboard and inventory with detailed insights into SaaS app usage, continuous monitoring of data transfers within SaaS applications, Real-time controls, including employee education, and a SaaS app inventory.

Entro adds new functionality to its secrets management platform

February 27: Entro has added Machine Identity Lifecycle Management to its context-based secrets management platform. The addition promises to provide security teams with tools to manage, actively monitor and control the entire lifecycle of a secret from creation to retirement. Entro announced new integrations of its platform with CIFS/SMB File Shares and Microsoft SharePoint to enable organizations that have been primarily on-premises and are shifting to the cloud to use the Entro platform to scan and monitor secrets in documents on traditional file shares or on-premises SharePoint.

Palo Alto Networks protects private 5G networks

February 26: Palo Alto Networks has announced partnerships with Celona, Druid, Ataya, Netscout, Nvidia, and NTT Data to help protect data travelling across private 5G networks. The security vendor is combining its enterprise grade 5G Security with its partners products.

Organizations building new private 5G networks with Celona, Druid, Ataya can secure radio networks through integrations with Palo Alto Networks 5G Security. Netscout’s pervasive, packet-level network visibility will combine at scale with Palo Alto Networks 5G Security, helping security teams gain deep visibility to make intelligent policy decisions. Nvidia’s scalable 5G security ensures that AI-powered applications are optimized for speed, security, traffic accuracy, and data isolation to maintain data sovereignty and achieve multi-terabit, cost-effective security for mobile networks. NTT Data’s complete technology stack, network infrastructure capabilities, and IT consulting and system integration services will help customers to deploy, manage, and secure their private 5G networks.

Cycode adds generative AI-based natural language queries to its Risk Intelligence Graph

February 21: Cycode has added new generative AI capabilities to the Risk Intelligence Graph (RIG) of its application security posture management (ASPM) platform. The enhancements allow security teams to use natural language queries to find answers to application security and development questions. The company claims this will help bridge gaps across AppSec siloes, allowing security and development teams to better predict and mitigate risks.

New Beyond Identity product shows security risk across devices

February 21: Passwordless MFA provider Beyond Identity has announced its Device360 product, a tool that the company claims will allow organizations to identify security risks such as vulnerabilities and misconfiguration in managed and unmanaged devices in real time. They can then remove suspect devices from the network. Device360 works without mobile device management or endpoint detection and response solutions. Other features include a centralized view of vulnerabilities and misconfigurations, real-time and scheduled device query, zero-trust access policy testing, and enforcement of device security compliance during authentication.

IndyKite looks to improve data trustworthiness with an identity-centric approach

February 21: IndyKite has announced a new version of its identity-powered AI enterprise data platform. The company claims its identity-centric approach improves trustworthiness of key data. An AI-driven risk score guides use of the data, and the platform also provides source and verification data for each data point. Real-time analytics and insight discovery features assist with decision making and threat detection and response, according to IndyKite.

Metomic adds “human firewall” features to scale data security workflows

February 20: Metomic has released new “human firewall” features to its data security platform. The features apply to SaaS applications such as Google, Slack, and Microsoft Teams and are designed to help security and compliance teams scale data security workflows for SaaS applications by involving employees in the risk remediation process. Sharing this task with employees will allow for a higher volume of potential violations to be reviewed and addresses, according to Metomic. The company also claims that the human firewall features will allow employees to report false positives to security teams or provide justification for sharing business data. The human firewall features are now available to all Metomic customers.

Vectra AI launches 24/7 managed extended detection and response service

February 15: Vectra AI has launched Vectra MXDR, a global managed extended detection and response service. Available 24/7, Vectra AI is designed to defend against attacks in hybrid and multi-cloud environments. It provides attack surface visibility across identity, public cloud, SaaS, data center, and cloud networks and endpoints by integrating with EDR vendors, according to Vectra AI. Features include AI-driven attack signal intelligence, remote response and remediation, managed security policy configuration, and end-to-end detection and response coverage. Vectra MXDR is available to current customers.

BigID adds access governance controls

February 15: BigID has announced new access governance controls for its cloud and hybrid data security and compliance platform. The new features allow customers to monitor and manage access across the cloud and on-premises environments. The company claims the new capabilities will allow organizations to automatically identify. investigate, and remediate access rights violations across structured and unstructured data. This will reduce the attack surface, mitigate insider risk, and enable a zero-trust approach, according to BigID.

Infoblox brings AI-powered security operations features to its BloxOne platform

February 15: Cloud networking and security services firm Infoblox has enhanced its BloxOne Threat Defense DNS detection and response solution with the AI-powered SOC Insights security operations solution. SOC Insights is designed to help security analysts better identify and investigate security events that matter and reduce response time. The company claims that SOC Insights consolidates individual alerts into insights that provide access to device, event, attacker infrastructure details, and Infoblox’s DNS intelligence data. SOC Insights is available now.

Eureka Security brings file-sharing product capabilities to its DSPM solution

February 15: Data security posture management vendor Eureka Software has announced that its DSPM solution has expanded to all major cloud services with the ability to address file-sharing applications such as Office 365, Google Drive, Box, and Dropbox. This allows the DSPM solution to provide visibility and insights into how users share, access, and us data across SaaS, IaaS, and PaaS solutions, the company claims.

Recorded Future releases generative AI assistant for threat intelligence

February 14: Intelligence company Recorded Future has released Recorded Future AI from beta. It is designed to aid human analysts in identifying global threats. Recorded Future AI is built on the company’s Intelligence Graph data model, and it is capable of monitoring and putting into context threats across cyber, physical, and influence operations domains. Recorded Future claims its AI assistant can help enterprises and governments define large, complex threat surfaces in both the physical and cyber worlds.

ReversingLabs Spectra Assure uses AI to detect software supply chain threats

February 13: Software and file security vendor ReversingLabs has released Spectra Assure, which uses AI with complex binary analysis to detect malicious code and malware embedded in software before it is deployed and without the need to have its source code. A build exam in the new tool identifies tampering and malware before deploying software across first-, second-, and third-party components, according to the company. Spectra Assure can report issues in large, complex software packages in minutes or hours, ReversingLabs claims.

Seal Security emerges from stealth with open-source vulnerability remediation solution

February 13: Seal Security has announced its presence with an LLM-powered open-source vulnerability remediation solution. It provides access to security patches across five languages, and the company claims it is able to remediate 95% of critical and high-severity vulnerabilities identified in the last five years. The tool is designed to automate and scale vulnerability remediation with centralized control over the vulnerability patching process.

Legit Security add AI discovery to its ASPM platform

February 13: Legit Security has announced the addition of AI-powered discovery capabilities to its application security posture management (ASPM) platform. The new feature is designed to detect where software developers use AI code. The company claims this gives security leaders and application security teams visibility into AI-related risks from the infrastructure to application layers across the application development pipeline so they know where to put security controls. The new AI capabilities include security policy enforcement, real-time notifications of generative AI code, and alerts on LLM risks.

Cyberhaven aims to stop insider threats with Linea AI

February 9: Cyberhaven has launched Linea AI, which uses the company’s proprietary large lineage model (LLiM) to detect insider threats. That LLiM analyzes workflows and predicts the next likely action or behavior to occur, flagging deviations. Cyberhaven claims the LLiM can look at the entire workflow across time for every data item within the enterprise. Features include risk detection and prioritization, incident summary, smart remediation that recommends responses, and guided prevention for real-time intervention.

Qualys TotalCloud 2.0 adds SaaS protection, supply chain risk mitigation, and more

February 8: The Qualys TotalCloud 2.0 version of its AI-based CNAPP platform now offers a single view of cloud risk and extended protection to SaaS applications. TruRisk Insights provides a single prioritized view of cloud risks, which Qualys claims will streamline the identification of high-risk assets. TotalCloud 2.0 has also incorporated SaaS security posture management with the CNAPP platform. Other new features include supply chain risk management where TotalCloud 2.0 scans open-source software pre- and post-deployment, and operationalized risk reduction, which the company claims removes siloes between IT and security with ITSM integrations. TotalCloud 2.0 is available now.

SailPoint announces two products to help build identity programs

February 8: SailPoint Technologies has introduced two offerings to its identity management portfolio. The SailPoint Identity Security Cloud Standard suite is targeted to companies just starting identity security initiatives. It has a set of core capabilities that centralizes identity-related data, allowing organizations to govern access for all identities across the enterprise in a scalable way, according to Sailpoint. The new Customer Success Portfolio offers three tiers of training and support, including configuration support, adoption workshops, and program oversight, assessment, and guidance.

AppViewX, Fortanix partner to deliver secure digital identity management and code signing

February 7: Machine identity management firm AppViewX and data security company Fortanix are combining their solutions to deliver cloud-based secure digital identity management with code signing in one package. AppViewX’s Digital Trust Platform and Fortanix’s Data Security Manager (DSM) together address two security use cases: the management of machine identities across hybrid multi-cloud environments and simplified secure code signing for improved software supply chain security, according to a joint press release. The combined offering is available through either vendor, joint channel partners, or the AWS Marketplace.

F5 announces new AI capabilities to protect AI-powered applications

February 7: Multi-cloud security firm F5 has enhanced its Distributed Cloud Services solution with API code testing and telemetry analysis. The company also announced that it is implementing AI across its entire product portfolio. The company claims these enhancements provide “AI-ready” API and application security. The AI enhancements are from technology F5 recently acquired from Wib, and they enable vulnerability detection and observability during the application development process and before production. F5 claims it can now offer API discover, testing, posture management, and runtime protection in one platform.

Akamai’s Content Protector aims to stop scraping attacks

February 6: Akamai Technologies has announced the availability of its Content Protector tool, which the company claims stops malicious scraper bots without blocking legitimate traffic. It is able to detect and mitigate those malicious scrapers. Featuresinclude protocol fingering that checks how visitors connect to your site to determine if they are legitimate, evaluation of JavaScript code, the ability to distinguish between human and machine behavior, and risk classification for traffic based on anomalies found.

Teleport Policy centralizes policy management for infrastructure access

February 6: Teleport, which specializes in infrastructure access, has launched Teleport Policy, a tool designed to unify access control and policy across an organization’s infrastructure. The new product provides visibility into how engineers, users, and workloads access infrastructure and data. The company claims this allows their customers to identify issues such as inappropriate privileges and remove them. Another feature is intended to speed investigations and responses via a unified Access Graph view of access relationships. Teleport Policy is an extension of the company’s Teleport Access platform.

Metomic launches Metomic for ChatGPT

February 5: Data security firm Metomic has introduced Metomic for ChatGPT, which the company claims will help protect sensitive data while using OpenAI’s generative AI tool. The new solution provides visibility to what data is uploaded to ChatGPT. Metomic for ChatGPT is a browser plug-in, allowing it to identify when an employee logs into the ChatGPT website. It then scans the data going into the generative AI platform in real time. It then alerts the security team if sensitive data is being moved.

OPSWAT enhances MetaDefender Kiosk line

February 5: Critical infrastructure protection company OPSWAT has announces enhancements to its line of MetaDefender Kiosk products. Described as “peripheral media scanning stations,” MetaDefender Kiosk products are devices that scans removable media for threats. OPSWAT has added a Kiosk Mini form factor to the line that is intended to be more accessible, portable, and versatile. It can also support tabletop and rugged environments. MetaDefender Kiosk is also now integrated with OPSWAT’s MetaDefender Sandbox and Media Firewall products, enabling adaptive threat analysis for zero-day threat detection. Finally, MetaDefender Kiosk Stand supports VESA-mountable Kiosks and devices. The three-bay stand supports multiple removable media types and includes a hard disk drive bay.

Varonis introduces managed detection and response for the data level

February 5: Varonis Systems’ new Managed Data Detection and Response (MDDR) service aims to identify and stop threats at the data level as well as endpoints. Features of the 24/7 monitoring service include an AI analysis engine that automates investigations, a 30-minute response window for ransomware and 120-minute response for other alerts, and a deployment time measured in hours, according to the company. MDDR is delivered on top of Varonis’s Data Security Platform and is available now.

Secureworks Threat Score uses AI to prioritize alerts

February 1: Secureworks has introduced its AI-powered Threat Score, which is intended to help security analysts prioritize security alerts. The tool identifies which alerts are most likely to have a negative impact based on the organization’s operations. The company claims that by filtering out noise in the alerts, Threat Score can reduce security analyst workloads by about 50%. Threat Score is available as part of Secureworks Taegis XDR.

OX aims to eliminate manual application security practices with new ASPM platform

January 31: OX Security’s new application security posture management solution, Active ASPM Platform, unifies application security practices by providing visibility, traceability, prioritization, and automated no-code workflow-driven response, which the company refers to as an “active approach” to AppSec. OX claims this approach results in a continuous and more accurate targeting of critical threats, which reduces alert fatigue. The solution also provides attack path analysis, active context analysis, and pipeline bill of materials.

Vade uses AI to enhance spear-phishing detection

January 31: Threat detection and response vendor Vade has improved its spear-phishing detection engine with generative AI. The company claims the new technology will allow its engine to better defend against advanced threats, including those created by AI, and provide a greater degree of confidence of detection. The spear-phishing engine has been trained on traditional and AI-created spear-phishing email messages. The new spear-phishing engine is now implemented in its Vade for M365 email security suite.

SentinelOne enhances threat hunting capabilities of WatchTower and WatchTower Pro

January 30: Sentinel one has announced the general availability of new machine-learning and advanced behavioral threat-hunting capabilities for its WatchTower and WatchTower Pro managed threat hunting services. The new capabilities include anomalous and suspicious behavior detection, expanded coverage against known and emerging threats, 24/7 real-time threat hunting, and access to WatchTower’s in-house threat intelligence library. As before, the new capabilities are backed by human experts.

New connector gives Varonis wider database support

January 30: Varonis has enhanced its data security posture management capabilities with the addition of a universal database connector, which enables its platform to integrate with connected databases hosted on-premises or in the cloud. The company claims this integration will allow its customers to use Varonis’s library of classifiers and scalable architecture to centralize data classification. The Varonis platform works with structured, semi-structured, and unstructured data.

Keyfactor offers PKI integration with Quantinuum Quantum Origin

January 30: Identity security provider Keyfactor has partnered with quantum computing firm Quantinuum to offer a public key encryption (PKI) platform that integrates with Quantinuum’s Quantum Origin quantum entropy solution. With this integration, Keyfactor EJBCA can now provide stronger root of trust to provide certificates, according to Keyfactor, and provides protection against potential misuse of quantum computing technology.

Deep Instinct Prevention for Applications 3.0 enhances file upload, application storage protections

January 25: Deep Instinct has announced the 3.0 version of its Deep Instinct Prevention for Applications (DPA) AI-based deep-learning framework. DPA 3.0, agentless on-demand anti-malware solution, now has improved file upload protections and application storage security. The new deep-learning capabilities use neural networks to avoid shortcomings of other solutions such as inadequate scanning, challenges presented by adversarial AI, or inability to stop unknown malware, according to the company. Unlike other tools that require frequent cloud connections to stay up to date on threat intelligence, DPA 3.0 requires updates only once or twice a year. This in part makes it suitable for use in air-gapped environments.

Black Kite introduces monthly ransomware dashboard

January 24: Black Kite, a provider of third-party cyber risk intelligence, has launch a monthly ransomware dashboard that shows graphs, data, trends, and attack patterns. The company claims it analyzes the top ransomware indicators to identify common vulnerabilities that ransomware threat actors exploit. Black Kite has also developed its Ransomware Susceptibility Index (RSI) using data and machine learning to provide an overview of industry-specific risks, according to the company.

Zscaler launches Zero Trust SASE built with AI

January 23: Cloud security provider Zscaler has announced its Zero Trust SASE. Build with Zscaler’s Zero Trust AI, the new SASE is designed to reduce the cost and complexity of implementing zero-trust security across users, devices, and workloads, according the the company. Zscaler also announced that its Zero Trust SD-WAN is now generally available along with new plug-and-play appliances that the company claims will help its customers modernize secure connectivity for its various facilities.

Mitiga boosts incident response with Kroll partnership

January 23: Cloud and SaaS incident response firm Mitiga has partnered with Kroll, adding that company’s incident response and litigation services to the Mitiga Cloud and Incident Response Automation (CIRA) solution. The company claims that the integration of Kroll’s services will allow its customers to better comply with new US Securities and Exchange Commission (SEC) regulations for incident reporting. Mitiga will also offer its customers other Kroll services at a discount, including red team exercises, penetration testing, and virtual CISO.

PQC Starter Kit from Thales and Quantinuum to help prepare for post-quantum cryptography

January 22: In collaboration with Quantinuum, Thales has launched the PQC Starter Kit, which is designed to help organizations prepare for post-quantum cryptography (PQC) challenges. The kit allows them to test quantum-hardened encryption keys and better understand the potential impact of PQC on the security of their infrastructure, according to Thales. PQC Starter Kit uses current NIST proposed algorithms that organizations can use to test security use cases such as PKI, code-signing, TLS, and internet of things (IoT). The first iteration of the kit incorporates Luna HSMs and Quantinuum’s quantum random number generator technology, which allows organizations to determine whether their keys are securely generated and stored while using PQC algorithms.

ArmorPoint announces cybersecurity program management solutions

January 20: ArmorPoint has expanded its cybersecurity services with a suite of cybersecurity program management solutions, called Managed Risk and Managed Strategy. The company said its goal was to provide a unified approach to cybersecurity by integrating risk management, strategic planning, and real-time threat detection. This allows organizations to take a “proactive and adaptive approach to cybersecurity,” according to the company.

VulnCheck IP Intelligence tracks attacker infrastructure and vulnerable IPs

January 18: Exploit intelligence company VulnCheck has launched its IP Intelligence feature set that tracks attacker infrastructure and vulnerable Internet Protocol (IP) addresses in real time. The new functionality cross-references internet-connected datasets against VulnCheck’s own exploit and vulnerability intelligence information, providing insight around those devices and attackers’ command-and-control infrastructure, according to the company. IP Intelligence provides a downloadable and searchable dataset to identify vulnerable internet-connected devices. It also generates lists of IP addresses for use in block lists.

Fortinet launches Wi-Fi 7-enabled secure networking solution

January 17: Network solutions provider Fortinet has announced what it claims to be the first secure networking solution integrated with Wi-Fi 7. Forti-AP 441K is a Wi-Fi 7 access point, and FortiSwitch T1024 supports Wi-Fi 7 bandwidth requirements with 10 gigabit Ethernet access and 90W Power over Ethernet (PoE) technology. Both are part of the Fortinet Secure Networking solution and integrate with AIOps and FortiGuard AI-Powered Security Services. Wi-Fi 7 is the latest wireless technology designed to support wireless devices running data-heavy applications.

Salt Security adds API posture governance to its API Protection Platform

January 17: API security firm Salt Security has enhanced its API Protection Platform, including the addition of an API posture governance engine, an API filtering and querying capabilities, and improved behavioral threat response capabilities. The API posture governance engine helps organizations to create corporate standards for API posture and assess compliance with those standards, industry best practices, and regulatory requirements. The company claims it will keep API lifecycle stakeholders in sync and ensure security standards are followed throughout the API lifecycle. New API filtering and querying capabilities allow for better API asset discovery and management while providing details about their purpose, usage patterns, and risks. Enhanced behavioral response will allow SecOps teams to better prioritize, triage, and analyze API-related security events, according to Salt. Other enhancements include better sharing of API intelligence and enterprise onboarding and operationalization improvements.

Living Security announces Unify Power Insights for risk operations

January 17: Human risk management firm Living Security has launched Unify Power Insights, which is intended to provide visibility into which employees are most vulnerable to risks such as phishing, account compromise, malware, or data loss. It does so by gathering intelligence data from multiple sources such as identity management and security tools. According to Living Security, Unify Power Insights allows security teams to observe grouping of user behavior and detect spikes in risky activities. The solution also provides suggestions to mitigate those risks.

Savvy launches Identity-First Security to manage IAM permissions

January 16: SaaS security platform provider Savvy has announced Identity-First Security, which is designed to discover risks associated with combinations of identity access management (IAM) permissions, user behavior, and business context. According to Savvy, Identity-First Security allows organizations to identify risks such as rogue administrators, compromised accounts, shadow identities, shared accounts, incomplete offboarding, and more. The solution also provides automated playbooks that set “security guardrails” that encourage users to mitigate risks before they become security incidents, the company claims.

GTT Communications brings Fortinet SASE to its MSSP offering

January 16: Managed network and security service provider GTT Communications now offers secure access service edge (SASE) capabilities powered by Fortinet. This includes Fortinet’s zero trust network access (ZTNA), firewall-as-a-service, cloud access secure broker (CASB), and secure web gateway (SWG) solutions, all working alongside GTT’s Managed SD-WAN offering. The Fortinet solutions are deployed within GTT’s network infrastructure and all traffic is maintained on the company’s global IP backbone. GTT claims this will reduce latency, jitter, and packet loss as well as improve availability.

Wiz AI-SPM now available for the OpenAI platform

January 11: CNAPP provider Wiz has announced an OpenAI SaaS connector that extends support for its AI-SPM AI security tool to the OpenAI API platform. The tool provides OpenAI developers with visibility into their OpenAI pipelines and allows them to better mitigate risks across the cloud and OpenAI via the Wiz Security Graph, the company claims. Security teams can now have visibility into new training jobs that AI developers create in a single view. AI-SPM also allows for attack path analysis to detect risks. The Wiz OpenAI SaaS connector for AI-SPM is available now.

Dasera adds Microsoft 365 to its data security posture management platform

January 10: Data security posture management (DSPM) firm Dasera has expanded its platform to include protections for Microsoft 365. This allows greater visibility of data across OneDrive, SharePoint, and Teams, according to the company, allowing organizations to better identify and manage sensitive data. With its DSPM platform, Dasera claims the enhancement will help optimize privacy processes using its policy engine as well as assess risk from files shared in Microsoft 365 apps.

Cohesity Cloud Services now supports Microsoft Azure workloads

January 9: Cohesity Cloud Services (CCS) has added support for Microsoft Azure workloads, specifically the backup and recovery of Azure virtual machines (VMs) and Azure SQL databases. The new Azure VM capabilities within CCS include backup and recovery of an entire VM in place or to an alternate location, region, or resource group, and support for Azure VM backup using private endpoints with a shared access signature. CCS Azure SQL database capabilities include full backups on a customizable schedule, automated backups, portability of SQL databases to and from the cloud, and immutable backups stored outside the tenant.

TitanHQ announces PhishTitan anti-phishing solution

January 9: Cloud-based email security solutions provider TitanHQ has launched PhishTitan Integrated Cloud Email Security (ICES). The solution works within Microsoft 365 to scan internal and external email messages. It has native and API-based integration with Exchange Online Protection (EOP) and Microsoft Defender. The company claims that PhishTitan ICES will block and remediate business email compromise, account takeover, VIP impersonation, and zero-day threats. The product is available now.

SpecterOps adds Active Directory Certificate Services protection to BloodHound Enterprise

January 9: SpecterOps has updated its BloodHound Enterprise (BHE) platform with new attack paths for Microsoft Active Directory Certificate Services (ADCS). The BHE platform is designed to remove identity attack paths in Microsoft Active Directory and Entra/Azure AD. The new ADCS attack paths focus on common misconfigurations that allow attackers to steal certificates, achieve account persistence, and gain control over Active Directory domains, according to the company.

LogRhythm releases updates to LogRhythm SIEM and LogRhythm Axon

January 4, 2024: LogRhythm has updated its self-hosted LogRhythm SIEM and cloud-native LogRhythm SaaS SIEM platforms. Enhancements to the former include more support for onboarding new Beats and Open Collectors from a single location, simplified Windows event log onboarding, improved analyst workflows while reviewing alarm notifications, and an expanded library of supported log sources. Enhancements to LogRhythm Axon include a new interactive single investigation screen that provides contextual case insights with drill-down of log sources and security analytics; an improved assisted search feature that suggests recent searches, search lists, and search queries; a new collector for Microsoft Office 365 Management API, and more efficient Axon Agent management for on-premises data collection.

Valimail launches Align to meet Google and Yahoo email authentication requirements

January 4, 2024: Valimail, a provider of DMARC, automated authentication, and anti-phishing solutions, has released Valimail Align, which is designed to validate compliance status for new sender authentication requirements from Google and Yahoo. Starting in February, Gmail and Yahoo bulk email senders will be required to authenticate outgoing mail or risk being blocked. Valimail claims that Align checks for alignment between the SPF and DKIM email protocols to meet the new requirements. Valimail’s automation suite can then be used to reach compliance in a matter of days, according to the company.

Mitiga announces Investigation Workbench to assess cloud and SaaS incidents

December 19: Mitiga has added Investigation Workbench to its line of cloud and SaaS incident response solutions. The company claims its new tool will provide more clarity on all multi-cloud and SaaS activities through a single view. Investigation Workbench, part of Mitiga’s IR2 cloud investigation and response automation (CIRA) platform, is designed to give security operation center teams visibility into chains of events across their cloud and SaaS environment. According to Mitiga, this allows for faster and simpler determination of materiality of a cyber event so that they can respond appropriately.

Kasada enhances it bot defense platform

December 19: Bot management firm Kasada has enhanced its bot defense platform and claims it can now better defend against the latest methods attackers use to evade detection. New features include randomized and dynamic defenses across its architecture to make them harder to bypass, machine language anomaly detection, integrity checks on client-side data collection, and attack analytics for classification, drill-down, and filtering. The new enhancements are available now to all Kasada customers.

AI-powered AskOmni bot designed to assist with SaaS security

December 19: SaaS security posture management (SSPM) firm AppOmni has introduced AskOmni, which it describes as an AI-powered SaaS security assistant. AskOmni works with the AppOmni SaaS security platform to allow natural language queries for common SaaS security decisions. Its generative AI technology helps security administrators to more quickly identify and remediate issues, the company claims. Other features include an context-sensitive chat interface and notifications, risk assessment, real-time threat intelligence, and automated code generation for issue resolution. AskOmni is now available as a tech preview and will be rolled out in phases during 2024

Safe Security adds module to assist in SEC Compliance

December 13: Safe Security has added a module to its platform to assist with achieving compliance with SEC reporting requirements. Safe Security, a specialist in AI-driven cyber risk management, said the SAFE Materiality Assessment Module will “enable security and risk leaders to achieve SEC compliance by estimating and tracking materiality of cyber incidents.”

The company said in a press release that the module is based on a tunable factor analysis of information risk (FAIR) materiality assessment model (MAM). “SAFE Materiality Assessment Module allows organizations to model estimated financial losses from top risk scenarios with FAIR-MAM to cost-effectively target security or cyber insurance investments,” said COO Pankaj Goyal. “This allows them to leverage the insights to prepare for the probable financial impact to follow. The SAFE Materiality Assessment Module is a game-changer for security and risk leaders.”

Telaeris announces RTLS emergency mustering system

December 13: Telaeris, a provider of handheld solutions for physical access control systems, has announced its XPressEntry Real-Time Location Systems (RTLS) Emergency Evacuation Mustering system. Powered by HID’d Bluetooth Low-Energy (BLE) beacons and gateways, the new product provides an automatic way to account for badged workers and visitors in emergency situations. Strategically placed BLE beacons keep track of badge locations, while gateways are placed at designated emergency assembly areas, so the system knows the location and identity of missing persons.

Google Cloud announces general availability of Duet AI in Security Operations

December 13: Google Cloud’s Duet AI in Security Operations is now generally available. Announced earlier this year at the RSA Conference, Duet AI in Security Operations can search through large data sets using natural-language queries, automatically generate summaries about case data and alerts, and provide context and recommendations for remediation.

Duet AI in Security Operations is included with Google Cloud’s Security Operations Enterprise and Enterprise Plus packages. Google Chronicle customers will have free access to Duet AI until March 5, 2024.

Perception Point launches security awareness training program

December 13: Threat prevention provider Perception Point said it has launched a new security awareness training program for its customers that will be integrated into its Advanced Email Security product. The program is intended to help organizations counter advanced social engineering attacks by focusing on employee behavior and tailoring cybersecurity training to specific needs, the company said in a press release. The training program leverage services from training services provider DCOYA and offers behavior-centric security awareness training to counter cyberattacks including advanced social engineering.

“The program leverages machine learning algorithms to seamlessly integrate best practices from behavioral psychology and marketing methods, automating training that is tailored to the specific needs of each employee,” the company said. “This reduces the likelihood of successful cyberattacks, data breaches, and other malicious activities.”

AI-powered analytics incorporated into Zscaler

December 12: Cloud security provider Zscaler has added Business Insights, an AI-driven analytics tool, to its Business portfolio. Business Insights will enable organizations to curtail SaaS sprawl and optimize office usage to improve workplace experience while saving money, the company claims.

The company said it has also incorporated enhancements to the wider portfolio include new AI-powered innovations within its Zscaler Risk360 and Zscaler Digital Experience Monitoring products. The additions were documented in a company blog.

Qmulos introduces real-time, data-driven compliance automation and auditing updates

December 12: Compliance, security, and risk management automation provider Qmulos has announced the general availability of its Q-Compliance V4.4.0 and Q-Audit V3.7.0 platforms. “The latest releases of both products add seamless workflow and ticketing capabilities to enable customizable processes for organization-specific security and compliance investigations, escalations, and approvals,” the company said in a press release.

Q-Compliance V4.4.0 introduces customizable system authorization workflows designed to provide organizations with streamlined authorization requests and approvals for their continuous authority to operate process, the company said. Q-Audit V3.7.0 includes alerting capabilities with ticketing workflows to provide real-time insights and actionable steps to fortify defenses against insider threats and other malicious activities. More information was made available on the company’s blog.

Censys adds threat-hunting tiers and enhancements

December 12: Threat-hunting intelligence platform Censys has added two new product tiers to its search tool, Censys Search Solo and Censys Search Teams. The additions are part of a series of strategic initiatives to enhance the security community, including the introduction of threat-hunting boot camps, the Censys Beta Workshop and significant upgrades to product infrastructure, the company said in a press release. Each tier is available month-by-month or on an annual basis, Censys said.

“Empowering the threat intelligence community is one of Censys’s biggest priorities, and with these two new product tiers, we can continue to help researchers enhance their threat hunting work, no matter the size of their team,” said Censys CEO Brad Brooks.

Descope Fine-Grained Authorization enables granular access control

December 12: Descope has launched an update to its authentication and user management software as a service platform by combining roles with relationships to create flexible access control.

With Descope’s SDKs and APIs, Fine-Grained Authorization (FGA) can define and assign permissions based on relationships between entities, enabling them to set up authorization systems that can match the nuances of their business. FGA allows organizations to add relationship-based access control (ReBAC) capabilities to their applications.

The new functionality allows organizations to define a schema listing out the types of entities and the possible relationships that exist within their app; store the schema so that it can be queried, managed, and updated as relationships evolve; build out relationships between specific entities based on the existing schema; and add checks within the app that can refer to the defined relationships before making authorization decisions.

Nedap launches Access AtWork SaaS access control system

December 11: Nedap has launched a software-as-a-service (SaaS) access control system called Access AtWork that the company claims will provide “companies looking to replace their outdated on-premises systems with modern and easy-to-use software that provides better insights with less effort and smaller investment.”

The new system will assist small to medium-size enterprises wanting in managing physical access across multiple sites, Nedap said in a post on its website. It operates on an authorization model that enables administrators to manage access based on hierarchical teams and zones. The solution is GDPR compliant and includes such security measures as redundant and secure hosting of data in certified datacentres within the European Union.

Fortinet adds Gen AI assistant to SIEM, SOAR platforms

December 11: Fortinet has added a generative AI assistant, Fortinet Advisor, to its FortiSIEM security information and event management solution and to FortiSOAR the security orchestration, automation, and response offering. According to Fortinet, Advisor is designed to help SecOps teams investigate and remediate threats faster.

Fortine Advisor features include interpreting security alerts and generating summaries, helps analysts by accepting natural language queries and returning useful results, suggests threat remediation plans and helps to generate playbook templates translating processes to actionable plans. The assistant will be continuously updated by Fortinet AI and product specialists with the latest threat information.

Nimbus-T Global introduces Nimbus-Key ID & Authentication System

December 11: Nimbus-T Global has added its Nimbus-Key ID & Authentication to the company’s line of identity and authentication products. It is an enterprise-level passwordless authentication solution that uses a dynamically encrypted Nimbus-Key ID. Each user gets their own global ID, which the system verifies using know-your-customer (KYC), AI, and biometrics methods.

Qrypt and Los Alamos National Labs develop quantum random number generator

December 7: Qrypt and Los Alamos National Labs (LANL) have developed Qrypt’s Quantum Random Number Generation (QRNG), which will be part of Qrypt’s cloud-based Quantum Entropy and Quantum Key Generation services by helping generate “true” quantum randomness. Qrypt and LANL use photon bunching to advance provable QRNG by meticulously filtering out classical noise, isolating the quantum effect essential for determining the system’s minimum entropy, according to Qrypt.

Netskope completes roll out of Localization Zones

December 7: Netskope has completed the rollout of Localization Zones to its NewEdge security private cloud, first introduced in February 2023. It provides a localized experience for over 220 countries and territories. The localization zones enable better digital experience as if going direct-to-net. It also provides native language and localized content support for websites, as well as access to geo-fenced content and applications, even if there is no in-country data center.

Coro 3.0 combines EDR, SASE, and email security into a single platform

December 6: Coro has launched its 3.0 version of its modular cybersecurity platform. Aimed at midmarket companies, Coro 3.0 has 14 integrated modules including endpoint detection and response (EDR), secure access service edge (SASE), email security, data governance, next-generation firewall (NGFW), and DNS filtering.

The company claims its new platform protects six key enterprise domains: cloud apps, endpoints, email, sensitive data, network, and users. All the modules can be managed and monitored through a single dashboard. Communication among the modules is handled by an AI-driven data engine that, according to Coro, automatically remediates threats and surfaces only the most critical events.

Coro sells each module individually or in bundles. Each module starts at $4 per user, per month. The cost for all 14 modules starts at less than $18 per user, per month.

Genetec announces new version of Security Center

December 5: Unified security, public safety, operations, and business intelligence provider Genetec has released a new version of its flagship Security Center platform, moving it to a continuous delivery approach.

The update adds new features including mapping enhancements, including a new map widget for dashboards and improved zoom behavior and configuration enhancements for authentication services. The company said it plans to release more features for Security Center throughout 2024 to enable advanced workflow activities.

Application security training provider Security Journey adds industry standard support

December 5: Coding and AppSec training provider Security Journey has added industry standard support capabilities to its platform. The company says it’s platform now includes support for Web Content Accessibility Guidelines (WCAG), System for Cross-Domain Identity Management (SCIM) and continued compliance with SOC2 Type 2.

“The new capabilities mean large enterprises can now provide application security education to their development teams from a platform that meets security, global accessibility, and automated user provisioning requirements,” Security Journey said in a press release.

These features ensure that in-depth training programs are provided to all learners including those who are sight and hearing-impaired, streamline user access and lifecycle management, and provide additional assurances on the rigorous security of the platform.

Cloudbrink adds firewall-as-service to zero-trust access platform

December 5: Cloudbrink has added firewall-as-a-service (FWaaS) to its zero-trust access solution that it says enables admins to set granular controls according to static and dynamic properties of end-users and their devices.

The company, which provides zero-trust application connectivity for hybrid workforces, claims that offloading remote-user security functions improves the stability of existing firewalls and the network performance experienced by remote users.

“Existing firewalls were never designed with a large work-from-anywhere workforce in mind,” Cloudbrink CEO Prakash Mana said in a press release. “Our FWaaS takes care of the remote users, leaving the existing firewall to do the jobs it was intended for — such as Layer 3 protection against DDoS attacks. If you’re only using a firewall to protect a remote workforce, the Cloudbrink service can replace it altogether.”

Cloudbrink’s FWaaS static properties include rules about what resources or applications can be accessed by individuals and the company said it plans to release dynamic properties covering device compliance as well as extended reporting capabilities enabling security and networking teams to spot anomalies based on user behavior and opportunities to tune application performance.

Varonis launches automated security for data in multi-cloud environments

December 5: Varonis has updated its cloud-native platform to help customers continuously discover regulated data, remediate misconfigurations and excessive access, and stop attacks on data in services such as Azure Blob and AWS S3, RDS, and unmanaged databases in EC2.

The update was designed to improve users’ access to a centralized overview of data and cloud security posture. It also aims to help discover and classify sensitive data stored in Azure Blob and AWS databases; identify and remediate exposure risk through excessive access, misconfiguration, and third-party applications; and monitor activity to detect and investigate threats across the cloud ecosystem.

Databarracks launches cloud-based recovery landing zone

November 30: Databarracks launched Jump-Start, a preconfigured, cloud-based disaster recovery landing zone. By using infrastructure as code, resources, networking, security, and governance can be activated for recovery.

Databarracks claims that deploying the disaster recovery in the cloud through infrastructure as code means it’s isolated, secure and unaffected by issues to production. “Recovery is accelerated because we bring the backups and the recovery environment together,” Databarracks MD James Watts said in a statement.

The benefit, according to the company, is that there is no need for alternative hardware available or a recovery site.

Uptycs announces Cross-Cloud Anomaly Detection Engine

November 29: Uptycs announced its Cross-Cloud Anomaly Detection Engine, which is, according to the company, capable of analyzing billions of events in near-real time. The tool helps identify potential breaches on workloads running on AWS and hybrid multi-cloud environments.

Uptycs uses machine learning techniques and correlates anomalies with MITRE Engenuity’s ATT&CK Evaluations: Enterprise detections to minimize the time to detect threat behavior.

Piiano launches code analyzer

November 29: Piiano has launched code analyzer Flows. The tool is designed to continuously analyze source code during the development process and to track when, where and how sensitive data is being used and stored. Piiano claims the tool finds potential data leaks inside source code and ensures that sensitive information is protected before the code reaches production.

A trial, limited version of Flows will be available for free until the end of 2023. After that the pricing model will depend on the number of scans and number of code repositories.

Skyhawk adds AI-based, autonomous purple teaming to platform

November 28: Skyhawk Security has introduced an AI-based, autonomous purple team to its platform to provide adaptive cloud threat detection and response.

The addition of its Continuous Proactive Protection feature to Skyhawk’s cloud threat detection and response Synthesis Security Platform continuously enhances the protection of a customer’s cloud, the company said in a press release.

According to Skyhawk, the new offering continuously analyzes customer cloud infrastructure, proactively runs attack simulations against it and uses the results to prepare verified detections, validated automated responses and remediation recommendations to ensure the cloud has the most up to date security defenses in place.

This process includes learning and automated adaptation of threat detection to enable security teams to take proactive and adaptive approaches to security strategy. The feature runs an AI-based red team against an AI-based blue team to discover least-resistance paths, simulating attacks against them and using the results to improve security.

Lacework launched gen AI assistant to support alert response

November 28: Lacework launched a generative AI assistant to help security teams respond to alerts from the Lacework platform. Assistive AI is designed to help teams understand why they should look at a particular alert and also offers guidance on how to investigate and address the issue.

The assistant combines the insights generated from Lacework Polygraph machine learning with the assistive technology from LLM’s. Lacework also uses generative AI model services from Amazon Bedrock, experimenting with different models.

Immuta integrates Data Security Platform with Amazon S3 

November 27: Data security firm Immuta has introduced native integration between its Immuta Data Security Platform and Amazon’s Simple Storage Service (Amazon S3) object storage service. This integration provides customers with streamlined data access control and security across storage and compute platforms using Amazon S3 Access Grants, a new Amazon S3 access control feature that enables customers to manage data permissions at scale for user identities managed by corporate directories.

“Immuta helps simplify data access and security for data stored in Amazon S3 so users can more safely leverage that data for their analytics and AI initiatives. This, paired with Immuta’s ‘write once, apply everywhere’ policy approach, helps customers democratize and increase data usage while still adhering to global regulations,” CTO Steve Touw said in a press release.

Amazon S3 stores more than 350 trillion objects with over 100 million requests per second to process a multitude of workloads including artificial intelligence and data analytics. The recently added AWS Access Grants feature maps identities in directories such as Active Directory, or AWS Identity and Access Management (IAM) Principals, to datasets in S3, helping to manage data permissions at scale by granting S3 access to end-users based on their corporate identity.

Trend Micro launches AI assistant

November 27: Trend Micro launched Trend Companion a generative AI tool designed to help analysts save time on manual risk assessment. The company claims the tool explains and contextualizes alerts, triages and recommends customized response actions, decodes and explains complex scripts and command lines, helps analysts develop and execute sophisticated threat hunting queries, and helps incident responders develop OSQuery queries in the IR and forensics module.

The combination of adaptive, model-driven threat alerts in Trend Vision One and Companion’s gen AI capabilities can accelerate incident response times by 30%, reduce incident reporting by up to two hours per report, and drive more complete attack containment, according to Trend Micro.

Sumo Logic adds new features to its platform to better integrate with AWS services

November 27: SaaS analytics platform Sumo Logic has added new features and updates to its platform to expand and accelerate troubleshooting and security across AWS environments.

The new features include Sumo Logic Log Analytics for AWS, which “delivers a curated view and a single pane of glass for monitoring and troubleshooting AWS services easily and effectively,” the company said in a press release. “The zero-configuration solution automatically collects logs and metrics data from 12 core AWS services including EC2, Lambda, ECS, RDS, DynamoDB, API GW, and Load Balancers, in one single step.”

Sumo has also added Cloud Infrastructure Security for AWS, designed to provide insight into active threats, non-compliant security controls, and suspicious activity across complex AWS environments.

The company said it has added several new features to its artificial intelligence and machine language models:

• AI-Driven Alerting uses advanced anomaly detection, machine learning, and intelligent playbooks to reduce the noise of daily alerts and false alarms by highlighting the most critical issues that require immediate attention.
• Global Intelligence for AWS CloudTrail DevOps gives insight into AWS performance and configuration.
• Global Intelligence for AWS CloudTrail SecOps enables the detection of potentially malicious configuration changes in AWS accounts by using a machine-learning model to compare CloudTrail events against a cohort of AWS customers.

Fortanix launches Key Insight hybrid multi-cloud environment risk tool

November 27: Data security firm Fortanix has launched the Key insight as an included capability in its Fortanix Data Security Manager platform. Key insight is designed to discover, assess, and remediate risk and compliance gaps across hybrid multi-cloud environments.

Key Insight provides consolidated insights and control of all cryptographic keys to protect critical data services, the company said in a press release. “Security, cloud and developer teams can collaborate to assess risk posture and remediate compliance gaps consistent with policies, regulatory mandates, or industry standards (NIST, GDPR, PCI, etc.),” Fortanix said.

Wiz brings native AI security capabilities to its CNAPP

November 16: CNAPP vendor Wiz has introduced Wiz for AI Security, which adds native AI security capabilities to its cloud-native application protection platform. It has four main components: AI Security Posture Management (AI-SPM), an AI security dashboard, and AI extensions for Wiz’s Data Security Posture Management (DSPM) and Attack Path Analysis capabilities.

AI-SPM is designed to mitigate the risk of shadow AI by providing visibility into all resources and technology in an organization’s AI pipeline. The company claims it can detect AI services across cloud services, SDKs, and AI technologies such as AWS SageMaker, GCP Vertex AI, and Azure Cognitive Research.

By extending DSPM to AI, Wiz aims to identify and protect AI training data in the cloud by providing out-of-the-box controls. Attack paths that risk data leakage or poisoning can then be removed.

Attack Path Analysis can now assess AI pipeline risk across vulnerabilities, identities, data, misconfigurations, and more. Those risks can then be correlated on the Wiz Security Graph and potential attack paths can be removed.

Wiz’s new AI security dashboard is intended to help AI developers understand their AI security posture. It provides a prioritized list of risks as well as an AI inventory and known AI SDK vulnerabilities.

IONIX adds exposure management features to its attack surface management platform

November 16: IONIX has announced the launch of Threat Exposure Radar, which the company calls the first threat exposure management capability. IONIX will integrate the new technology with its attack surface management (ASM) platform. IONIX claims that Threat Exposure Radar provides a unified view of exposure to threats across the enterprise including cloud, on-premises, SaaS, and third-party systems.

The new solution consolidates security findings into a single view with two options: a radar-like visualization and a summary table from which users can drill down for more explanation or instructions for mitigating the exposed assets. Data is color-coded to highlight urgent items needing attention.

Living Security announces Human Risk Operations Center

November 15: Living Security has announced the Human Risk Operations Center (HROC), a combination of the security operations center (SOC) security awareness and training, and governance, risk, and compliance (GRC) teams. HROC is powered by the company’s Unify platform and aggregates and correlates employee behaviors using data from an organization’s existing security tools.

The company claims it offers one pane of glass with real-time visibility into a company’s riskiest people, departments, and programs. This helps SOC and GRC teams plan next actions and measures the impact of improving policies and behaviors. It supports API integrations for some of the most popular security tools including CrowdStrike, Microsoft, Proofpoint, and Zscaler.

HROC is available now and can be deployed in existing Security Operations Centers or as a standalone offering worldwide, and it is priced based on the size of the organization.

SecureAuth announces new release of Arculix access management and authentication platform

November 15: SecureAuth has released a new version of its Arculix access management and authentication platform. The new release includes enhancements to its Orchestration Engine and improved integration with some Citrix applications and Microsoft Entra ID (formerly Azure). Orchestration Engine improvements include a no-code, drag-and-drop environment to more easily integrate and deploy identity services. Administrators can customize the end-user identity lifecycle including registration, verification, authentication, and post-authorization. Orchestration Engine is available to customers who use the premium version of Arculix, which is sold on a per-user/monthly active user basis.

By integrating with Citrix through its Device Trust solution, Arculix can provide what SecureAuth promises to be a “frictionless login experience.” Arculix can now authenticate users directly against Microsoft Entra ID, allowing for pass-through authentication.

Sophos adds three new threat detection and response solutions

November 14: Cybersecurity-as-a-service vendor Sophos has announced three new solutions and capabilities designed to protect against active threats. Sophos Firewall v20 software with Active Threat Response will identify, stop, and block attacks without the need to add firewall rules, according to the company. The new version also integrates with Sophos’s Zero-Trust Network Access (ZTNA) gateway, which allows secure remote access to applications behind the firewall. The company has also enhanced the network scalability of Sophos Firewall to support distributed environments, and it has improved ease-of-use management.

Sophos Extended Detection and Response (XDR) and Managed Detection and Response (MDR) customers now have access to Sophos Network Detection and Response (NDR) with XDR. Sophos NDR scans network activity for potentially malicious traffic patterns.

Finally, Sophos has enhanced its XDR solution with more third-party integrations to connect security data across multiple sources for faster detection and response, according to the company. Security operations and analyst workflow and case management features have also been improved to better filter alerts and provide visibility from a single console.

OneSpan adds passwordless authentication to its DigiPass Authenticator line

November 14: Digital agreements security company OneSpan has announced an enhancement to its Digipass Authenticators line. DIGIPASS FX1 BIO enables passwordless authentication via a physical passkey and fingerprint scan. The company claims this combination of biometric authentication and public-key cryptography will help companies meet compliance requirements, reduce phishing and other social engineering attacks, and improve the user experience. DIGIPASS FX1 BIO is based on the FIDO standard.

Stream Security announces Cloud Twin cloudsecops platform

November 14: Stream Security (formerly Lightlytics) has announced three new features for its Cloud Twin engine, a cloud security operations (cloudsecops) platform that can help detect and investigate threats and exposures in their cloud environments. The company claims it can now map cloud dependencies in real-time rather than periodically, allowing security and operations teams to better cooperate to address security gaps.

The new features, which will be automatically available to existing customers, are:

• Azure integration: Cloud Twin now supports Microsoft Azure, which Stream Security claims allows it to model all the possible paths and traffic between different cloud platforms.
• Vulnerability correlation: The platform can help security teams prioritize efforts by correlating vulnerabilities with their exploitability level.
• Threat anomaly detection: Cloud Twin now has threat anomaly detection capabilities to identify malicious behavior and unauthorized access.

Kasada launches KasadaIQ attack prediction services

November 14: Threat detection and management firm Kasada has launched a new attack prediction platform designed to counter bot fraud. The KasadaIQ suite debuted with its first service, KasadaIQ for Fraud, with plans to add more capabilities in the future.

KasadaIQ for Fraud is designed to provide businesses with insight into how bots target digital channels and customer data by offering visibility into non-traditional data sources and adversary communities through the “capability to detect attacks before they happen and confirm threats that would otherwise go undetected,” the company said.

Core functions of KasadaIQ for Fraud include:

Unconventional sourcing: Kasada monitors activity within non-traditional sources — including resale marketplaces, fraud groups, proxy providers, account generation groups, and hosting providers.

Early warnings: Kasada’s analysts first identify and vet current and emerging threats within its data system, then send out advance alerts. 

Bot acquisition and analysis: Kasada secretly purchases bots in circulation and extensively analyzes how they work.

Stolen credential analysis: Kasada purchases and evaluates stolen credential sets from criminal marketplaces to help the customer remedy security gaps and online fraud.

Dedicated analyst hours: Customers receive a set amount of analyst hours for Kasada to investigate what’s most relevant to their needs, such as intel on fraud groups or reverse-engineering attacks.

Professional services: Kasada will scope custom requirements and provide expert guidance on how to best achieve the desired outcomes.

Cycode debuts ConnectorX with application security posture management capability

November 14: Application security posture management (ASPM) provider Cycode has launched its click-and-consume third-party ASPM connector platform ConnectorX and announced significant enhancements to its risk intelligence graph (RIG) for risk-based prioritization. The platform aims to foster improved collaboration between security and development teams. It includes more than 40 software development lifecycle integrations, including the introduction of support for Wiz and Black Duck.

The Cycode platform provides companies with the choice to use its native ASPM tools or maximize investments in their existing AppSec tools. Companies can plug in any AppSec solution and “within minutes,” gain accurate, real-time visibility into their security posture, according to the company.

DirectDefense ThreatAdvisor 3.0 aims to streamline security operations with SOAR technology

November 14: Information security services company DirectDefense has launched ThreatAdvisor 3.0, a major update to its proprietary security orchestration, automation, and response (SOAR) platform. ThreatAdvisor 3.0 is designed to improve the speed, efficiency, and accuracy of DirectDefense’s Security Operations Center (SOC), the company said in a press release.

The platform offers customized continuous security monitoring and management, automates manual processes, and includes an extensive knowledge base for compliance, security events and mitigation techniques. ThreatAdvisor 3.0 integrates with other solutions to provide a single interface for threat management with more data and better context, the company claims. The platform collects and processes vulnerability and asset data from several sources and compiles them into a holistic view of an organization’s security posture, supporting penetration testing, operational technology (OT) and industrial control systems (ICS) assessments, vulnerability management, managed detection and response (MDR), compliance assessments, and enterprise risk management.

Lacework Code Security expands coverage to full application lifecycle 

November 14: Cloud security firm Lacework has added the Code Security product to its infrastructure-as-code (IaC) suite to unify code and cloud security with the aim of allowing enterprises to innovate and deliver secure cloud-native applications with increased speed.

Lacework Code Security introduces two forms of static program analysis — software composition analysis (SCA) targeted at third-party code in customers’ repositories, and static application security testing (SAST) targeting first-party code. The Lacework platform now encompasses code as it is written, infrastructure as code, containers, identity and entitlement management, and runtime across clouds.

Lacework added that customers will have access to always-up-to-date software bills of materials (SBOMs) for every application and continual visibility into their software supply chain, as well as an understanding of open-source license risk.

Palo Alto Networks updates Cortex XSIAM

November 13: Palo Alto Networks has announced Cortex XSIAM 2.0, an updated version of its existing product that now has a command center, MITRE ATT&CK Coverage Dashboard and bring your own ML (BYOML) among other updates.

The new features are:

• XSIAM Command Center: With a more user-friendly design, XSIAM Command Center offers a comprehensive overview of SOC operations, including visibility into all data sources being consumed by XSIAM, security alerts and incident information, such as the number of resolved or open security incidents.
• MITRE ATT&CK Coverage Dashboard: This is designed to allow mapping coverage directly to MITRE ATT&CK, providing detailed visibility of detection and prevention coverage across tactics and techniques into the MITRE ATT&CK framework.
• Bring your own ML: For organizations that want to build their own custom ML model, XSIAM ingests complete security data across hundreds of supported sources to enable better out-of-the-box AI/ML analytics. SOCs can use this to create and customize ML models as well as integrate their own models.
• Contextual in-product help assistant: Access to product help and documentation without the need to navigate out of the product.
• New security protection: Improve detection and protection coverage capabilities with new modules for early detection of threats targeting macOS ransomware, Kubernetes(K8s) and master boot records (MBRs).
• Network detection (NDR) coverage: Expand the network coverage of the endpoints with over 50 new detectors covering generic and specific protocol-based threat detection.
• Advanced Local Analysis for macOS and Linux: Provides enhanced coverage for local analysis of macOS and Linux file systems, leveraging ML models to provide accurate and adaptive responses to evolving threats.
• Free text search: A simplified search that enables analysts to query the entire security data set, without the need to craft specific XQL queries.
• New attack surface management (ASM) policies: New ASM policies added to the existing library of over 700 policies.

Researchers warn that thousands of servers have been compromised over the past seven months because of lack of authentication by default in an open-source compute framework called Ray, which is used to distribute machine learning and AI workloads. The framework’s developers don’t recognize the lack of built-in authentication as a vulnerability since it’s an intentional and documented design decision, but this hasn’t stopped organizations from exposing deployments to the internet.

“Thousands of companies and servers running AI infrastructure are exposed to the attack through a critical vulnerability that is under dispute and thus has no patch,” researchers from runtime application security firm Oligo said in a report this week. “This vulnerability allows attackers to take over the companies’ computing power and leak sensitive data.”

So far Oligo has identified compromised servers from organizations in many industry sectors including education, cryptocurrency, biopharma, and video analytics. Many of the Ray servers had command history enabled, meaning attackers could easily discover sensitive secrets that were used in previous commands on those servers.

Ray is often used to run workloads that are used for training, serving, and tuning AI models and some of the jobs include Python scripts and bash commands that can contain credentials needed to integrate with third-party services. “An ML-OPS environment consists of many services that communicate with each other, inside the same cluster and between clusters,” the researchers said. “When used for training or fine-tuning, it usually has access to datasets and models, on disk or in remote storage, such as an S3 bucket. Oftentimes, models or datasets are the unique, private intellectual property that differentiates a company from its competitors.”

An intended feature with security implications

Last year security researchers from Bishop Fox found and reported five vulnerabilities in the Ray framework. Anyscale, the company that maintains the software, decided to patch four of them (CVE-2023-6019, CVE-2023-6020, CVE-2023-6021 and CVE-2023-48023) in version 2.8.1, but claimed that the fifth one, assigned CVE-2023-48022, was not really a vulnerability so it was left unfixed.

That’s because CVE-2023-48022 is actually directly caused by the fact that the Ray dashboard and client API do not implement authentication controls. So, any attacker who can reach the API endpoints can submit new jobs, delete existing jobs, retrieve sensitive information, and essentially achieve remote command execution.

The problem is, as a framework whose main goal is to facilitate the execution of workloads across compute clusters, “remote command execution” is essentially a feature and the lack of authentication is also by design. “Due to Ray’s nature as a distributed execution framework, Ray’s security boundary is outside of the Ray cluster,” Anyscale said in its advisory. “That is why we emphasize that you must prevent access to your Ray cluster from untrusted machines (e.g., the public internet). This is why the fifth CVE (the lack of authentication built into Ray) has not been addressed, and why it is not in our opinion a vulnerability, or even a bug.”

The Ray documentation clearly states that “Ray expects to run in a safe network environment and to act upon trusted code” and that it’s the responsibility of developers and platform providers to ensure those conditions for safe operation. However, as we’ve seen with other technologies in the past that lacked authentication by default, users don’t always follow best practices and insecure deployments will make their way on the internet sooner or later. While Anyscale doesn’t want users to put all their trust in an isolation control like authentication inside Ray instead of isolating the entire framework and clusters with external controls, it has decided to work on adding an authentication mechanism in future versions.

Insecure-by-default configurations

Until then, however, many organizations are likely to continue to unwillingly expose such servers to the internet because, according to Oligo, many deployment guides and repositories for Ray, including some of the official ones, come with insecure deployment configurations. Misconfigurations are also made easier by the fact that by default the Ray dashboard and the Jobs API binds to 0.0.0.0, which basically means all available network interfaces on a system and opens port forwarding in the firewall to all of them.

“AI experts are NOT security experts—leaving them potentially dangerously unaware of the very real risks posed by AI frameworks,” the researchers said. “Without authorization for Ray’s Jobs API, the API can be exposed to remote code execution attacks when not following best practices.”

Despite the dangers posed by new threats like generative AI, a new study from Cisco found that security teams are “overconfident” and comfortable in their ability to cope with a rapidly changing threat landscape.

The study published today surveyed more than 8,000 cybersecurity decision-makers around the world, and found that nearly three-quarters of them expected a cybersecurity incident to disrupt their business sometime in the next two years. Fully 80%, however, said that they were anywhere from “moderately confident” to “very confident” in their ability to deal with such incidents.

Cisco’s own analysis rated respondent organizations on the maturity of their security posture, from “beginner” at the low end to “mature” at the high end. Most rated as “formative,” or a step above beginner, with the bottom two categories making up 71% of organizations polled.

Part of the problem that most companies are facing, according to Cisco, is the complicated nature of their security stacks. More than two-thirds of respondents said that their company had more than 10 separate offerings in their security stack, and a quarter said they had 30 or more.

“This reflects the way in which the industry has evolved over the years,” the report read. “As new threats emerged, new solutions were developed and deployed to counter them, either by existing vendors or new ones.”

Frank Dickson, group vice president for IDC’s security and trust research practice, said that the concern about complicated tool stacks is far from a new one.

“We’ve been having that debate in security for ten years,” he said.

Efforts to centralize security systems have been around for just as long, he said, but for too long, the offerings peddled as “platforms” weren’t really anything of the sort — more bundles of interrelated products than true foundations for all-around security.

That’s finally beginning to change, however, Dickson said.

“We’re really starting to see big vendors offering truly integrated products that are decreasing complexity,” he noted. “And companies are now realizing that this ‘best-of-breed’ approach is untenable.”

The rise of generative AI, as well, represents a key threat to the security posture of the enterprise, according to the report. There are a number of different ways that generative AI may contribute to a worsening security landscape, including data theft and spam, but, according to Dickson, the biggest concern may be iterating on the present day’s most popular technique for initial compromise.

“The number-one way bad actors get into our networks is phishing emails, and it’s now a lot easier to send convincing ones,” he said.

To combat this and other threats, Cicso recommended several courses of action to businesses, including investment in cybersecurity, closing vulnerability gaps created by unmanaged devices, and keeping a weather eye on developments in generative AI technology.

Iran launched its own campaign targeting Israel as the war commenced on October 7. Initially, Iran’s efforts were reactive, and its influence campaign focused on disseminating misleading information.

Iranian and Iran-affiliated groups quickly grew more coordinated in their efforts, adding targeted cyberattacks to add to the confusion and mayhem about the situation on the ground. As time has worn on, this two-pronged approach is expanding its reach worldwide to involve more nations and impact the global dialogue about the ongoing conflict.

The evolving nature of Iran’s campaign presents both a present concern and a template for future attacks against organizations and society as a whole. For defenders, understanding how these threats unfold across three distinct phases may help identify vulnerabilities and attack vectors.

Phase 1: Reactive and misleading

Immediately after the conflict began, Iran’s state media and affiliated news agencies began by making claims that turned out to be provably false or unrelated, such as the boast that a hacking group successfully attacked an Israeli power company at the same time as the initial attack by Hamas. Old news reports of power outages and undated screenshots were the only proof offered. The same hacking group claimed to later leak documents from another Israeli power plant; an examination of the documents revealed they had been leaked more than a year earlier.

Along with reusing older material, Iran-affiliated threat actors used credentials gathered in earlier attacks to leak unrelated information in order to add to the confusion. Personal data from an Israeli university was leaked on October 8, although there appeared to be no connection to Hamas’s attack, suggesting that the target was opportunistic.

The influence campaign’s reach was widest early on

The reach of Iranian state-affiliated media surged during the early days of the war. Microsoft AI for Good Lab’s Iranian Propaganda Index rose by 42% that first week, reflecting additional traffic visiting Iran’s state and state-affiliated news sites. English-speaking countries made up much of that increase, in particular Australia, Canada, and the U.K. A month later, worldwide traffic to these sites remained at nearly 30 percent higher than before the war.

An important element in the early stage of the influence campaign was speed. Multiple actors moved quickly, spreading misleading messages within hours or days of the start of the conflict. This may reflect the ease of launching a cyber-enabled influence campaign, as opposed to a full-blown cyberattack strategy.

Phase 2: All-hands-on-deck

As fighting continued through October, more Iranian groups turned their focus on Israel. More critically, these threat actors evolved their tactics to include active cyberattacks against specific targets. Data deletion and ransomware surged, and IoT devices were targeted. At this point, groups became increasingly coordinated in their efforts.

At the beginning of the war, nine Iranian groups were targeting Israel, but by the end of the second week, Microsoft Threat Intelligence tracked 14 groups. Some of these attackers went after the same targets using both cyber and influence techniques. This suggests coordination or common goals.

Iran quickly linked threat actors and techniques

Cyber-enabled influence operations also increased over the first several weeks, with more than twice the activity as at the start of the conflict. For example, one group used ransomware to impact some security cameras in parts of Israel; the same group then used an online persona to say those cameras were on an Israeli Air Force base. This false claim was meant to overstate the Iranian group’s capabilities.

By the end of October, Iran’s operations became more extensive and sophisticated in their use of inauthentic amplification. Using multiple false or stolen online personas (“sockpuppets”), they sent emails and texts to spread fabricated messages, often using compromised accounts to add a veneer of authenticity.

Phase 3: Expanding geographic scope

As the conflict wore on, the Iranian groups widened their cyber-enabled influence activities to target nations they saw as providing support to Israel. Cyberattacks targeted Bahrain, the U.S., and possibly Ireland. In the U.S., Iran-affiliated groups targeted industrial computers made in Israel, including one such device at a water authority in Pennsylvania.

Meanwhile, their cyber-enabled influence campaigns grew more nuanced, with updates to their sockpuppets’ profiles. The groups also began using AI to create new content for these online personas to distribute, along with hacking streaming television channels to show AI-generated “news reports.” These hacks were reported to impact viewers in the UAE, Canada, and the UK.

Understanding the evolving threat

Over time, the Iranian groups refocused their efforts from quick, opportunistic responses to more coordinated, multi-pronged operations. Multiple groups worked in concert to deploy both cyberattacks and cyber-enabled influence campaigns, becoming more destructive while growing in scope. For defenders worldwide, it is essential to raise awareness of this expanding threat environment while actively tracking the widening array of participants and threat actors.

To learn more about Iran’s cyber-influence operations, read this Microsoft Security Insider Nation state report or listen to the Microsoft Threat Intelligence Podcast.

Cybersecurity preparedness and financial success are strongly correlated with companies that maintain strong security measures, outperforming peers with only basic defenses by as much as 372% in shareholder returns, according to a report by Diligent and Bitsight.

The report, which analyzed data from more than 4,000 global companies, found that over a three-year period, the average total shareholder return for companies with advanced security performance ratings was 67%, compared to 14% for companies with only basic ratings.

Over a period of five years, companies in the advanced performance range showed an average total shareholder return of 71%, while those in the basic performance range recorded an average return of 37%.

“Some of the companies with high cybersecurity scores are in high-growth sectors, such as technology, that have had strong financial performance over the last several years,” the report’s authors said. “Additionally, the improved performance may also stem from the fact that companies in the advanced security performance bracket also possess robust governance fundamentals.”

While it might be a stretch to draw a direct link between better financial performance and good cybersecurity, “we know that the insurance industry is beavering away to pool actuarial data together,” Gareth Lindahl-Wise, CISO of managed detection and response provider Ontinue, told CSO. “What is indisputable is the positive advantage organizations derive from perceived and actual high levels of cybersecurity performance on reputation.”

Risk and audit committees linked to better cybersecurity performance

The report also found that companies with specialized risk or audit committees demonstrated a more robust cybersecurity performance than those without either. The report’s rating system assessed companies a cybersecurity rating between 250 and 900 — those with specialized risk committees received a median rating of 730 and those with audit committees a median rating of 720.

The report emphasizes the direct involvement of cybersecurity experts within these committees as a critical factor. Companies with cybersecurity experts on either audit or specialized risk committees achieve an average security performance rating of 700, significantly higher than the 580 rating for companies with such experts only on the general board.

The report also highlights that highly regulated industries typically outperform others. The healthcare sector led with an average security rating of 730, while the financial services sector accounted for a significant proportion (33%) of companies that demonstrated advanced security performance, with an average rating of 720. Conversely, 24% of companies with basic security performance came from the industrial sector. The communications sector, according to the report, has the lowest overall performance rating at 630.

Highly regulated companies and industries traditionally adopt cyber programs and best practices more quickly because they’re used to, and better at, managing their risk, said Dave Gerry, CEO of cybersecurity firm Bugcrowd. “Ensuring that they are in compliance with the regulatory requirements they face is in their culture; adding cyber is simply another requirement they need to comply with,” he added.

More board involvement means more internal scrutiny

Companies with audit committees typically fare better than others when it comes to cybersecurity because of internal scrutiny, Lindahl-Wise said. “An informed audit (and more often an audit and risk committee) is more aware and aligned to the actual risks organizations are facing and will hold them to remediation plans than generic risks regulations focus on,” he said. “One envisages that the time to remediation of risks will be quicker with organizations with active audit committees in place.”

Companies with robust cybersecurity measures are not only taking concrete measures to protect their systems and sensitive data, but modern, next-generation solutions can also streamline operations and make employees more efficient, said Patrick Tiquet, vice president of security and architecture at Keeper Security. For example, a digital password manager can autofill passwords and reduce help-desk costs by significantly lowering the number of password-reset requests. “Automating routine tasks like these allows organizations to free up valuable resources they can then direct towards their business growth and strategic initiatives.”

Cyberattacks on utilities more than doubled from 2020 to 2022. It’s likely the case that the rapid growth of connected assets is outstripping security capabilities. One analyst firm predicts that by 2026, industrial organizations will have more than 15 billion new and legacy assets connected to the cloud, internet, and 5G.

Security and IT leaders at utilities should consider a Zero Trust approach as they confront this threat. Zero Trust is a popular cybersecurity strategy that eradicates implicit trust and continuously validates every stage of a digital interaction. It’s a practical and helpful way to keep networks, assets, and remote operations secure.

Three factors complicating utility cybersecurity  

Utility companies rely heavily on operational technology (OT) networks, which today contain many legacy devices that weren’t intended to be connected to the internet and so they weren’t built with security in mind. These are technologies that largely lie behind the scenes and go unpatched and non-updated. This can make securing utilities especially challenging.

Another factor adding to the challenge is the rise of remote operations as it requires granting access to employees, vendors, and partners who may be accessing data, devices, and facilities from anywhere in the world.

Many industrial control systems (ICS) and SCADA assets possess external connections. Some third-party vendors, for instance, remotely support, update, and maintain industrial equipment and systems. They can efficiently and effectively find and fix issues, which reduces downtime so that critical infrastructure can remain in continuous operation. Yet ironically, this activity also creates a security vulnerability. 

Creating a Zero Trust environment

The Zero Trust model helps to create a full inventory of connected devices and informs security teams about any anomalous network behavior. This model makes it easier for Utilities to keep their remote workers secure across a broad swathe of functions and responsibilities. This is possible because Zero Trust provides a standardized framework for safeguarding the plethora of devices and sensors within and outside a plant.  

Three of the main Zero Trust principles that help utilities are:

1. Begin with comprehensive visibility: You can’t protect what you can’t see. Get a comprehensive and accurate view of your OT threat surface for your organization.
2. Implement least-privilege access control and segmentation: Partition your OT networks so that they are separated from the internet and corporate IT. Make sure every user has the least access possible to fulfill their job roles.
3. Constantly verify trust and inspect security: Make sure your security system can continuously inspect all network traffic and verify the security of all users, OT assets, and applications.

Improving remote operations with Zero Trust   

Utilities, which the federal government considers part of the nation’s critical infrastructure, must get these authentication, access, and connectivity issues solved. Attacks against these entities aren’t theoretical. Earlier this year, 22 energy firms were hacked in a coordinated effort against Denmark’s critical infrastructure. The attack was discovered quickly, without impact on customers, but it could have left more than 100,000 people in Denmark without power in a worst-case scenario.

And similar types of attacks will continue to occur, making vigilance and secure remote access critical. With a thorough Zero Trust framework, utilities can better:

• Create secure remote work access – Both in-house and remote workers benefit from a Zero Trust approach, from design engineers to sales staff to business partners and other third parties. Contractors or other third parties could be using unmanaged devices, which makes this approach particularly important.
• Have dependable access and management – Across all cloud applications, OT, and IT, users only have to learn one interface, and network admins only have to manage one system. This approach minimizes potential loss of data and errors by limiting access to only what users need to do their jobs.
• Continuous inspection – A total Zero Trust framework not only controls access, but continuous and advanced security inspection allows legitimate traffic while foiling threats.

Because Zero Trust helps lower the time related to buying, implementing, and operating a distributed remote access environment, this approach also benefits an organization’s bottom line. 

Making remote work in utilities secure

As utilities manage an expanded network surface and more remote and hybrid employees, it’s becoming increasingly difficult for security and IT staff to address all the new challenges that these changes bring. The saying “trust, but verify” may have made sense before the age of computers, but not anymore. Today, organizations are better served by a new saying: trust nothing, verify everything. 

The critical infrastructure sector, of which utilities are a part, must adopt the Zero Trust approach as ongoing cyberattacks by remote threat actors – or innocent employee and partner mistakes – escalate the threat level. The journey of a thousand miles begins with a single step, and this journey towards Zero Trust can take some time, but it’s one that utilities must take.

To learn more, visit us here.

Employees in the US are opening themselves and their organizations to a range of cyberattacks as a vast majority is found to be using corporate devices, with sensitive access to corporate resources, for personal browsing, according to a CyberArk study.

The study, which asked browsing-related questions to more than 4000 office workers in the US, found that more than 97% of them used the same devices, including phones, laptops, tablets, and desktops, for both work and personal activities.

“We are often blind to what is going on within a web browser and we assume the best, but security-by-assumption is a risky proportion,” said Michael Sampson, an analyst at Osterman Research. “With so many activities in the enterprise being undertaken from a browser – rather than a rich client – it’s a treasure chest for cyberthreat actors if they can figure out ways to compromise sensitive information.”

Cyberark has also launched an identity-centric secure browser to help employees adopt safe browsing with an enterprise-grade, custom-built browser.

Employees need secure browsing regimes

The study revealed that 17% of employees are always using the same device for workplace as well as personal browsing, while 78% of them have done so at least once.

When asked what could be leading to such oversight by workers, Archit Lohokare, GM for Workforce Solutions at CyberArk, provided two possible explanations.

“Firstly, people may have both personal devices and work devices but device management or policy from the IT team might mean each device is equally able to access corporate resources, or there is no such policy, so employees would just use whichever is most convenient,” Lohokare said. “The second big reason would be the continued Bring Your Own Device phenomenon exacerbated by the move to hybrid working, where desktop computers in use when employees are in the workplace are supplemented or replaced by portable devices used by employees that are far more mobile in terms of how and where they perform their role.”

More than two-thirds (68%) of respondents admitted to using the same password for both workplace and personal applications. Another 59% save workplace logins and passwords in the web browser used to perform their job.

“Unless firms are providing another way of doing this (e.g., password management, SSO), it’s too easy for an employee to click to save that information,” Sampson reasoned for 59% saving the login credentials in the browser.

Additionally, despite 92% of respondents having MFA or other safe browsing policies implemented in their respective administrations, 68% said they needed to violate such policies to get their job done.

“Many insecure workarounds that users adopt stem from a greater need for efficiency and convenience,” Lohokare added. “Workers may take shortcuts that allow them to be more productive because they feel that they cannot accomplish their tasks without doing so.”

Cyberark’s new secure browser

Cyberark has made a new identity-centric secure browser publicly available through its CyberArk Identity Security Platform, to tackle browser-related security risks.

The enterprise-grade browser is designed to safeguard an organization’s valuable resources by enabling a passwordless experience, and easy access to privileged information and assets, and help prevent breaches resulting from cookie theft and session takeover attacks.

“The CyberArk Secure Browser was purposely built for the enterprise and its unique security needs,” Lohokare said. “It provides enhanced security, privacy, and productivity for organizations while delivering the familiar Chromium browsing experience that users know and expect.”

The benefits promised by CyberArk’s new browser include access segmentation privilege and integration into an organization’s IAM and security architecture, securing corporate access from personal or unmanaged devices, separating personal and work applications and domains, and compliance with regulatory and audit requirements. 

“With data breaches, credential theft, and other cyberattacks continuing to succeed, organizations need to do as much as they can to safeguard what they have,” Sampson said. “Tackling browser-based risks head-on is an important component of a cybersecurity re-evaluation.”

In a revelation stemming from a recently unsealed court document, Meta, formerly Facebook, is being sued by a group of advertisers for its alleged secret project, “Project Ghostbusters,” a moniker seemingly inspired by Snapchat’s ghost logo. This project raises concerns about digital espionage and competition tactics.

The crux of the matter, as outlined in the court filing, revolves around Meta’s In-App Action Panel (IAAP) program, which was active between June 2016 and May 2019. “The IAAP program, launched at the request of Mark Zuckerberg (CEO of Meta), used a cyberattack method called ‘SSL man-in-the-middle’ to intercept and decrypt Snapchat’s — and later YouTube’s and Amazon’s — SSL-protected analytics traffic to inform Facebook’s competitive decision-making.”

This project reportedly began in 2016 when Facebook, under Zuckerberg’s leadership, started intercepting and deciphering data traffic from Snapchat users. The aim was purported to gather insights into user behavior, potentially granting Facebook a competitive edge by accessing sensitive data. The method allegedly involved wiretapping communications between Snapchat users and the app’s servers, raising concerns about the potential impact on Snapchat’s advertising business.

The roots of this accusation trace back to June 9, 2016, when Zuckerberg reportedly communicated with top executives about the lack of “Snapchat analytics” data, prompting urgent action to rectify the situation. Documents presented in court filings reveal discussions among executives and legal counsel regarding potential methods to obtain this data, including the controversial SSL decryption tactic facilitated by Onavo, a company specializing in mobile utility apps acquired by Facebook in 2013.

Meta wrote targeted code based on Onavo tech

In a separate court filing by Facebook advertisers, it’s alleged that by July 2013, Facebook had access to detailed intelligence on 30 million Onavo users. By 2017, Onavo’s mobile apps had been downloaded an estimated 24 million times, with Facebook reportedly collecting and leveraging all the data obtained. Furthermore, by February 2018, Onavo apps had been downloaded 33 million times across both iOS and Android platforms.

In its defense, responding to inquiries from the Committee on the Judiciary and Subcommittee on Antitrust, Commercial and Administrative Law regarding Onavo, Facebook stated in 2019 that the purpose of Onavo was to enhance products and cater better to consumer needs, with data collection based on user consent. The company maintained that Onavo did not collect proprietary competitor data but instead gathered information from users who consented to share their device usage data. Facebook emphasized that such data collection practices are standard in the industry and crucial for product improvement.

However, the latest court documents indicate that Meta’s IAAP program expanded to target encrypted analytics traffic from competitors beyond Snapchat, including YouTube and Amazon. Allegations suggest that Facebook employees developed customized client and server-side code based on Onavo’s VPN proxy app and server stack.

The code included a client-side “kit” that installed a “root” certificate on users’ mobile devices, enabling Facebook to intercept SSL traffic. Additionally, custom server-side code, utilizing an open-source web proxy known as “squid,” was employed to create fake digital certificates. These certificates were used to impersonate trusted analytics servers of Snapchat, YouTube, and Amazon, redirecting and decrypting secure traffic for Facebook’s analysis. As outlined in the court filings, this process underscores Facebook’s strategic and technologically advanced approach to data interception and analysis.

Moreover, the Advertisers Plaintiffs assert that Meta’s legal team was intricately involved in designing, implementing, and expanding the IAAP program throughout its duration. They argue that this level of legal oversight implies complicity in the alleged criminal conduct.

Central to the Advertisers’ argument is the violation of the Wiretap Act, which criminalizes the intentional interception and use of electronic communications without consent. They contend that Meta’s actions breached this statute and interfered with competitors’ contractual relations with their users.

Nothing new here: Meta

“There is nothing new here – this issue was reported on years ago. The plaintiffs’ claims are baseless and completely irrelevant to the case,” a Meta spokesperson said. Meta has also responded to the plaintiffs’ filing in its own court filing.

“Snapchat’s own 30(b)(6) witness on advertising confirmed that Snap cannot “identify a single ad sale that [it] lost from Meta’s use of user research products,” does not know whether other competitors collected similar information, and does not know whether any of Meta’s research provided Meta with a competitive advantage,” Meta said in the filing.

When someone asks a CISO, “Are you okay,” it’s more than just a polite inquiry. It’s an acknowledgment of the visible strain that our intense, high-stakes environment can have on us. This question, especially coming from colleagues in non-technical roles, often reflects their observation of the weariness and preoccupation that our challenging role can imprint on us.

Every day in the life of a CISO involves a relentless stream of challenges: staying ahead of evolving cyber threats, aligning security strategies with business and IT goals, and managing crises that demand immediate and effective action. This constant state of vigilance and the pressure to protect not just data, but the integrity of entire organizations, often stretches our capacities. It’s a demanding role, requiring not just technical expertise but also immense mental resilience and emotional strength.

The burden of this responsibility is significant, and it can sometimes manifest in our demeanor. We may appear weary or absorbed, prompting the concern “Are you okay?” from those around us. Beneath what might seem like a fatigued exterior is a mind in constant motion, a professional continuously balancing the multifaceted aspects of cybersecurity management.

Despite these challenges, there lies a profound sense of purpose and satisfaction in our role. The knowledge that our efforts are crucial in safeguarding the company and its stakeholders offers a unique fulfillment. There’s also the thrill of problem-solving, where each new cybersecurity challenge is a puzzle waiting to be unraveled with innovative solutions. Moreover, the sense of camaraderie among fellow CISOs is a great source of strength — a community of professionals who share the weight and understand the significance of the role we play.

The path of a CISO is not without its vulnerable moments. Some days, the question “Are you okay?” hits closer to home, especially during times of crisis – be it an attack from an external bad actor or an internal challenge where we find ourselves accountable for decisions or outcomes beyond our direct control.

For instance, there are times when, despite our best efforts and stringent security protocols, our organizations fall prey to sophisticated cyberattacks. These moments can be particularly challenging, testing our resilience and problem-solving skills under immense pressure. In such situations, the responsibility weighs heavily upon us, and the question of our well-being takes on a more profound significance.

Similarly, business or resource decisions, often made outside the realm of the cybersecurity team, sometimes lead to vulnerabilities or compromises. Accepting accountability in such scenarios is a part of our job, but it doesn’t make it any less challenging. It requires a delicate balance of maintaining a strong security posture while navigating the complexities of organizational dynamics.

In sharing these vulnerabilities, we open a window into the less-discussed aspects of our role. It’s in these moments of adversity that the strength and resilience of a CISO are truly tested. The path we tread is not just about technical expertise or strategic planning; it’s also about managing the emotional and mental toll that comes with the territory.

Steps to consider when the CISO is not okay 

You may be asked if you’re okay, and your only truthful option on that day is to say “no.” When the burden of the role starts to feel like too much to bear, there are a few paths you can take: 

• Ask for help: See if members of your team can take the more mundane tasks off of your plate while you focus on the most urgent items at hand. 
• Take mental health days or book paid time off: Even if you have nothing planned, days to disconnect and reset can be invaluable in avoiding burnout. If you can’t take time immediately due to a security crisis, be ready to request it as soon as you possibly can.
• Talk to someone: Whether it’s your family, your friends, peers in the CISO community, or a therapist. There is no shame in asking for advice or support, getting help compartmentalizing, or just venting to quiet your mind. 
• Evaluate your department budget: This one is tricky with monetary constraints but see if there is room to hire support or invest in automated security tools that can take work off you and your team, allowing you to prioritize more complex tasks. 

Ultimately, it’s important to remember “this too shall pass,” and find ways to alleviate stress where you can.

We might not always say it, but for the most part, yes, we’re okay. We’re more than okay; we’re committed, we’re resilient, and we’re proud of the pivotal role we play in shaping a secure digital future.

A platform called Top.gg that’s used to publish bots for the popular Discord chat app recently had one of its GitHub repositories poisoned with malicious code as part of a larger software supply chain attack. The incident highlights the snowball effect that even one malicious package dependency could have in the larger open-source ecosystem.

“This campaign is a prime example of the sophisticated tactics employed by malicious actors to distribute malware through trusted platforms like PyPI and GitHub,” researchers from application and supply chain security firm Checkmarx said in an analysis of the attack. “This incident highlights the importance of vigilance when installing packages and repositories even from trusted sources. It is crucial to thoroughly vet dependencies, monitor for suspicious network activity, and maintain robust security practices to mitigate the risk of falling victim to such attacks.”

The attackers used a combination of malware delivery techniques, from publishing rogue packages to PyPI, the main public registry for Python packages, to setting up rogue repositories on GitHub and using code obfuscation and typosquatting to avoid detection. The end goal was to deploy a trojan program designed to steal login information and authentication tokens from browsers and other applications installed on the compromised systems.

The compromised credentials gave attackers access to GitHub accounts belonging to developers, which then allowed them to inject a malicious dependency into legitimate repositories. One example was a repository belonging to Top.gg, a Discord bot publishing platform whose community includes over 170,000 users.

Using padding to hide malicious code

The attackers chose to trojanize a legitimate Python package called Colorama that has over 150 million monthly downloads because they hoped its popularity will not raise suspicions when it’s downloaded as a dependency for other packages. They then inserted a malicious function in the package’s init.py file which is used by the pip package manager when the package is installed. However, to make the malicious code harder to notice by anyone opening the file in a code editor, they added empty spaces before the function to push it out of the screen’s view.

To take their deception further, they registered a domain name called pypihosted.org and stored the file rogue variant on the files.pypihosted.org subdomain. Legitimate packages uploaded and listed on PyPI will be hosted and downloaded from a subdomain called files.pythonhosted.org. By creating a similar sounding domain like pypihosted.org, the attackers hoped that when they add their malicious package as a dependency to other packages it will be harder to notice.

Multiple malware distribution methods

One method to distribute their trojanized Coloroma package was to publish other packages on PyPI that would specify it as a dependency and would download it during the installation process. Packages that the Checkmarx researchers identified included yocolor, coloriv, colors-it, pylo-color, and others with random looking names. While yocolor was published in March, some of these packages go back as far back as November 2022, suggesting this campaign has been going on in different variations for a long time and the hackers behind it have gained a lot of experience.

A second distribution method was to also set up GitHub repositories under different identities and insert the rogue Colorama package as a dependency to them. One example was documented earlier this month by backend developer and cybersecurity researcher Mohammed Dief, who had his own system compromised after installing code from a repository called Valorant-Checker.

Dief tracked down the rogue Colorama version in the project’s requirements.txt as well as the domain name it was downloaded from. He then searched all GitHub projects for mentions of files.pypihosted.org and identified others that were either set up by the attackers or were poisoned. Amongst them was one called top-gg/python-sdk which is the official repository for a Python library for developers to interact with the Top.gg API.

Credential theft leads to repository poisoning

According to an analysis by Checkmarx, the python-sdk Top.gg repository had the malicious code committed from a GitHub account called editor-syntax. This is a legitimate account that belongs to the Top.gg maintainer and he was unaware that his account was compromised and was used to contribute malicious code. Other developers alerted Dief to the malware via the Top.gg community Discord server and the commits took him by surprise.

“The GitHub account of ‘editor-syntax’ was likely hijacked through stolen cookies,” the Checkmarx researchers said. “The attacker gained access to the account’s session cookies, allowing them to bypass authentication and perform malicious activities using the GitHub UI. This method of account takeover is particularly concerning, as it does not require the attacker to know the account’s password.”

While the full attack chain that resulted in editor-syntax’s account being compromised is not known, it’s probably no coincidence that the end goal of the malicious Coloroma package is to install an information stealing trojan on systems. The installation happens in multiple stages that involve Python scripts being downloaded from different attacker-controlled servers and then executed on the system. The code is obfuscated using multiple techniques including using Chinese and Japanese character strings, zlib compression and misleading variable names.

The trojan deployed on the system has a wide range of data theft capabilities. It searches for specific directories inside the Opera, Chrome, Brave, Vivaldi, Yandex and Edge browsers and extracts authentication cookies, autofill information, browsing history, bookmarks, credit card information and login credentials.

The trojan also attempts to steal files associated with cryptocurrency wallets, Discord tokens that can provide access to Discord accounts, Telegram session tokens, computer files with specific keywords in their names, Instagram account details. The malware also has a keylogger component that captures the victim’s keystrokes and uploads them to the command-and-control server.

It’s safe to assume that if any of the stolen credentials or access tokens provide attackers with access to GitHub accounts with commit privileges to different repositories, they will try to abuse those privileges to further distribute their trojan. Unfortunately, these compromises might not be easy to spot.

The Checkmarx researchers point out that when they added their rogue Coloroma package to a project’s requirements.txt file, the commits also included legitimate code contributions and changes. In fact, their rogue repositories hosted copies of legitimate and functional projects.

In fact, after the pypihosted.org domain was reported and taken down, one user opened a bug ticket on one of the rogue repositories to report that he was getting an error related to pypihosted.org being down when trying to install it. This shows how convincing these attacks can be and the snowball effect they can have on the ecosystem, especially if developers from legitimate projects have their accounts hijacked as a result.

If you hear the term “microbranch,” you probably picture a small banking location with a handful of ATMs. For many years, this term was specific to the financial industry, but as remote work and internet-connected devices have grown more common, the definition has evolved to include any small remote office associated with a larger corporation. This could be a home office, a shared workspace for a handful of employees, or a remote industrial location.

Modern enterprises must protect and manage hundreds of sites, including data centers and high-traffic branches, and address pressing needs like new Software-as-a-Service (SaaS) applications and Internet-of-Things (IoT) devices. Because of this, it could be tempting to ignore microbranches and focus on seemingly more significant priorities.  

But malicious actors are getting better at sniffing out security gaps and leveraging them to infiltrate the network at large. This means one of the most important things a company can do to protect against sophisticated cyberattacks is to ensure its security posture is unified across all locations and environments. Without addressing microbranches within their cybersecurity approach, enterprises can unwittingly create opportunities for attackers to exploit. As the saying goes, “a chain is no stronger than its weakest link.”

The role of the microbranch

Microbranches within enterprise networking aren’t as well understood or commonly discussed as the campus or branch, but with the rise of hybrid work following the pandemic, small offices have become more prevalent. Think of all the people you know who use flexible workspaces or work from home.

Depending on the industry, a microbranch may include IoT and operational technology (OT) devices such as smart lightbulbs, security cameras, and programmable logic controllers (PLCs), which collect critical systems data. Think of a retail kiosk in a shopping center with a single point-of-sale terminal or a remote wind turbine on the top of a mountain. 

When it comes to modern networks, the volume of microbranches and their importance will only continue to grow.

Using SASE to protect the microbranch

Of course, it’s easy for me to write about the importance of microbranch security but it’s much more challenging to build a strategy to protect these environments. Networks vary widely, as do microbranches, so there’s no one-size-fits-all approach. 

Unified secure access service edge (SASE) has emerged as one of the best and most thorough ways to protect your microbranches. The solution delivers converged networking functionality with cloud-delivered security to all users and edges within the network. 

Here are a few things to keep in mind when assessing SASE solutions for microbranch security:

• The strength of a platform approach: Microbranches often don’t require expensive, dedicated solutions with elephant flows and top-of-the-line throughput. Instead of deploying new products that will add complexity, expanding solutions already deployed within the network is ideal. For example, if you already use Fortinet FortiAP wireless access points (APs) to connect the microbranch, you can leverage Fortinet Unified SASE to intelligently offload traffic from microbranches to a SASE location. This allows for comprehensive security inspection at scale for all devices within the microbranch and brings enterprise-grade, AI-powered, cloud-delivered security to these locations via APs. 

• Simple deployment and management: Because microbranches have few IT resources and often no on-site technical support, leveraging a security solution with intuitive provisioning and simple management is critical. This will ensure the security at the microbranch can be managed and maintained remotely so the site remains online and protected. With a SASE solution, organizations can access this functionality through a central SASE console. 

• OT and IoT devices: Microbranch security needs to cover all users and devices at the location, including agentless OT and IoT devices. SASE solutions can forward traffic from these devices to SASE locations for a full security inspection, ensuring they aren’t hiding anything malicious.

• Granular identity verification with ZTNA: Despite a microbranch’s small size, there will likely be an employee or device at the location that needs to access the overall network or cloud-based applications. SASE includes zero-trust network access (ZTNA) which provides granular, session-based access to specific assets within the network. This limits access to the specific applications and data a user or device needs to complete its job rather than allowing unlimited access to the network, minimizing the potential impact should a bad actor steal login credentials. 

Fortinet Unified SASE can protect your microbranch

Microbranches are here to stay, and their security is paramount to your organization’s overall security posture. Fortinet Unified SASE is an ideal method to ensure the microbranches within your network are visible, protected, and well-managed. This solution combines all the components needed to converge networking and security for zero implicit trust everywhere.

Learn more about Fortinet Unified SASE and how it can increase the security of your microbranches.

Telesign, a customer identity and engagement solutions provider, has integrated multiple user verification channels into a unified, silent verification offering, Verify API, to help organizations defend themselves against cyberfrauds.

The “omnichannel API” will help integrate seven commonly preferred authentication channels, including SMS, Silent Verification, Push, Email, WhatsApp, Viber, and RCS (Rich Communication Services).

“In today’s digital economy, fraud is prevalent in every corner, and safeguarding end-users from potential online threats is more important than ever,” said Chris Steffen, vice president of research at Enterprise Management Associates. “Integrated solutions that deliver more protection and an enhanced user experience not only protect businesses but also foster trust among its end-users.”

Telesign uses machine learning and data science for authenticating and defending digital identities, and verifies over five billion phone numbers a month, according to the company.

Single unified API

According to the company, the new offering will allow developers to connect only to a unified API to run authentications across different channels. Once implemented, Verify API allows for the end-user to be verified on their preferred channel, without the customer having to extend development resources for multiple channels.

Additionally, the offering features “Automatic fallbacks” to the customer’s preferred channel in case of authentication failures to ensure that the end-users receive the one-time password (OTP), no matter their original verification method or geographic location.

“With Verify API, businesses can customize the verification and authentication experience by market needs, customer preferences, or business priorities with peace of mind—and with automatic multichannel fallback,” the company said in a press release.

Verify API also allows custom routing to help customers build routing rules for tailored delivery across all channels and markets.

Arms against fraud, social engineering, and phishing

Verify API is designed to help organizations to defend against cyberfrauds looking to take advantage of weak authentication regimes and compromised devices and SIMs.

Promising built-in defense against SMS vulnerabilities, such as social engineering, phishing, and SIM-based attacks, the Verify API claims to offer a more secure end-user verification experience. The verification is done without OTPs and silently behind the scenes, according to Telesign’s website.

“Verify API equips businesses with a diverse range of authentication channels that provide a more predictable cost structure,” the company said. “This cost-effective approach not only helps in mitigating risks associated with over-reliance on any single communication channel but also ensures that businesses can maintain affordability without compromising on security.” VerifyAPI is generally available to customers and the company already has a few early signups, including AstroPay, OfferUp, Amount, and Mamba.

Nearly every organization in the world depends on software as a service (SaaS). Medium- to large-sized companies can have more than 130 SaaS applications and for those employing more than 10,000 people, that number might exceed 400. When data is stored in so many places and handled by many parties, it’s not uncommon for security issues to arise, especially if the contracts with the providers have not been negotiated properly.

It recently happened to Bloomtech co-founder Austen Allred, who found himself unable to export his company’s data from Slack without agreeing to a new, costly contract. While the situation was ultimately resolved, it highlighted the potential complications associated with data stored on SaaS platforms, serving as a cautionary tale for other businesses.

“SaaS was supposed to be: I give you money with my right hand, and I take a software as a service with my left hand,” says Shiva Nathan, CEO of app development startup Onymos. “But I have to give money and data for the software as a service to work.”

This opens the door to challenges related to data management. In Bloomtech’s case, it was an issue of access to data, but other problems can be related to privacy, compliance, and data sovereignty. This is why companies that use SaaS solutions need to take proper security measures, pay attention to contract language, and involve security teams in the procurement process whenever possible. “You don’t want to be held hostage by a SaaS provider that you’ve given your data to,” Nathan tells CSO. “If you’re sitting in the C-suite, data is the number one priority in 2024, and probably the next few years till we get our act together. Data is so important that people have to start worrying about it.”

Think of data availability and exit strategy from the start

Before using a SaaS solution, organizations need to know exactly what they want and carefully evaluate the terms and services provided by the vendor. These documents can be riddled with problems — they are long and have convoluted language, which makes the act of reading them daunting and impractical. “Click-through agreements are the bane of the software industry,” Nathan says. “You don’t find click-through agreements when you buy a car or anything else.”

Behind that legalese there are often critical details that can significantly impact how an organization uses the service. Andrei Dumitru, co-chair at the Institute of Operational Privacy Design, says that before striking a deal with a SaaS provider, organizations need to establish an exit strategy. “It is important to ensure data can be taken out at a known and manageable cost and in a portable format that can be used with an alternative service,” he says.

Key questions to consider here include whether there’s a grace period for data retrieval and if there’s a definite process for deleting data to prevent it from remaining on the provider’s servers. End-of-contract obligations should outline the data export format, which can help a company have a smoother transition to an alternative service. “Companies should have a clear understanding of the costs and time frame of taking the data out,” Dumitru says. “In general, it’s free to put data in, but very expensive to take data out of a SaaS.”

Another key aspect companies need to know is whether they can have full control of their data and what happens to it. “How was your data defined in the Terms of Service? Who owns it? Who controls it? How is it going to be used?” are some of the questions that should be asked, Nathan says.

Zegal co-founder Daniel Walker agrees. “Go through the terms with a fine-tooth comb. It’s wise to set up your own data backups so you’re not entirely reliant on the SaaS provider.”

Alternatively, organizations could opt for locally deployed solutions that offer the same functionalities. Security and IT teams could work together to identify providers that offer no-data architecture and full ownership over licensed source code.

Bad contract language to pay attention to

Typically, contracts serve the vendor’s interests, so companies that want to use SaaS solutions must be mindful of the red flags that can be hidden in legalese. Walker remembers a case his company worked on a few years ago that involved a rapidly expanding organization that decided to integrate a SaaS solution for customer relationship management. This company failed to fully understand the contract it signed. “The contract was vague on several critical points, particularly regarding the terms of service and data handling policies,” Walker says.

A few months after the agreement came into effect, the SaaS provider announced changes to the terms, altering the data usage rights and introducing additional fees for features the client had come to rely on. “The new terms not only imposed unexpected costs but also raised concerns about the security and privacy of customer data,” Walker says. “The vague original contract gave the company little leverage to contest these changes or seek alternatives without incurring substantial losses.”

Recently, some SaaS providers have taken advantage of the complex contract language to get more money from customers. “It’s a recent and a very ‘vile’ trend in our industry to keep security features behind an additional paywall,” says Eyal Manor, VP of product management at Check Point Software Technologies. “Putting basic security features behind a more expensive contract feels like asking people to pay extra to add seat belts to their cars.”

Manor sees several concerning situations, in addition to data access in exchange for money. “For example, some software companies won’t audit logins or allow you to use SSO without a more expensive product,” he says.

To prevent some of these issues, the companies using SaaS solutions should make sure that the contracts are clear. Any vague language in this area “could lead to headaches down the line,” Walker says. “If it’s not crystal clear that your organization retains ownership of its data, that’s a big red flag.”

All this legalese can sound confusing, but generative AI can help, says Manor. “Fun fact: you can ask these tools to check things in the terms of service,” he explains. “For example, asking something like ‘Can the company resell my data if I use this app?’ leads to a pretty easily readable answer.”

If there are sections in the contract that require amendments, organizations should take the time to discuss those with the SaaS provider. “Always negotiate terms, seek legal advice to protect your interests and minimize risks,” says Nigel Gibbons, director and senior advisor at NCC Group.

A contract is more than mere formality; it is essential. “It’s not just paperwork,” Walker says. “It’s your safety net — it ensures that the SaaS provider has skin in the game when it comes to keeping your data safe.”

Pay attention to privacy and security compliance

Compliance is, without a doubt, another stringent issue companies that use SaaS solutions need to pay attention to. Some of the rules they need to follow are included in the European Union’s GDPR and California’s CCPA, but new ones keep emerging in different geographical locations. Organizations need to make sure that the SaaS solutions they use keep up with everything that’s happening on this front.

“Currency with compliance is one of the fastest growing challenges, as compliance standards and regulations are becoming so dynamic,” NCC’s Gibbons says. To address this, organizations need to make sure they use the right tools and have the right people in place to monitor changes in legislation and adapt their compliance strategies accordingly.

Companies that operate across borders must navigate complex regulatory landscapes, ensuring compliance with varying laws and standards in each jurisdiction, which often requires specialized knowledge and strategies. “For example, if you’re storing data in a country that allows government access to data for national security reasons, but you’re from a country with stricter privacy protections, you could find yourself in a pickle,” Zegal’s Walker says.

While large SaaS providers have started to offer more local data storage options, the problem is not solved entirely. “In Europe, at least, there is still work to be done to create an ecosystem of SaaS alternatives that could compete with the established platforms overseas and fulfill sovereignty requirements,” Dumitru says.

When considering adopting a SaaS application, companies should aim for “a cautious approach,” as Gibbons put it, which involves vetting providers for compliance and security, making regular application assessments, and paying attention to every detail.

Involve the security team in procurement

Most experts say that security teams need to play a central role in the procurement process of SaaS solutions whenever possible. This would allow companies to ensure that vendors meet high standards for security, data protection and compliance. “This involves checking for organizational compliance such as recognized security certifications like ISO 27001 or SOC 2, encryption practices, and adherence to regulations such as GDPR or HIPAA,” Gibbons says. 

Security teams can assess vendors’ policies on data handling, incident response, data regionalization, and privacy. They can evaluate a service-level agreement for things like availability and security metrics. They can also scrutinize the vendor’s security culture and practices, including third-party audits, and confirm features like multifactor authentication and data recovery. Ideally, companies should do real-time security assessments of these products, and be as thorough as possible. “For high-risk SaaS solutions vendors may be subjected to a red teaming exercise for robustness,” Gibbons says.

Dumitru concurs. “While few SaaS will agree to be pen tested, it is still a question worth asking,” he says. “It is a good sign if a SaaS is able to answer all the data protection and information security questions and gives details on how it protects the data, ensures availability, and disaster recovery.”

Sadly, though, according to Manor, including security teams in the procurement process is not very practical in many cases. “A lot of the SaaS used today follows the Product Lead Growth methodology, which allows a user to use the product for free before buying, or for very cheap,” Manor adds. “As such, many SaaS services are being used in the organization before it gets to the procurement phase, and then it might be too late to back down.”

One way to address this is to have security teams keep an eye on SaaS products at all times, not just during the procurement process. “Oversight of the SaaS used is more important than gatekeeping what is going to be used,” Manor says. “The right thing to do, usually, is to use a product that helps you track risk of different SaaS services in use in your organization.”

Another avenue would be to look for more ethical SaaS providers. “The better solution to the problem is to reinvent SaaS one service at a time,” Nathan says. “Have [vendors say] we will provide you the software as a service on the data that you own and control wherever you keep the data, and we will not see the data. That’s the new thing that’s coming up, and in five years, I think that software as a service will be reinvented.” 

With the explosive rise of digital information, the continued success of modern enterprises has become inextricably bound to the effective use and management of data. However new efficiency-driving technologies, global interconnectivity, and remote work have also introduced several significant and high-profile information risks.

The specter of risk is leaving organizations with no choice but to improve the overall management of various cyber risks. What follows is a step-by-step process (based on the Information Security Forum’s IRAM2 methodology) that cybersecurity and risk practitioners can leverage to assess and manage information risk.

Step 1: Scoping exercises

The objective of a scoping exercise is to provide a business-centric view of an identified risk. This involves achieving alignment and agreement between stakeholders on the business scope (intellectual property, brand or reputation, organizational performance) and the technological scope of the assessment (information architecture, user profiling, assessment of a technology or a service).

This exercise can help determine which party will be responsible for assessing the various risk domains and the mandate behind a particular risk assessment. For example, choosing who will handle the introduction of a new business service or technology or address management concerns about a particular area of the business.

Step 2: Business impact assessment (BIA)

A BIA is used to determine the potential business impact should any information asset or system have its confidentiality, availability, or integrity compromised. The first step in a BIA is to identify all relevant information assets, such as customer and financial data, and information used for the operation of services and systems, across all environments and across the entire information lifecycle (input, processing, transmission, storage).

Once assets are identified, a value (rank or priority) can be assigned to them. Then the extent of any potential security incident can be determined by comparing realistic scenarios comprising the most reasonable impact with worst-case scenarios for each asset.

Step 3: Threat profiling

This phase helps to identify and prioritize threats and understand how they can manifest. Threat profiling starts with the identification of potentially relevant threats through discussion with key stakeholders and analyzing available sources of threat intelligence (e.g., an internal threat intelligence team or external commercial feeds).

Once the threat landscape is built, each threat it contains should be profiled. Threats can be profiled based on two key risk factors: likelihood of initiation — the likelihood that a particular threat will initiate one or more threat events — and threat strength, or how effectively a particular threat can initiate or execute threat events.

Threats can also be further profiled by separating them into an overarching group: adversarial, accidental, or environmental.

Step 4: Vulnerability Assessment

Once threat profiling is completed, the next phase is to identify the degree to which information assets are vulnerable against each identified threat. A vulnerability assessment is used to examine the extent of the relevance of each key control as well as the performance and quality of its implementation.

Each vulnerability must be assessed and expressed in terms of its relative strength of controls. The strength of controls can be calculated based on the stakeholder rating for that control, along with supporting information such as control characteristics, performance, deficiencies, and documentation.

At the end of the assessment, the practitioner will have gained a solid understanding of which information assets are vulnerable against which threat event.

Step 5: Risk evaluation

By evaluating risks, organizations can map how likely threats are to succeed, what the worst-case business impact would be, and how these can fit into their overall risk management plan.

The first step is to choose the most relevant impact scenario for each risk. This means deciding between a realistic outcome, considering the threat’s strength, or a worst-case scenario.

Secondly, it’s crucial to identify existing or planned controls that might lessen the threat’s impact. Like other control assessments, judging how much these controls reduce the inherent impact is subjective. Here, the experience of the risk practitioner and key stakeholders plays a vital role.

Step 6: Risk treatment

This step explores various approaches to managing information risk:

Mitigation: To build stronger defenses, improve existing controls and implement new ones to lessen the impact of a potential attack.

Avoidance: Avoid or eliminate any activities that could trigger or lead to potential risk.

Transfer: Allow another party to shoulder some level of risk, for example, obtaining cyber insurance.

Acceptance: Acknowledge the possibility of the risk happening and its potential fallout, but take no further action based on the organization’s risk tolerance.

Risk treatment should be guided by an organization’s risk appetite. Evaluate each risk individually to determine whether it exceeds the organization’s risk tolerance. When all risk treatment options are clear, create a risk treatment plan. Follow through with executing the plan and monitoring the results to ensure that risk management efforts are successful.

Using the six steps of risk assessment

At the end of the sixth step, the risk assessment process is effectively complete. The practitioner has gained a better understanding of the assessed environment. This includes a clear picture of the relevant threats, the associated vulnerabilities, and the prioritized risks. A risk treatment plan has been developed and implemented to reduce risks to an acceptable level.

It’s important to remember that the world of information security is dynamic; threat events, vulnerabilities and their impacts on the business are fluid and evolving. Practitioners and stakeholders should consistently evaluate risks especially when the organization or the environment undergoes major changes or mitigation efforts.

Researchers warn that a cyberespionage group linked to Russia’s foreign intelligence service, the SVR, has recently launched a spear-phishing campaign targeting one of Germany’s major political parties. This is a departure from the group’s typical targeting of government agencies and foreign diplomatic missions and could expand to other countries beyond Germany.

According to an analysis by incident response firm Mandiant, the phishing attacks impersonated Germany’s Christian Democratic Union (CDU) party and invited recipients to a dinner reception. A malicious link in the email directed users to a malware dropper that eventually deployed a new variant of a backdoor program recently added to APT29’s arsenal.

“As highlighted in our previous research detailing APT29’s operations in the first-half of 2023, these malware delivery operations are highly adaptive, and continue to evolve in lockstep with Russia’s geopolitical realities,” researchers from incident response firm Mandiant said in a new report. “We therefore suspect that APT29’s interest in these organizations is unlikely to be limited to Germany. Western political parties and their associated bodies from across the political spectrum are likely also possible targets for future SVR-linked cyber-espionage activity given Moscow’s vital interest in understanding changing Western political dynamics related to Ukraine and other flashpoint foreign policy issues.”

From ROOTSAW malware dropper to WINELOADER backdoor

The malicious links prompt users to download a .zip archive that contains a malware dropper, which Mandiant calls ROOTSAW, that has been part of APT29’s toolkit since at least 2021. This dropper, also known in the industry as EnvyScout, contains obfuscated JavaScript code that reaches out to an attacker-controlled domain and downloads a file called invite.txt that is actually an encrypted archive.

This file is first decrypted using the Windows certutil utility and is then decompressed with tar. The archive contains a new backdoor variant that Mandiant named WINELOADER, which is sideloaded with the legitimate Microsoft SqlDumper.exe that’s part of SQL Server.

WINELOADER was analyzed for the first time in February by researchers from security company Zscaler who found it after analyzing a PDF uploaded to VirusTotal from Latvia. The PDF masqueraded as a letter from the Ambassador of India inviting diplomats to a wine-tasting event in February 2024, a lure that’s similar to the new one impersonating the German CDU party. In fact, the whole infection chain is very similar to what Mandiant observed and the new attack also drops a decoy PDF with the rogue CDU invitation.

Similarities with older APT29 backdoors

While Zscaler did not link the January attack to any APT group, the researchers believed at the time it was the work of a nation-state threat actor looking to exploit diplomatic relations, which is typical of APT29 targeting. Going further, Mandiant has not established clear similarities in design and code to two older backdoors tracked as BURNTBATTER and MUSKYBEAT that are only associated with APT29.

“However, the code family itself is considerably more customized than the previous variants, as it no longer uses publicly available loaders like DONUT or DAVESHELL and implements a unique C2 mechanism,” the researchers said in their analysis. “Additionally, WINELOADER contains the following shared techniques with other code families used by APT29: The RC4 algorithm used to decrypt the next stage payload; process/DLL name check to validate the payload context (in use since early BEATDROP variants) and Ntdll usermode hook bypass (in use since early BEATDROP variants).”

WINELOADER is executed using DLL sideloading techniques into a legitimate Windows executable, which is meant to make detection harder. It then proceeds to decrypt a portion of code using the RC4 cipher. The backdoor is modular, and this code represents the main module which also includes configuration data and the part that communicates with the command-and-control (C2) server.

The malware connects to the server using HTTP with a custom user agent and registration packets inside the requests. The attackers can issue instructions to load additional modules or to establish persistence on the system if they consider the system important enough.

The Mandiant report includes MITRE ATTACK Framework TTPs as well as custom detection rules based on indicators of compromise.

As cloud adoption rates continue to rise, security leaders are beginning to rethink the way they approach cybersecurity. What once worked for on-premises networks is no longer sufficient for complex, interconnected hybrid and multicloud environments.

In addition to deploying security best practices throughout the full application lifecycle, CISOs also need to be able to obtain insights that can help them to make smart decisions when addressing risks across their hybrid and multicloud environments. At the same time, they also need to bridge the gap between security admins and developers and overcome existing tool silos to gain deeper insights.

For CISOs that are looking to adapt their security approach to fit the demands of a cloud-centric threat landscape, cloud-native application protection platforms (CNAPPs) are a quick and effective way to drive impact. Read on to learn how.

Go beyond CSPM to achieve a proactive state of security

Until recently, cloud security posture management (CSPM) was the go-to solution in cloud security. And while CSPM is still critical, it doesn’t deliver the dynamic, proactive state of security that can be achieved with a CNAPP. This is because CSPM is limited to static security insights based solely on the security posture of your cloud workloads.

By contrast, CNAPP can integrate your most critical cloud security platforms (including CSPM itself) under a single umbrella. This allows it to cross-reference information across workloads, virtual machines, code scanning, infrastructure, and more to deliver deeper security insights.

For instance, consider the example of two storage accounts that are exposed to the internet. One has confidential company information stored on it, the other contains harmless text files. If you only examine the storage accounts from one dimension, then you’d assume it was equally important to protect both accounts. However, what if you had 200 storage accounts rather than just two? How would you prioritize them then?

For security teams that are already struggling with an ongoing workforce shortage, having an automated way to prioritize security recommendations based on their potential impact on the business could be the difference between remediating a vulnerability before it becomes an incident or overlooking the warning signs for the next big company breach. And because CNAPPs offer end-to-end visibility across your entire cloud estate, they can also proactively identify and disrupt potential attack paths before adversaries ever have a chance to exploit them. This level of insight simply is not possible when you’re operating under a network of siloed security tools.

Why implement a CNAPP in your environment?

In addition to enabling proactive security through prioritized insights and disrupting potential attack paths, CNAPPs serve a number of other functions. For example, CNAPPs act as a guardrail to enforce security best practices during the application development stage and encourage better collaboration between developers and security teams.

Some CNAPPs can even leverage a combination of agentless and agent-based protections to deliver robust, flexible, and immediate protection. As soon as a resource is onboarded, agentless security begins scanning the resource and providing insights. Then, a software agent can be installed at a later date depending on the resource’s potential risk factor to deliver real-time threat protection and more comprehensive monitoring. This ensures that there’s no open window of time when adversaries could compromise a new resource before it’s been fully onboarded. At Microsoft, we also leverage the power of our 65 trillion daily threat signals to equip our CNAPP with the latest attack vectors and threat intelligence.

For CISOs specifically, though, CNAPPs provide a bird’s eye view of their security state across multiple workloads. Not only can CISOs leverage this visibility to monitor their security posture from code all the way to runtime, but they can also identify overarching trends on the types of attacks their company is experiencing, how frequently incidents are occurring, their team’s response time for mitigating threats, and more. In doing so, they ultimately drive a more secure cloud state for all.

To learn more, visit us here.

AI has the power to transform security operations, enabling organizations to defeat cyberattacks at machine speed and drive innovation and efficiency in threat detection, hunting, and incident response. It also has major implications for the ongoing global cybersecurity shortage. Roughly 4 million cybersecurity professionals are needed worldwide. AI can help overcome this gap by automating repetitive tasks, streamlining workflows to close the talent gap, and enabling existing defenders to be more productive.

However, AI is also a threat vector in and of itself. Adversaries are attempting to leverage AI as part of their exploits, looking for new ways to enhance productivity and take advantage of accessible platforms that suit their objectives and attack techniques. That’s why it’s critical for organizations to ensure they are designing, deploying, and using AI securely.

Read on to learn how to advance secure AI best practices in your environment while still capitalizing on the productivity and workflow benefits the technology offers.

4 tips for securely integrating AI solutions into your environment

Traditional tools are no longer able to keep pace with today’s threat landscape. The increasing speed, scale, and sophistication of recent cyberattacks demand a new approach to security.

AI can help tip the scales for defenders by increasing security analysts’ speed and accuracy across everyday tasks like identifying scripts used by attackers, creating incident reports, and identifying appropriate remediation steps—regardless of the analyst’s experience level. In a recent study, 44% of AI users showed increased accuracy and were 26% faster across all tasks.

However, in order to take advantage of the benefits offered by AI, organizations must ensure they are deploying and using the technology securely so as not to create additional risk vectors. When integrating a new AI-powered solution into your environment, we recommend the following:

1. Apply vendor AI controls and continually assess their fit: For any AI tool that is introduced into your enterprise, it’s essential to evaluate the vendor’s built-in features for fostering secure and compliant AI adoption. Cyber risk stakeholders across the organization should come together to preemptively align on defined AI employee use cases and access controls. Additionally, risk leaders and CISOs should regularly meet to determine whether the existing use cases and policies are adequate or if they should be updated as objectives and learnings evolve.
2. Protect against prompt injections: Security teams should also implement strict input validation and sanitization for user-provided prompts. We recommend using context-aware filtering and output encoding to prevent prompt manipulation. Additionally, you should update and fine-tune large language models (LLMs) to improve the AI’s understanding of malicious inputs and edge cases. Monitoring and logging LLM interactions can also help security teams detect and analyze potential prompt injection attempts.
3. Mandate transparency across the AI supply chain: Before implementing a new AI tool, assess all areas where the AI can come in contact with your organization’s data—including through third-party partners and suppliers. Use partner relationships and cross-functional cyber risk teams to explore learnings and close any resulting gaps. Maintaining current Zero Trust and data governance programs is also important, as these foundational security best practices can help harden organizations against AI-enabled attacks.
4. Stay focused on communications: Finally, cyber risk leaders must recognize that employees are witnessing AI’s impact and benefits in their personal lives. As a result, they will naturally want to explore applying similar technologies across hybrid work environments. CISOs and other risk leaders can get ahead of this trend by proactively sharing and amplifying their organizations’ policies on the use and risks of AI, including which designated AI tools are approved for the enterprise and who employees should contact for access and information. This open communication can help keep employees informed and empowered while reducing their risk of bringing unmanaged AI into contact with enterprise IT assets.

Ultimately, AI is a valuable tool in helping uplevel security postures and advancing our ability to respond to dynamic threats. However, it requires certain guardrails to deliver the most benefit possible.

For more information, download our report, “Navigating cyberthreats and strengthening defenses in the era of AI,” and get the latest threat intelligence insights from Microsoft Security Insider.