Endpoint Security Archives - CISO MAG | Cyber Security Magazine
Beyond Cyber Security. Feed last built Fri, 25 Feb 2022 04:10:35 +0000.

Indian Organizations Among Most Targeted for Ransomware; Most Pay Ransom
https://staging-cisomagcom.kinsta.cloud/ransomware-attack-in-india/
Wed, 08 Sep 2021 13:00:26 +0000
Most news on ransomware attacks is about U.S. organizations. We hear little about ransomware attacks in India, as few organizations report them. That’s not to say that Indian companies are spared. In fact, India is the fifth most attacked country in the world and the third in Asia. This is widely reported in the media. In its report titled “The State of Ransomware 2021,” cybersecurity firm Sophos reveals that India tops the list of 30 countries for ransomware attacks, with 68% of Indian organizations surveyed having been hit by ransomware in the last 12 months.

Ransomware Attacks in India Decline

According to Sophos, there has been a drop in ransomware attacks this year compared to the previous year. The Sophos survey also highlighted that 67% of Indian organizations whose data was encrypted paid a ransom to get their data back, up from 66% last year.

The Sophos report states, “In fact, Indian organizations were the most likely to pay a ransom of all countries surveyed: the global average was just under one third (32%).”

While ransomware attacks in India saw a dip this year, various research reports show that attackers are taking a more targeted and organized approach. There are new vulnerabilities; zero-day attacks are now common. Ransomware hackers have now zeroed in on blockchain, cryptocurrencies, and cryptocurrency exchanges. EC-Council’s Cyber Research cell will be releasing a report on this next month.

According to the Microsoft Security Endpoint Threat Report 2019, Asia Pacific continued to experience a higher-than-average encounter rate for malware and ransomware attacks – 1.6 and 1.7 times higher than the rest of the world, respectively.

India registered the seventh-highest malware encounter rate across the region, at 5.89% in the past year. This was 1.1 times higher than the regional average. The report also found that India recorded the third-highest ransomware encounter rate across the region, which was two times higher than the regional average.

This was despite a 35% and 29% decrease in malware and ransomware encounters, respectively, over the past year.

Cryptojacking Attacks Increasing

The Microsoft report states that crypto-hacking, malware, ransomware, and drive-by download attacks pose significant cybersecurity challenges in India. In fact, India recorded a cryptocurrency mining encounter rate that was 4.6 times higher, and a drive-by download attack volume that was three times higher, than the regional and global average.

It’s a well-known fact that millions of Indians have taken to cryptocurrency trading via hundreds of exchanges around the world. And since cryptocurrency is linked with ransomware, it’s not surprising that new attack vectors like crypto-hacking, cryptojacking, and illegal cryptomining are picking up in the region.

Cryptocurrency is generated through crypto mining, which requires a lot of computing power. During cryptojacking attacks, the victims’ computers are infected with cryptocurrency mining malware, which enables criminals to leverage the computing power of victims’ computers without their knowledge, to mine cryptocurrency. Pro-Ocean, which was discovered by Palo Alto Networks, is an example of cryptocurrency mining malware.

New Vulnerabilities Found

In its Q2 Index Update, Cyber Security Works reveals new vulnerabilities in the ransomware arsenal. Its research shows that six vulnerabilities have become associated with seven ransomware strains; among them are the infamous Darkside, Conti, FiveHands, and the newly christened, Qlocker.

“With this update, the total number of vulnerabilities associated with ransomware has increased to 266. We have also noticed a 1.5% increase in the number of actively exploited vulnerabilities that are trending currently, reiterating that a risk-based approach for the remediation of vulnerabilities is the need of the hour.

One of the most compelling observations during this quarter was the exploitation of zero-day vulnerabilities even before vendors published their discovery or released patches,” said Ram Movva, Chairman and Co-founder of Cyber Security Works.

More Targeted Attacks

Another trend we observe is that the attacks are getting more targeted. Going forward, you can expect to see attackers going after niche sectors rather than trying to pull off large-scale attacks on everyone.


“Ransomware threat actors have been constantly evolving their tradecraft to increase the odds of the ransom payment. The most infamous ransomware variants, such as WannaCry and NotPetya, were more opportunistic attacks than targeted. However, the ransomware incidents and attacks from 2020 and 2021 are much more focused, planned, and targeted, and are becoming ‘human-operated’. They leverage known information such as vulnerabilities, stolen credentials, and phishing attempts to launch initial attacks. These newer ransomware variants are also including a ‘cyber extortion’ angle in the mix along with ransomware, rendering the data backup and restoration controls implemented by organizations less effective,” said Prateek Bhajanka, Senior Principal Analyst, Gartner.

He continued, “In many cases of ransomware incidents, the encryption of data may not even occur, and the threat actor would issue a ransom note saying, ‘We have stolen your regulatory, client and other sensitive information; here is a sample, and if you don’t pay, we will also encrypt your data.’ The ransomware threat actors are going to various lengths to increase the odds of payment, even resorting to launching or threatening a DDoS attack if the organization doesn’t pay, called ‘triple extortion attacks’.”

Bhajanka also said there will be an increase in the volume of attacks due to the emergence of Ransomware as a Service (RaaS) on the dark web, which makes it much easier to target specific organizations. He said the attacks are going to be directed at specific industries.

“In 2020, the healthcare and pharmaceutical industries were the most sought-after targets, and now we are also observing an increase in attacks in the retail and education sectors. Alongside this, the threat actors are targeting technology service providers such as managed service providers (MSPs) and managed security service providers (MSSPs) to use them as a vector/pivot to a large number of victim organizations,” he added.

Endpoint Security: Protecting Businesses and Remote Workforce in the New Reality
https://staging-cisomagcom.kinsta.cloud/endpoint-security-remote-workforce-new-reality/
Fri, 28 May 2021 05:45:27 +0000
Market research institutions and analysts have been predicting the rise of endpoints for years. Analysts project the rise of IoT devices due to 5G networks, which the U.S. and other countries have started deploying. The weak security of IoT-enabled devices has raised serious concerns. But when the pandemic was announced in March, the narrative changed — as employees packed up and moved their workstations to their homes. The surge in connected devices used by work from home employees worries CIOs and CISOs, who are already under pressure to accelerate digital transformation plans.

By Brian Pereira, Editor-in-Chief, CISO MAG

By Gartner estimates, in 2019, there were 365 million desktops used in offices worldwide. Today, over 1 billion people work from home – employed by 90% of organizations. Employee endpoints have tripled. In recent months, the demand for PCs, laptops, and tablets shot through the roof – there are times when retailers run out of stock. But the apprehensions are not due to the shortage of devices and poor connectivity at home; the bigger concern is inadequate security of those devices that could lead to data breaches.

Enterprise networks and devices behind corporate firewalls are protected by technology stacks and layers of security controls, governed by security policies and compliance. Security and operating system updates are regularly pushed to devices. USB ports and selective network ports are blocked. Storage and backups are frequently conducted on enterprise-approved cloud services. Protective firewalls encircle the network and there are various tools like identity and access management. But at home, it’s a different scenario, akin to leaving your front door open for anyone to walk in.

As employees transitioned to their home offices, there was little time to reconfigure laptops and enforce new controls and security policies. The cybersecurity strategies for most organizations are not designed for remote work environments and need major changes to address the cyber threats posed by remote work.

Home networks and endpoints operate in non-trusted environments and definitely up the risk quotient for corporate networks. Zero trust? Ha! The threat of data leakage looms high. There are all kinds of threats posed by remote workers. The probability of remote workers violating corporate security policies is high. And that’s a worry for organizations that have intellectual property and customer data.

The responsibility of managing endpoint security fell squarely on the remote worker. Months later, security may have vastly improved as IT enforced new policies and controls. But what’s to stop an employee from clicking on a malicious link or attachment in a phishing e-mail? Is the IT team really checking whether an employee is using the office laptop to watch a movie on Netflix, or something far worse? How many adopt URL filtering or block social media? And what’s to stop an employee from backing up enterprise data to their personal cloud storage or removable storage media? Then there are home routers with factory-default passwords, susceptible to hacking from that kid next door (step-by-step instructions on YouTube and other websites).

To counter these challenges, some organizations opted for VDI (Virtual Desktop Infrastructure) and desktop-as-a-service. But could this solution entirely prevent risks like data leakage? How do you stop an employee from using their phone camera to take snapshots of what is shown on the screen? Keep the webcam on all day?

IT mandated the use of corporate-approved VPNs and anti-malware. A CISO MAG 2020 survey found that one in three employees do not use a VPN. In any case, VPNs are notorious for their rigid rules and cannot check abnormal user behavior.

Changing Attack Surface

Cybercriminals are taking advantage of the surge in remote work to exploit new attack vectors exposed by reliance on weakly secured telework infrastructure. CISO MAG online reports on attacks on remote workers with COVID-related themes. The numerous scams are themed on fake news about the spread of the virus and on bulk offers of N95 masks and PPE kits at “dirt cheap” prices. These days there are BEC (Business Email Compromise) attacks with themes around COVID vaccine research breakthroughs and the availability of vaccines. These scams are engineered to exploit a human weakness — FUD (fear, uncertainty, and doubt).

Operation Falcon conducted by INTERPOL is a recent example. Three Nigerian BEC scammers, who are part of a larger cybercriminal group dubbed TMT, were arrested in the city of Lagos. The analysis of their operations has revealed that the gang focuses on the distribution of phishing emails that contain popular malware strains under the guise of purchasing orders, product inquiries, and even COVID-19 aid impersonating legitimate companies. The attackers then use Gammadyne Mailer and Turbo-Mailer to send out phishing emails, which are then tracked using MailChimp, to see whether a recipient victim has opened the message. This is another example of an attack through the endpoints.

“The most common attacks are the results of using the endpoint segment as an entry vector, to get into the organization,” says Prateek Bhajanka, Senior Principal Analyst, Gartner. “It is ransomware campaigns and the ransomware infections that we generally know about — WannaCry, NotPetya, and other ransomware campaigns and infections. Besides ransomware, there are phishing campaigns, spear-phishing campaigns, attacks like social engineering, and business email compromise. Data breaches result in data exfiltration and these propagate through an endpoint segment.”

And as you connect the endpoint to the corporate network, these attacks spread laterally. Hackers target endpoints as an entry point, with the intention of moving laterally in the network, to take over privileged accounts.

Evolving Technology

Over the years, endpoint protection has evolved from prevention (antivirus, data encryption, intrusion prevention, data loss prevention) to detection and response (EDR). So we now have various types of endpoint security tools and endpoint services.

“When we talk about endpoint security technology, it is not just the anti-virus that we need anymore. We need a technology stack that can protect the organization across the layers, not just endpoint, and not just from malware, but also from phishing attacks. It should protect the endpoints from malicious websites that you may be browsing on a daily basis,” says Bhajanka.

The attacks on endpoints may result in account takeover and credential theft. That’s why endpoint security goes beyond antivirus.

A New Approach

Traditional approaches to protecting endpoints from behind corporate firewalls are no longer applicable in today’s context, and a new approach is needed.

“There is no perimeter anymore, and the organization has become boundary-less,” says Bhajanka. “And at the same time, the attack surface of an organization has also become wider and endless for the reason that now you may have one associate working from different locations in different cities. That makes endpoint security a top priority for CISOs and security professionals.”

Bhajanka suggests that security should be deployed in such a way that it should not matter where you work from – it should offer the same level of security.

According to Check Point, a modern-day endpoint security strategy must include the following:

Prevention-first Approach: The number and sophistication of cyberthreats are growing rapidly. A focus on prevention is essential to ensuring that lean security teams are not overwhelmed and for minimizing the cost and impact of cyberattacks on the organization.

AI-driven Security: Security teams lack the ability to scale to meet their growing workloads. Leveraging AI to automate and expedite threat detection, investigation, and response maximizes the efficiency and effectiveness of limited security personnel.

Strong Remediation and Recovery Capabilities: With a remote workforce, employee computers will be compromised by cybercriminals. Security teams need to have the policies, procedures, and tools required to rapidly, and effectively remediate a security incident.

Consolidated Security: Reliance on an array of standalone security solutions means that security analysts waste valuable time switching between dashboards and lack the comprehensive visibility required to detect and respond to incidents. Next-generation security requires a consolidated security architecture with single-pane-of-glass visibility and management.

Strong Real-Time Threat intelligence: The cyber threat landscape evolves rapidly, with many campaigns active for only minutes or hours. Access to real-time, strong threat intelligence is essential to an organization’s ability to protect against the latest threats, not ones from days or weeks ago.

Unified to Reduce TCO: Deploying separate solutions for EPP, EDR, NGAV (next-gen antivirus), VPN, etc. creates a complex environment that is difficult and expensive to configure and maintain. Deploying a unified security solution is essential to minimizing the total cost of ownership (TCO) of enterprise cybersecurity.

Cloud-Based: As corporate resources move to the cloud it is essential that cybersecurity solutions follow. A cloud-based security solution provides native protection to cloud assets as well as taking advantage of the flexibility and scalability offered by the cloud.

Additionally, it should be policy-driven. Ensure that there are tight security controls at all endpoints, backed by stringent security policies. Apply a zero-trust, least privilege access for all endpoints by default.

Conclusion

Traditional approaches to endpoint protection are no longer adequate in a distributed or remote work environment. Organizations need to deploy enterprise-grade security controls and update security policies for remote working.

There are various endpoint solutions available in the market. Look for a unified solution to simplify the management of, and increase the effectiveness of, endpoint security solutions. Deploying a unified security solution is essential to minimizing the total cost of ownership (TCO) of enterprise cybersecurity.

Create a rapid action task force and strategy to remediate and protect endpoints.

As corporates move more infrastructure to the cloud, one needs to think holistically — to not just secure endpoints but also “workloads” and infrastructure. Deploy “intrinsic” security with AI, analytics, and predictive capabilities. And take a prevention-first approach.

This story first appeared in the December 2020 issue of CISO MAG.


About the Author

Brian Pereira is the Editor-in-Chief of CISO MAG. He has been writing on business technology concepts for the past 26 years and has achieved basic certifications in cloud computing (IBM) and cybersecurity (EC-Council).

Initial Access Brokers Are Breaking Into Corporate Networks and Selling Access to Bad Actors
https://staging-cisomagcom.kinsta.cloud/initial-access-brokers/
Wed, 05 May 2021 05:45:00 +0000
Recent research by Digital Shadows lifts the cover on Initial Access Brokers (IABs), a fast-growing new class of cybercriminals who breach organizations and then sell that access to other threat actors, enabling them to do their dirty work (exfiltration, RATs, ransomware, etc.).

By Matias Katz, Founder and CEO, Byos

The report “Rise of Initial Access Brokers” examines the new role that Initial Access Brokers are playing at the top of the cyberattack kill-chain funnel.

IABs are de facto ‘middlemen’ whose business model is exactly what the name implies: they breach as many companies’ networks as they can, and then sell that access to the highest bidders. The buyers are often ransomware groups.

IABs have been proliferating lately largely because of the pandemic and the ensuing Work-From-Home migration. Workers who are logging into systems remotely and connecting from untrustworthy Wi-Fi networks create an exploitable vector of attack. Cybercriminals are exploiting this by scanning at scale for vulnerabilities which allow remote access, such as in virtual private networks (VPNs), and selling this access.

The $7,100 average selling price for access takes into consideration a victimized organization’s revenue, the type of access sold, the number of employees, and the number of devices accessible. RDP (Remote Desktop Protocol) access, the most frequently listed access type for sale, lets a threat actor take over a victim’s computer. RDP access typically goes for around $9,800.

The FBI notes that ‘RDP is still 70-80% of the initial foothold that ransomware actors use.’ RDP is believed to be tied to the Oldsmar, Florida water treatment facility attack, in which attackers attempted to alter the chemicals added to the public water supply.

Beyond the Remote User – As IoT Continues to Grow, So Do System Vulnerabilities

IABs are seeking to expand their offerings by also targeting a new threatscape: IoT devices. They see them as “low-hanging fruit” points of entry to corporate networks.

Because they aren’t built with security in mind, IoT devices are used as an entry point into the larger corporate networks, where the most valuable data resides. Legacy IoT devices such as servers, modems, PLCs, controllers, and networked medical devices are especially vulnerable, as they are incompatible with modern security software agents.

Understanding the traffic at the edge of the corporate network is something that network administrators have long desired since they know their devices are exposed when connecting to any network.

A lot of remote access tools/protocols require local network and device configuration changes, which creates additional risk by exposing internal endpoints directly to the internet – a simple Shodan search confirms this. Once the attacker gains initial access to these exposed endpoints, it is difficult to remove this foothold from the network, let alone prevent it from spreading laterally, highlighting why IABs have become so prevalent.

Because of this, some organizations have even gone so far as to ban remote access to their systems altogether, forcing administrators and technicians to service endpoints physically on site. In a remote-friendly world, a better solution is necessary.

Securing Endpoints: Blocking Access to the Corporate Network

One strategy for mitigating the risk of initial access at the edge is micro-segmentation using a secure endpoint edge device. The main premise of micro-segmentation is that the endpoint is never directly exposed to the network; it is isolated onto its own “micro-segment of one.” This lets organizations take control of their edge by ensuring that all traffic to and from the endpoint flows over its own micro-segment.

Micro-segmentation also allows for Zero Trust Remote Access through what is called the “Secure Lobby”: instead of an administrator configuring the perimeter to allow traffic to the endpoint directly, the secure endpoint edge acts as the gatekeeper to the endpoint, while maintaining full isolation from the rest of the network.

With Secure Lobby, both the remote user and secure endpoint edge “meet” in the lobby through an encrypted connection. The administrator can now remotely access the micro-segmented endpoint securely and perform any type of monitoring, updating, or patching necessary, without exposing the endpoint to the internet.

This is game-changing for secure remote management because attackers will no longer have direct access to endpoints, thus helping to eliminate the business of Initial Access Brokers altogether.


About the Author

Matias Katz is the founder and CEO of Byos. Matias has 15+ years of experience in information security. He founded Mkit in 2008, which provided defensive and offensive security solutions, and is an official CISSP instructor. He has presented his research at cybersecurity conferences around the world and has a popular TEDx talk. He is the author of “Redes y Seguridad” (Networking and Security) and founded the Andsec international hacking conference.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

Cybersecurity Post-COVID: A New Era of Sophistication
https://staging-cisomagcom.kinsta.cloud/cybersecurity-post-covid/
Wed, 07 Apr 2021 05:30:26 +0000
2020 was an immensely challenging year for everyone, including the cybersecurity sector. An explosion in remote working endpoints and new technology investments brought about by the pandemic have created fresh security challenges and visibility gaps. The trend continues in 2021, with the SolarWinds attack demonstrating the level and sophistication of threats organizations are facing.

By Jamie Brummell, Founder & CTO, Socura

But what are the emerging types of threats and threat vectors, and what do CISOs need to do to put in place strong foundations to secure the new, hybrid ways of working? I will outline my top five tips on how to tackle threats in a new era of sophistication.

Prioritize endpoint security for home workers

At its core, cybersecurity is a people problem. Phishing has become a top threat vector for attackers precisely because it works so well. You can have the most advanced email security system in the world, but if a phishing message slips through the net, it takes just one untrained user to click through and your organization can be exposed to crippling ransomware or large-scale data theft.

The people factor has become even more critical because of the rise in remote working. There’s strong evidence to suggest that those at home are more likely to click through on something suspicious. The problem is amplified by the fact that many home workers may be connecting to company networks from personal devices which aren’t suitably protected.

One global study found that even though most (72%) remote workers say they are more conscious of their organization’s cybersecurity policies since the start of the pandemic, large numbers are using non-work apps on corporate devices (56%), using a work laptop for personal browsing (80%), and often or always accessing corporate data from a personal device (39%). All these scenarios represent varying degrees of security risk.

Gain full visibility of the ‘Internet of Things’

It’s not just remote laptops and tablets; the rise of IoT has to be considered as well. According to forecasts from leading analyst house Gartner, the world will be filled with as many as 25 billion connected “things” by the end of 2021. A big part of this surge is down to the Internet of Things (IoT): programmable gadgets, machines, sensors, and other pieces of hardware that collect data and transmit it to cloud servers for analysis and processing.

There’s no denying the potential for such devices to deliver an increasingly connected future, but they also represent a major security risk. Why? Because they may be difficult to patch or may not be protected with adequate access controls, while visibility gaps and a lack of network segmentation increase the risk further. Many IoT devices run old, unpatched (and often ‘unpatchable’) operating systems with lax security configuration and no security agents protecting them.

Gaining full visibility and control is critical. In my experience, IT leaders need a better understanding of where their assets are and how devices are being used before they can manage cyber risk effectively.

The good news for CISOs is that the security of consumer IoT devices is being bolstered by the introduction of new international standards, such as ETSI EN 303 645. The standard covers 13 areas designed to put in place a baseline level of security for connected devices. For example, it requires IoT manufacturers to provide transparency on the minimum time for which the product will receive security updates. It also provides guidance on best practice cryptography to ensure confidentiality of personal data transiting between a device and a service.

A key strategy for securing managed devices is the adoption of Endpoint Detection and Response (EDR) agents that record all activity on the host, including the network connections that centralized network security systems no longer see once users are working remotely. With traditional antivirus vendors building EDR capability into their agents, endpoint security investigations have been simplified and visibility has improved. Visibility across all endpoints is further enhanced with Extended Detection and Response (XDR), where activity across endpoint, network, identity, and cloud is stitched together for even deeper insight.
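
As an added illustration (example code written for this page, not the author’s or any vendor’s product), the following Python runs detection logic over EDR-style telemetry for the phishing-to-shell chain described earlier: a Word document spawns PowerShell, which then connects out. The event records, field names, corporate IP range and process names are all constructed assumptions for the example. The point it makes is the one in the paragraph above: the outbound connection from the PowerShell child of Word is only visible because the agent on the remote laptop logged it; no perimeter device ever saw that traffic.

```python
"""Phishing-chain detection over EDR-style endpoint telemetry.

Added example with constructed data; the event schema below is an assumption
for illustration, not any vendor's format.
"""
import ipaddress

# Constructed telemetry from one remote laptop: the process tree plus every
# network connection the host made, as an EDR agent would record them.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe",
     "cmdline": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "winword.exe",
     "cmdline": "winword.exe Invoice_2021.docm"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc <base64 payload>"},
    {"type": "network", "pid": 300, "dst_ip": "203.0.113.50", "dst_port": 443},
    {"type": "process", "pid": 400, "ppid": 100, "image": "outlook.exe",
     "cmdline": "outlook.exe"},
    {"type": "network", "pid": 400, "dst_ip": "10.20.30.40", "dst_port": 443},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Assumed corporate address space. A remote user's direct-to-internet
# connections never traverse the corporate perimeter, so only the endpoint
# agent observes them.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]
SUSPICIOUS_ARGS = ("-enc", "-w hidden", "-nop")


def _is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def _lineage(procs, pid):
    """Return [process, parent, grandparent, ...], guarding against pid loops."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Apply two rules to the telemetry and return a list of alert dicts."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []

    # Rule 1: an Office application spawning a script host (macro -> shell).
    for proc in procs.values():
        parent = procs.get(proc["ppid"])
        if parent and parent["image"] in OFFICE_APPS and proc["image"] in SCRIPT_HOSTS:
            cmd = proc["cmdline"].lower()
            alerts.append({
                "rule": "office_spawned_script_host",
                "pid": proc["pid"],
                "parent": parent["image"],
                "image": proc["image"],
                "suspicious_args": [a for a in SUSPICIOUS_ARGS if a in cmd],
            })

    # Rule 2: a script host descended from an Office app connecting outside
    # the corporate ranges; a perimeter device would never have seen this.
    for event in events:
        if event["type"] != "network" or _is_corporate(event["dst_ip"]):
            continue
        chain = _lineage(procs, event["pid"])
        if not chain or chain[0]["image"] not in SCRIPT_HOSTS:
            continue
        if any(anc["image"] in OFFICE_APPS for anc in chain[1:]):
            alerts.append({
                "rule": "office_script_host_external_connection",
                "pid": event["pid"],
                "dst": f'{event["dst_ip"]}:{event["dst_port"]}',
                "ancestry": " <- ".join(p["image"] for p in chain),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Outlook’s connection to the assumed corporate range is deliberately not flagged: the rules key on ancestry (an Office parent) and on destinations the perimeter cannot observe, not on the mere presence of a network event.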

Tackle escalating ‘social engineering’ in critical services

One prominent target for compromise right now is the cold supply chains associated with vaccine rollout. A global phishing campaign uncovered by IBM involved sending out phishing emails to organizations associated with Gavi, The Vaccine Alliance’s Cold Chain Equipment Optimization Platform (CCEOP) program. This was a ‘spear’ phishing attack involving precision targeting where messages were developed to specifically appeal to certain individuals.

Along with precision targeting, spear-phishing campaigns are grounded in thorough research of information available online, such as social media profiles, to create a credible email with a strong call to action.

Phishing is a tried and tested tool in any cybercriminal’s toolbox, but during the pandemic we have seen the emotional appeal exploiting fear of COVID-19 evolve into precision ‘social engineering’.

Creating a positive security culture that raises awareness, and providing the training needed so that victims feel empowered to report an attack, are essential measures, but they don’t go far enough. CISOs also need to limit the attack surface by ensuring that employees only have access to the data and systems that are fundamental to doing their job.

Establish transparent supply chains

Data breaches are a pressing concern not just in ‘physical’ supply chains of vaccine supplies but also in software supply chains spanning an organization’s third-party relationships.

Supply chain breaches are not new, but their severity and ramifications have certainly become more far-reaching, as recently demonstrated by SolarWinds.

The challenge can only be addressed through industry-wide collaboration. An interoperable metadata approach based on the Software Bill of Materials (SBOM) helps manage supply chain risk through increased transparency. An SBOM is a record of the components used in building a piece of software, and it enables faster identification and remediation of vulnerabilities in those components.

An important recent initiative aimed at managing vulnerabilities in the open-source ecosystem has been introduced by Google. OSV is a database of open-source vulnerabilities that automates the triage workflow for an open-source package consumer, making it easier for users to identify which vulnerabilities affect them. Such initiatives are essential if the cybersecurity industry is to reverse the growing trend of key software supply chains being compromised.
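
Added example, not part of the original article and not Google’s or OSV’s own code: the two ideas above joined together. The script parses a CycloneDX SBOM, turns each component’s package URL into an entry for OSV’s batch query endpoint (`https://api.osv.dev/v1/querybatch`, which takes `{"queries": [{"package": {"name", "ecosystem"}, "version"}]}` and returns one `results` entry per query), and reports which components are affected. The SBOM fragment, the component versions and the `fake_osv` responses (with placeholder IDs, not real advisories) are constructed so the example runs offline; `query_osv_live` is the real call for use against the service.

```python
"""SBOM-driven vulnerability triage against the OSV batch API (added example).

The CycloneDX fragment and the canned responses are constructed; the
placeholder vulnerability IDs are not real advisories.
"""
import json
import urllib.parse
import urllib.request

SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "requests", "version": "2.25.1",
     "purl": "pkg:pypi/requests@2.25.1"},
    {"type": "library", "name": "lodash", "version": "4.17.20",
     "purl": "pkg:npm/lodash@4.17.20"},
    {"type": "library", "name": "github.com/gorilla/websocket", "version": "1.4.0",
     "purl": "pkg:golang/github.com/gorilla/websocket@1.4.0"}
  ]
}
"""

# purl type -> OSV ecosystem name. Only the simple cases are mapped; Maven
# (groupId:artifactId) and others need extra handling and are skipped here.
PURL_TO_OSV = {"pypi": "PyPI", "npm": "npm", "golang": "Go", "cargo": "crates.io"}
OSV_QUERYBATCH = "https://api.osv.dev/v1/querybatch"


def parse_purl(purl):
    """Split 'pkg:type/name@version' into (osv_ecosystem, name, version)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[4:].split("?", 1)[0].split("#", 1)[0]  # drop qualifiers/subpath
    if "@" not in body:
        raise ValueError(f"purl has no version: {purl}")
    name_part, _, version = body.rpartition("@")
    ptype, _, name = name_part.partition("/")
    if ptype not in PURL_TO_OSV:
        raise ValueError(f"unsupported purl type: {purl}")
    return PURL_TO_OSV[ptype], urllib.parse.unquote(name), version


def build_querybatch(sbom_json):
    """Return (payload, purls); purls are in query order so results can be joined."""
    sbom = json.loads(sbom_json)
    queries, purls = [], []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue
        try:
            ecosystem, name, version = parse_purl(purl)
        except ValueError:
            continue  # unmapped ecosystem: not queried
        queries.append({"package": {"name": name, "ecosystem": ecosystem},
                        "version": version})
        purls.append(purl)
    return {"queries": queries}, purls


def query_osv_live(payload, timeout=10):
    """POST the batch to the real OSV service (not used by the offline demo)."""
    req = urllib.request.Request(
        OSV_QUERYBATCH, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def triage(sbom_json, query_fn):
    """Return [{'purl': ..., 'vulns': [ids]}] for components reported as affected.

    query_fn takes the querybatch payload and returns the OSV-shaped response
    {"results": [{"vulns": [{"id": ...}, ...]}, ...]}, one result per query.
    """
    payload, purls = build_querybatch(sbom_json)
    results = query_fn(payload).get("results", [])
    findings = []
    for purl, result in zip(purls, results):
        ids = sorted(v["id"] for v in (result.get("vulns") or []))
        if ids:
            findings.append({"purl": purl, "vulns": ids})
    return findings


def fake_osv(payload):
    """Constructed stand-in for the API; IDs are placeholders, not real advisories."""
    canned = {
        ("PyPI", "requests"): ["OSV-EXAMPLE-0001"],
        ("npm", "lodash"): ["OSV-EXAMPLE-0002", "OSV-EXAMPLE-0003"],
    }
    results = []
    for q in payload["queries"]:
        key = (q["package"]["ecosystem"], q["package"]["name"])
        results.append({"vulns": [{"id": i} for i in canned.get(key, [])]})
    return {"results": results}


if __name__ == "__main__":
    for finding in triage(SBOM_JSON, fake_osv):
        print(finding["purl"], "->", ", ".join(finding["vulns"]))
    # Against the live service: triage(SBOM_JSON, query_osv_live)
```

Components whose purl type is not mapped are skipped rather than guessed, so an incomplete mapping shows up as an unqueried component rather than a false “no vulnerabilities” result.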

Clearly define shared responsibilities in the cloud

With the rise in remote working further accelerating cloud adoption, cloud misconfiguration has become one of the biggest sources of cyber risk today—often providing an open goal for attackers. Threat actors are constantly scanning for exposed cloud systems to compromise, with frequent success, so the trend of cloud-related breaches is unlikely to abate in the future.

When used appropriately and configured correctly, the public cloud can be more secure than on-premises environments. But there are two key sources of risk. The first is a shortage of skills, which has already led to countless cloud data breaches and leaks through misconfiguration, exposing highly sensitive customer data and IP. The second is an insufficient understanding of the Shared Responsibility Model, leading to a misconception about where the security responsibilities of cloud providers end and those of their customers begin.

Security teams must ensure they clearly define what the cloud provider is securing, and what they are responsible for. The ‘grey’ areas of the Shared Responsibility Model that normally require extra clarification include applications, operating systems, network controls, and identity and directory infrastructure.
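
Added example, not from the original article: the customer’s side of the model in concrete form. The data exposures the article refers to commonly take the shape of an object-storage policy that grants access to everyone, a setting the provider will never override because access policy is the customer’s responsibility. The Python below lints an S3 bucket policy document for anonymous Allow statements and shows a weak policy beside a corrected one. The policy-document format is AWS’s; bucket name, account id and role name are placeholders.

```python
"""Flag anonymous-access statements in an S3 bucket policy (added example).

Both policies are constructed in the real AWS policy-document format; the
bucket, account id and role name are placeholders.
"""
import json

WEAK_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicReadForEveryone",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-customer-exports",
                   "arn:aws:s3:::example-customer-exports/*"]
    }
  ]
}
"""

CORRECTED_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReportingRoleReadOnly",
      "Effect": "Allow",
      "Principal": {"AWS": "arn:aws:iam::111122223333:role/reporting-reader"},
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::example-customer-exports/*"
    },
    {
      "Sid": "DenyUnencryptedTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": ["arn:aws:s3:::example-customer-exports",
                   "arn:aws:s3:::example-customer-exports/*"],
      "Condition": {"Bool": {"aws:SecureTransport": "false"}}
    }
  ]
}
"""


def _as_list(value):
    """Policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_statements(policy_json):
    """Return the Allow statements granting access to anonymous principals.

    Each finding records whether a Condition is present: a conditioned
    wildcard (e.g. restricted to a VPC endpoint) may be intentional, an
    unconditioned one almost never is.
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny on "*" is hardening, not exposure
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "conditional": bool(stmt.get("Condition")),
        })
    return findings


def is_public(policy_json):
    """True when at least one unconditioned anonymous Allow exists."""
    return any(not f["conditional"] for f in public_statements(policy_json))


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("corrected", CORRECTED_POLICY)):
        verdict = "PUBLIC" if is_public(policy) else "not public"
        print(f"{label}: {verdict} {public_statements(policy)}")
```

The corrected policy keeps a wildcard principal only in a Deny statement, which tightens rather than widens access; the check distinguishes the two by Effect so that hardening statements do not show up as findings.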

What next for CISOs?

Addressing security challenges and visibility gaps in the post-COVID era is no mean feat. Aside from securing adequate resourcing and funding, CISOs need to put in place the tools and processes to tackle the growing levels of threat as well as their evolving sophistication.

Zero Trust, conceived by John Kindervag, has been co-opted by a multitude of security vendors, often focussing on only one part of the ‘never trust, always verify’ concept. However, the NSA has recently published official guidance on the Zero Trust Security Model, giving it the much-needed neutrality and endorsement it deserves.

By assuming that a breach is inevitable or has likely already occurred, organizations constantly limit access to only what is needed and monitor for suspicious activity. In a supply chain breach, for example, a Zero Trust model would apply a deny-by-default security policy to all users, systems, and applications. Real-time protective monitoring would detect suspicious activity and alert on any unauthorized attempt to access an application.

Managed Detection and Response (MDR) services can be helpful here, as they have accrued the necessary expertise, experience, and threat context through visibility of multiple customer environments, with a laser focus on security operations and incident response.

This focus also enables them to apply optimal automation alongside human analysis, adding human context and intelligence to decision making. The end result is a faster response to threats and a reduction in attacker dwell time and risk.

About the Author

Jamie Brummell is Founder and CTO of Socura (www.socura.co.uk). He is a cybersecurity leader with over 20 years of experience working with multinational organizations, security vendors, and systems integrators. Responsibilities have included security design, engineering, consultancy, and strategy.

Jamie works with senior executives, architects, analysts, and engineers alike; helping them manage cyber risk and improve their cyber defense capability.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

Market Trends Report on Endpoint Security – 2020 https://staging-cisomagcom.kinsta.cloud/ciso-mag-market-trends-report-on-endpoint-security-2020/ Sun, 24 Jan 2021 04:00:26 +0000 https://staging-cisomagcom.kinsta.cloud/?p=9514

With organizations going remote in 2020, thousands of desktops, workstations, laptops, mobile phones, tablets, access points, printers, IP cameras, USB devices, cloud VMs, and virtual desktops, which previously acted as personal devices and machines, suddenly became endpoints of the corporate world. Endpoint security thus became of paramount importance, now more than ever.

The global endpoint security market is projected to reach $30.83 billion by 2027, growing at a CAGR of 8.68% from 2020 to 2027.

A key trend from an earlier study by CISO MAG showed that endpoint protection is moving to the cloud, with SaaS-based services for monitoring endpoints.

The demand for endpoint security services also increased as cloud security improved. The report concluded that organizations are increasingly adopting advanced endpoint security solutions to counter the increased sophistication and volume of threats to endpoints.

To get a better understanding of the current trends, CISO MAG conducted a Market Trends Survey on Endpoint Security in December 2020. This survey has been formulated into a Market Trends Report and offers an in-depth analysis of the global market trends in Endpoint Security along with qualitative and quantitative analysis, history, and estimated projections about the market size and share during the forecast period.


2021 Security Predictions: Endpoint Security is of Utmost Importance https://staging-cisomagcom.kinsta.cloud/2021-security-predictions/ Mon, 11 Jan 2021 05:43:32 +0000 https://staging-cisomagcom.kinsta.cloud/?p=9048

2020 has been an unforgettable year: from a virus upending the world to a sudden shift to a remote workforce, we have seen it all. Our reliance on technology will be greater than ever.

The following predictions offer insights into how cybersecurity will evolve in 2021:

By Jason Lee, CISO, Zoom

1. Data protection for the hybrid workforce will become increasingly complex.

  • Many companies have embraced a fully remote workforce during this challenging time. Next year, many of these same companies will need to adapt to a hybrid workforce with some employees re-entering the office, and others staying remote.
  • Security leaders will need to reevaluate their network security posture, maintain an effective data protection strategy on endpoints, and consider mobile device management (MDM). Corporate network congestion could also become a big issue for companies that have a lot of employees heading back to the office in addition to a large remote workforce.
  • Companies with many remote employees will also need to support more endpoints than ever before. Protection of the data on these endpoints will be critical. Programs like BYOD will offer those employees secure access to the tools they need to stay productive.

2. Companies will move toward personal device authentication.

As we continue to practice social distancing in 2021, companies will move away from shared/communal computers, and shift toward supporting employees on their personal devices. Security teams will also need to deploy consistent authentication practices that support both in-office employees and those staying remote. Multi-factor authentication for corporate-owned and/or BYOD-supported mobile phones will be the most popular solution. Additionally, we will see a move toward passwordless access and leveraging other factors.

3. The war for cybersecurity talent will continue to heat up.

  • This past year, many companies began hiring cybersecurity professionals remotely–no matter where they live. In 2021, cybersecurity pros will continue to be able to work from wherever they want. In particular, Zoom will continue hiring employees in the office and remotely for its cybersecurity team.
  • One of the most effective ways to increase an organization’s security capabilities is to arm its development teams with rich training. Zoom will be significantly investing in security training for its developers. The company supports continuous learning via secure code training, “capture the flag” competitions, and other gamification techniques to train its development organization on security.

4. The Zero Trust security model will be a primary focus in 2021.

With the Zero Trust model, employees must be authenticated and validated before given access to appropriate applications and the right level of data. As companies look to support a hybrid workforce, this approach will become even more attractive for security leaders, as it provides continuous checks as to whether employees need access at that time to sensitive data. Companies will also double down on endpoint controls to ensure their rapidly growing remote workforce stays secure.


About Jason Lee

Jason Lee is the Chief Information Security Officer at Zoom with 20 years of experience in technology, with a specialization in information security and operating mission-critical services. He was recently the Senior Vice President of Security Operations at Salesforce where he was accountable for the global organization delivering critical end-to-end security operations to customers and employees including company-wide network and system security, incident response, threat intel, data protection, vulnerability management, intrusion detection, identity and access management, and the offensive security team. Before Salesforce, he held the position of Principal Director of Security Engineering for the Windows and Devices division in Microsoft.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.

“Unified solutions could hold the key in enforcing endpoint security policies” https://staging-cisomagcom.kinsta.cloud/unified-solutions-could-hold-the-key-to-enforcing-endpoint-security-policies/ Thu, 12 Nov 2020 05:08:46 +0000 https://staging-cisomagcom.kinsta.cloud/?p=7732

The exponential increase in endpoints in the last nine months has hugely contributed to a dramatic rise in network and endpoint perimeter breaches. However, there is one man who seems to be fighting fire with fire by providing a unified solution that is changing the face of network and endpoint cybersecurity not just in India but around the globe. Meet Karmesh Gupta, the change that you may know, but the man you didn’t.

Karmesh is the CEO of the Indian cybersecurity product suite provider WiJungle. Featured in the Forbes “30 Under 30 Asia 2020” list, he has not always had a smooth ride. It was rough, patchy, full of bumps, and only after two failed attempts did he make it big. Karmesh humbly says, “Persistence did pay.” His company’s network and endpoint security offering, which already reaches 30+ countries, is ringing bells around the globe.

It is the end of the year and endpoint security has grabbed headlines almost all year round. So, in a fireside chat with Mihir Bagwe, Tech Writer at CISO MAG, Karmesh helped us gain deeper insights into the trenches of network and endpoint security.

The edited excerpts of his interview follow:

The Readiness Quotient

Q. [question not captured; shown only as an image in the original]

A.

Yes, in the case of large businesses, who already had the required infrastructure for business continuity during the pandemic.

No, in the case of SMBs, who either didn’t have the required products for remote work enablement or were managed by third-party vendors. In both these cases, the movement started happening around the first week of lockdown.

Specifically referring to our customer base, only 12% of the people were using the remote work enablement function of our product before COVID, while within the initial 10 days of lockdown, this number rose to 80%.

Pre and Post-COVID Strategies

Q. [question not captured; shown only as an image in the original]

A. Between the pre-COVID and post-COVID era, there has been a shift from network security-centric policies to endpoint-centric policies as endpoints have become the first entry point for any threat. Policy enforcement around Endpoint Data Leakage Prevention (DLP), Host-based Intrusion Prevention Systems (IPS), Ransomware Protection & Application Filter has been the prime adoption/amendment in the overall strategy.

Hidden Risks of Remote Working

Q. [question not captured; shown only as an image in the original]

A.

Due to complete remote working, there has been a significant increase in usage of Virtual Private Networks (VPN). As multiple endpoints from around the globe are connecting to the corporate network daily, the entry points for perimeter breaches have risen. Moreover, not every official endpoint in the pre-COVID phase was configured for such utilization, nor were the newly added personal devices equipped with concrete BYOD policies.

That’s the reason attackers have shifted their focus to breaching the network by making an entry through vulnerable endpoints. It is one of the prime reasons for increased cyberattacks post-pandemic. The only way to resolve this is by having proper endpoint protection policies.

Including Endpoints in Our Security Perimeter

Q. [question not captured; shown only as an image in the original]

A. Enforcing the security policies on these endpoints is a challenge, and hence a comprehensive or unified product holds the key to bringing them under the security perimeter. Cloud-based solutions like SDPs or Unified Network Security Platforms could simplify these aspects to a huge extent.

Reason to have a Unified Solution

Q. [question not captured; shown only as an image in the original]

A.

The reason is simple. Unified products give you the leverage to efficiently manage the policies and monitor the traffic.

As an example, the unified client application that we provide does the work of both VPN as well as Endpoint Protection. If you already have our network security product, then on subscribing to the endpoint protection, end users are just required to update the client app and endpoint security functions get enforced immediately. The admins are only required to enable the option of applying the user network security profile on endpoints, and 80% of their configuration task is done by default.

Now imagine the same implementation if an organization would have opted for separate stand-alone products for network and endpoint. It would have doubled the task and turnaround time.

What’s in the Cloud?

Q. [question not captured; shown only as an image in the original]

A.

‘As a service’ model, for sure, is the key to the future but having said that, cloud comes with its challenges. Whether you are hosting some data on a public/private cloud or using third-party applications, businesses adopting cloud for hosting their data or using third-party applications or both have different challenges.

One of the biggest misconceptions I have witnessed among the small and medium business owners is – ‘Hey, we use AWS or Azure or GCloud and they, by default, provide required security’ or ‘Hey, we use Gmail and it, by default, provides every kind of security.’ They do not understand what kind of security these platforms are talking about and conveying. It makes their cloud open for potential threat actors.

Since the cloud utilization is higher than ever, it needs to be ensured that SMBs at least have basic DDoS protection enabled for their data hosting along with the right access configurations provided by the platform. Moreover, if suitable, they should go for a Cloud WAF and Virtual Firewall.

In the case of third-party applications, if the number of such applications is less, then they still could be managed by proper access configurations, which should be provided by the platform itself. In any other case, one should deploy a CASB.

Choosing a Network and Endpoint Security Solution

Q. [question not captured; shown only as an image in the original]

A.

For sure, number one is to go with a unified synchronized solution for easy management and scalability. The form factor of the solution could be cloud or appliance depending on the business operations need. If they have plans to work 100% remotely for some years, then cloud-delivered security makes sense for them.

Number two on the consideration list is the part where we discuss the capabilities. Ensure that the network solution includes Zero-Day Protection, and that the Endpoint Security Solution has DLP features along with ransomware protection.

Prevention is Better Than Cure

Q. [question not captured; shown only as an image in the original]

A.

As mentioned earlier, there are two aspects.

Firstly, the majority of ransomware attacks in enterprise networks happen as attackers can traverse through the remote endpoints. Hence, the foremost need is to have the right policy and security at both the network and the endpoint level. It is a kind of proactive defense.

Secondly, if the above seems to be a difficult job then one could opt for deception technology such that threat actors could be deceived and their network scan time could be increased to make IT admins aware before a possible security breach occurs. It is a reactive defense.

Current Trends

Q. [question not captured; shown only as an image in the original]

A.

The most trending forms that we have observed are:

  1. Malware Attacks (majorly ransomware, Trojans, and spyware): Via phishing, messaging platforms & freeware.
  2. Payment Frauds: Via fake mobile apps, websites, calls, and emails.

Future Challenges

Q. [question not captured; shown only as an image in the original]

A.

I don’t think any. The world is already witnessing all the possible permutations and combinations of the challenges during the pandemic.

About the Interviewer

Mihir Bagwe is a Tech Writer and part of the editorial team at CISO MAG. He writes news features, technical blogs, and conducts interviews on latest cybersecurity technologies and trends.

 


Endpoint Security: Your First Line of Defense https://staging-cisomagcom.kinsta.cloud/endpoint-security-your-first-line-of-defense/ Tue, 10 Nov 2020 04:36:50 +0000 https://staging-cisomagcom.kinsta.cloud/?p=7701

“Plus ça change, plus c’est la même chose,” an epigram by French writer Jean-Baptiste Alphonse Karr (1849), translates as “the more things change, the more they stay the same.” There is an eerie parallel of governments’ reaction, the proliferation of fake news, and potential treatment between the Spanish flu of 1918 and the current Coronavirus pandemic. Do check out the podcast by Paul Combs – The Revisionist History, if you are interested.

By Pankit Desai, Co-founder and CEO, Sequretek

One may wonder what the above context has to do with the topic of endpoint security. To start with, there is a “virus” at play here and, like its biological cousin, it seems to morph to a changing landscape, albeit a technological one in this case. It was way back in 1971 that the world encountered its first computer virus, “Creeper.” Since then, there has been a constant game of one-upmanship between attackers and defenders. For a while, it seemed like the good guys had the upper hand, only to be proven wrong, and for a few legitimate reasons.

Technological Changes and its Impact

Lowering of costs and complexity has resulted in the democratization of technologies like IoT, cloud, big data, mobility, robotics, and additive manufacturing. This technology infusion has transformed manual and offline systems into automated and networked ones, with employees moving out of their offices and workloads moving out of data centers into the cloud.

Before COVID, the companies who understood technology’s power had started embracing this transformation and absorbing its impacts. The laggards, however, were caught largely unaware. They were forced to quickly figure out a way to enable “work from home” for their enterprises and to open up their internal processes to external access. As if this were not enough, WFH creates an additional challenge where ‘personal assets are being used for professional purposes’ and ‘professional assets are being used for personal purposes.’

Enhanced Security Risks and Responses

Technological advances and changing circumstances have impacted how enterprises have configured their IT infrastructure, forcing them to rethink how they now need to be secured.

Traditionally the emphasis was on a strong perimeter defense to protect critical assets, be they endpoints or servers in one’s datacentre, on the assumption that the perimeter would hold. The result was a lopsided budget allocation: a strong perimeter but weak device security. For most organizations, a signature-based antivirus was considered sufficient for endpoint security, and servers were patched sporadically, if at all.

The result is for everyone to see. Pull up any report by analysts or security experts, and one sees varied statistics suggesting that attacks on the endpoints are on the rise and are the cause of the majority of breaches. Thankfully, there is a consensus that the endpoint is the new perimeter that needs to be defended.

Reactive Approach Leads to New Challenges

The industry has gone about addressing the threat perception by offering a series of layered products, each of which solves a specific security challenge.

Antivirus (AV) was the first technology, launched in the late 80s, to address external threats by leveraging signature-, behavior-, and heuristics-based models. As zero-day attacks and advanced persistent threats (APT) started appearing in the early 2010s, emulator-based anti-APT technologies came onto the market. We are now witnessing the proliferation of machine learning-based Endpoint Detection and Response (EDR) technology to address the challenges of file-less malware, the limited effectiveness of emulator technologies, and the signature dependency of AV.

On the other hand, the need to understand and improve environmental hygiene resulted in another set of technologies: asset management, to get an understanding of the heterogeneous hardware and software landscape; application whitelisting, to reduce software asset sprawl and the consequent security risk; vulnerability and configuration management, to identify software vulnerabilities; and patch management, to fix them.

Add technologies like encryption, device control, data loss prevention, host firewall, and VPN, and you get the drift. It almost seems that every time there was a new security challenge, the industry’s response was to offer a new product; worse, most of these technologies don’t talk to each other. It’s a classic case of the six blind men and the elephant, where each one touches a different part of the elephant and reports what they found. In most enterprises, the endpoint security realm is about managing multiple management consoles, each reporting its own point of view on device health. The situation becomes even more complicated when the consoles can’t even agree on the inventory count, as each reports independent numbers, with considerable time spent on reconciliation.
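
Added example (not from the original article): the inventory reconciliation the paragraph describes, in Python. Three constructed console exports, standing in for an AV console, a patch-management console and an asset database, report the same small fleet with differing hostname case, domain suffixes and MAC address formats, and one record with no MAC at all. The script normalises both identifiers, learns host-to-MAC pairs from records that carry both, joins everything into a single device list, and reports which devices each tool is missing. That last output is the coverage question (“which endpoints have no agent?”) that no single console can answer on its own.

```python
"""Reconcile endpoint inventories exported from several consoles (added example).

The three inventories are constructed; tool names, hostnames and MACs are
placeholders.
"""
import re

AV_CONSOLE = [
    {"hostname": "LAPTOP-01.corp.example", "mac": "AA:BB:CC:00:00:01"},
    {"hostname": "laptop-02", "mac": "aa-bb-cc-00-00-02"},
    {"hostname": "SRV-DB-01.corp.example", "mac": "AA:BB:CC:00:01:01"},
]
PATCH_CONSOLE = [
    {"hostname": "laptop-01", "mac": "aabbcc000001"},
    {"hostname": "LAPTOP-03.corp.example", "mac": "AA:BB:CC:00:00:03"},
    {"hostname": "srv-db-01", "mac": ""},          # this tool lost the MAC
]
ASSET_DB = [
    {"hostname": "LAPTOP-01", "mac": "aa:bb:cc:00:00:01"},
    {"hostname": "LAPTOP-02", "mac": "aa:bb:cc:00:00:02"},
    {"hostname": "LAPTOP-03", "mac": "aa:bb:cc:00:00:03"},
    {"hostname": "SRV-DB-01", "mac": "aa:bb:cc:00:01:01"},
    {"hostname": "PRINTER-04", "mac": "aa:bb:cc:00:00:04"},
]

_NOT_HEX = re.compile(r"[^0-9a-f]")


def normalize_mac(mac):
    """Lower-case, strip separators; None unless exactly 12 hex digits remain."""
    digits = _NOT_HEX.sub("", (mac or "").lower())
    return digits if len(digits) == 12 else None


def normalize_host(hostname):
    """Upper-case short hostname (domain suffix removed); None if empty."""
    return (hostname or "").split(".", 1)[0].upper() or None


def _identity_map(inventories):
    """Learn host<->MAC pairs from every record that carries both identifiers."""
    host_by_mac, mac_by_host = {}, {}
    for records in inventories.values():
        for rec in records:
            host, mac = normalize_host(rec.get("hostname")), normalize_mac(rec.get("mac"))
            if host and mac:
                host_by_mac.setdefault(mac, host)
                mac_by_host.setdefault(host, mac)
    return host_by_mac, mac_by_host


def reconcile(inventories):
    """inventories: {tool_name: [records]} -> coverage report.

    A device is keyed by MAC where any tool reported one (filled in from the
    learned identity map when a record lacks it), otherwise by short hostname.
    Returns {"devices": {key: {"hostname", "seen_in"}},
             "missing": {tool: [hostnames not reported by that tool]},
             "counts":  {tool: raw record count, "reconciled": unique devices}}.
    """
    host_by_mac, mac_by_host = _identity_map(inventories)
    devices = {}
    for tool, records in inventories.items():
        for rec in records:
            host, mac = normalize_host(rec.get("hostname")), normalize_mac(rec.get("mac"))
            mac = mac or mac_by_host.get(host)
            host = host or host_by_mac.get(mac)
            key = mac or host
            if key is None:
                continue  # record carries neither identifier; nothing to join on
            device = devices.setdefault(key, {"hostname": host, "seen_in": set()})
            device["seen_in"].add(tool)
    missing = {
        tool: sorted(d["hostname"] or key for key, d in devices.items()
                     if tool not in d["seen_in"])
        for tool in inventories
    }
    counts = {tool: len(records) for tool, records in inventories.items()}
    counts["reconciled"] = len(devices)
    return {"devices": devices, "missing": missing, "counts": counts}


if __name__ == "__main__":
    report = reconcile({"av": AV_CONSOLE, "patch": PATCH_CONSOLE, "asset": ASSET_DB})
    print("counts:", report["counts"])
    for tool, hosts in report["missing"].items():
        print(f"not seen by {tool}: {hosts or 'none'}")
```

The three consoles report 3, 3 and 5 records, yet there are 5 devices, not 11; the gaps (no AV agent on LAPTOP-03 and the printer, no patching for LAPTOP-02 and the printer) are what the reconciliation exists to surface.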

Technology Bloat and Ensuing Challenges

Way back in 2015, Gartner coined the term “endpoint protection platform” (EPP), defining it as a solution that would converge endpoint device functionality into a single product that would combine several point technologies into one. Most of the technologies mentioned earlier are part of the Advanced EPP feature set.

It’s been more than five years since. A recent report by a security leader identified that, on average, enterprises end up investing in 50-70 different security tools, and that 35% of the security products had overlapping functionality. These findings should not come as a surprise, given the bloat of technologies in the endpoint space.

As if the technology bloat challenges weren’t enough, the same report identifies 80% of the tools as poorly configured. The way the market today operates, the product companies come out with products with rich but complicated feature sets. The implementation and subsequent management are left to poorly trained customers or resellers, leading to misconfigurations.

The result: talk to any CXO these days and one hears a familiar grouse, “I spend so much money on these complicated three-letter-acronym products. I, however, don’t get an answer to a simple question: Am I secure?” This has caused significant consternation within the security community, and it will need rectification.

Is there a way forward?

While the sins of the past have come back to haunt us, with the endpoint security battle still unresolved and probably more complicated than before, we can take a series of measures to earn back trust by thinking in the customer’s interest.

Machine Learning: Effective use of ML would be a good way to remove the burden of continuous signature updates. However, there are two schools of thought on where the ML capability should reside: on the agent or in the cloud. While the cloud gives much better control, sending packets to the cloud for analysis may not be viable, especially in countries with relatively poor internet infrastructure or with data residency constraints. A hybrid model with some localized ML capability may be the better option.

Single Agent, Single Console: It is high time that products treat endpoint security as an integrated problem rather than as silos. It is heartening to note that companies are branching into adjacent spaces and the coverage seems to be improving, but there is still a long way to go.

Reduce feature bloat: In a zeal to differentiate the products, there are quite a few features that have made the products too complex to implement and run. There needs to be a critical view of what is essential as a feature set and what can be knocked off to make them simple to implement and manage.

Open interfaces: In the short run, at least until the consolidation play pans out, there needs to be an agreed API framework that allows products to co-exist and lean on each other as parts of the same security chain.

Platform v/s product: It is essential to think of a platform-based approach where products (yours or someone else’s) can be plugged in as new technologies or needs arrive. Expecting customers to overhaul their security architecture every time a new digital transformation wave (5G, IoT) comes in is not viable.

In closing

The federated nature, heterogeneity, and volume of endpoints make them the weakest link for enterprise security. It will need stakeholders’ collective efforts to overcome the inherent nature of the risk attached to them.

Till then, maintain social distance and stay safe to overcome the risk from another virus that is running rampant across the world.


About the Author

Pankit Desai, Co-founder and CEO of Sequretek, a Mumbai-based cybersecurity company, launched it in 2013 with the aim of providing enterprise clients an end-to-end cybersecurity platform. Pankit, a veteran of the IT industry, brings 20+ years of hard-core technology and leadership experience to lead Sequretek. Prior to Sequretek, he was President of Business Operations at Rolta. He has also served in senior leadership roles at NTT Data Inc, Intelligroup, Wipro, and IBM India. His experience has given him the ability to manage and scale global business units and service lines rapidly and efficiently. Pankit has diversified business operations and built an organization with multidimensional growth and a strong grasp of business support functions: Financial Planning and Analysis, Recruitment and Operations, Internal IT, Quality, Marketing, and Alliances.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.



The post Endpoint Security: Your First Line of Defense appeared first on CISO MAG | Cyber Security Magazine.

The Evolving Role of Endpoint Detection and Response
https://staging-cisomagcom.kinsta.cloud/evolving-role-of-endpoint-detection-and-response/
Mon, 09 Nov 2020 04:30:46 +0000

With the increase in the myriad of devices and their constant use in this connected world, cybersecurity is a major concern for both users and enterprises. For many organizations, a perfect storm of increasing cloud and BYOD adoption, combined with ineffective technology and stretched security teams, is exposing sensitive data to unnecessary risk. Added to this is the growing attack surface due to the shift towards data-centric business models.

By Nilesh Jain, Vice President, Southeast Asia and India, Trend Micro

Today, the major area of concern in any organization is to secure the endpoints and servers where most of the breaches and frauds happen. It’s not surprising in that context that so many IT leaders see endpoint security as a critical issue. In fact, endpoint security has become a hot topic on the cybersecurity front and is rising ever higher on IT managers’ to-do lists. IT leaders want a more effective, easier to use solution to address this issue. They need to find products that can consolidate a range of security capabilities into one easy-to-manage suite.

Endpoint security has changed fundamentally over the last two decades, in many ways mirroring the evolution of the wider information security market. From the first basic anti-malware scanners of the ‘90s, through innovations in black- and whitelisting, intrusion detection, web and email filtering, and today’s sophisticated targeted attack detection products – we’ve surely come a long way.

EDR – The Black Box of Breaches

EDR systems offer defenders a first line of defense by giving them greater visibility into what is happening at the interface between production systems and the internet, with all its threats and malicious activity.

With traditional endpoint security technology, visibility into how a threat entered the network and its travel path is limited. One reason is that, when a hacker has compromised a device, he is likely to wipe away his criminal traces. Once an attack is discovered, customers want to know what the root cause was, and how it spread. When security teams go back to investigate a breach, the devices look pristine. They do not have enough information to piece the breach together. Now, with endpoint detection and response (EDR) technology, they are finally able to.

EDR works by recording security events on every device connected to the corporate network. These endpoint devices include desktop computers, laptops, smartphones, tablets, thin clients, printers, and specialized hardware such as POS terminals. EDR is the black box of breaches. Some of the recorded events are regular activity; others reveal how the threat inched towards an irreversible catastrophe. When a breach has taken place, EDR enables security teams to play back the infection and understand what happened and how.
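To make the “black box” concrete, here is an added example (constructed sample events; not Trend Micro’s or any product’s code) showing how a recorded parent-child process trail lets an analyst walk an alerted process back to its origin and replay everything that chain did:

```python
"""Added example: how a recorded endpoint event trail supports root-cause
playback. Constructed sample data; not Trend Micro's or any vendor's code."""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Event:
    ts: int        # seconds since boot (constructed)
    pid: int       # process that performed the action
    ppid: int      # its parent, as the sensor recorded it at creation
    image: str     # executable name
    detail: str    # what the process did (constructed descriptions)

# Constructed event stream, oldest first, as an EDR sensor would record it.
EVENTS: List[Event] = [
    Event(100, 4100, 1, "outlook.exe", "process_start user mailbox session"),
    Event(105, 4200, 4100, "winword.exe", "process_start invoice.docm"),
    Event(106, 4300, 4200, "powershell.exe", "process_start encoded command"),
    Event(108, 4300, 4200, "powershell.exe", "net_connect 203.0.113.5:443"),
    Event(110, 4400, 4300, "rundll32.exe", "process_start dropped.dll,Run"),
    Event(112, 4400, 4300, "rundll32.exe", "file_write AppData\\x.exe"),
    Event(120, 4500, 1, "explorer.exe", "process_start unrelated activity"),
]

def creation_index(events: List[Event]) -> Dict[int, Event]:
    """Map each pid to its earliest recorded event (its creation record)."""
    index: Dict[int, Event] = {}
    for e in events:
        index.setdefault(e.pid, e)
    return index

def lineage(events: List[Event], alert_pid: int) -> List[int]:
    """Walk ppid links from the alerted process back to the first process
    the sensor knows about. Cycle-safe; returns pids oldest-first."""
    index = creation_index(events)
    chain, pid = [], alert_pid
    while pid in index and pid not in chain:
        chain.append(pid)
        pid = index[pid].ppid
    return list(reversed(chain))

def root_cause_chain(events: List[Event], alert_pid: int) -> List[str]:
    """Image names along the lineage, e.g. ['outlook.exe', 'winword.exe', ...]."""
    index = creation_index(events)
    return [index[pid].image for pid in lineage(events, alert_pid)]

def playback(events: List[Event], alert_pid: int) -> List[str]:
    """Every recorded action of every process in the lineage, in time order,
    so an analyst can replay the infection step by step."""
    involved = set(lineage(events, alert_pid))
    return [f"{e.ts} {e.image}[{e.pid}] {e.detail}"
            for e in sorted(events, key=lambda e: e.ts) if e.pid in involved]

if __name__ == "__main__":
    print(" -> ".join(root_cause_chain(EVENTS, 4400)))
    print("\n".join(playback(EVENTS, 4400)))
```

The unrelated explorer.exe activity is filtered out of the playback because it is not on the alerted process’s parent chain; a real sensor also has to survive the attacker deleting on-disk traces, which is why the record lives off the device.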

EDR Adoption

As per a global survey by Enterprise Strategy Group, 70% of organizations are already using EDR. Enterprises are always looking for new techniques to protect themselves from increasingly sophisticated malware, and some standalone EDR vendors deliver their detection and response capabilities as part of EDR. To use it effectively, one would require years of training and hands-on experience. Not all companies have a security team that can do that. The downside of EDR is that it is operationally intensive. Combine that with a global skills shortage in cybersecurity and the high level of skill needed to use root cause tools, and many customers can’t keep up with EDR. While EDR tools can be difficult for less experienced operators to use, they can improve overall security efficiency by reducing the time to detect and respond to security incidents.

EDR is crucial for advanced endpoint protection solutions capable of detecting suspicious behaviors at all levels of the computing stack from the device to the user. Another key EDR functionality is that it enables security teams to do proactive threat hunting. As the EDR market matures, Gartner expects feature improvements to focus on increasing the capabilities of the adaptive security architecture to provide more holistic and integrated security capabilities.

EDR from a Security Provider and a User Standpoint

As threats continue to become stealthier and capable of evading traditional cyber defenses, cybersecurity leaders today need a comprehensive enterprise cybersecurity strategy that pre-empts threats, reduces risk, and responds to every regulatory requirement. Security leaders are concerned with increasing complexity in their endpoint environment, compounded by advanced, multistage attacks going beyond typical malware.

Endpoint security suites are now more than ever being tasked with protecting against targeted-style threats that utilize multiple stages involving user interactions, exploit chaining and script-based attacks. As mass threats increase in sophistication, buyers and vendors have begun focusing on behavioral detection with an automatic response. According to Forrester, endpoint security suite customers should look for providers that:

  • Tightly integrate threat prevention, detection, and response
  • Extend visibility and control over a broad endpoint ecosystem
  • Offer flexibility in a variety of environments and risk tolerances

The highest priority for customers is improved detection and response, and hence we’ve integrated these capabilities into our endpoint protection platform to leverage the automation that already exists, which provides enterprises with better-layered protection. For instance, advanced detection capabilities such as behavioral analysis, pre-execution machine learning, run-time machine learning, and vulnerability protection work in concert with other endpoint detection and remediation capabilities.

Customers require a multi-layered approach to endpoint security incorporating tools that combine superior performance with low cost and centralized management. We believe it’s all about delivering the best in threat protection across all endpoints, email, and web, and ensuring that customer data is safe whether it runs in a physical, virtual or hybrid environment. For enterprises that want root cause analysis capabilities on top of their advanced detection and response, an endpoint sensor allows them to query endpoints and build a detailed analysis of how and where advanced attacks occurred. For those enterprises that may not have skilled threat researchers to develop this, we are expanding our MDR services, which are already available in some limited geographies.

EDR is Here to Stay

Although EDR is a complex technology, its overarching benefits will make it indispensable for organizations in this highly connected digital world. Gartner’s predictions validate that EDR is here to stay. Their findings suggest that by 2022, 60% of organizations that leverage endpoint detection and response capabilities will use the endpoint protection solution from the same vendor or managed detection and response (MDR) services.

Hence, for enterprises that are increasingly looking for scalability, strong data management, flexible analytics and open integration, EDR would be a mainstay in the 21st century.


About the Author

Nilesh Jain has headed South East Asia and India Operations for Trend Micro since January 2018; before that he was head of India operations as Managing Director of Trend Micro’s India business. During his stint at Trend Micro, Nilesh has been instrumental in scaling the business through sales management, profitable growth, and adding new customers to the fold.

With over one and a half decades of a successful sales career at Trend Micro, Nilesh has handled Channels, SMB, Enterprise, and Govt segments with equal excellence. As head of the business, Nilesh is responsible for all functions, with foremost emphasis on managing sales operations, profit, and revenue in India and the SEA (Southeast Asia) region.

Disclaimer

Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.



The post The Evolving Role of Endpoint Detection and Response appeared first on CISO MAG | Cyber Security Magazine.

Employee Education Singled Out as the Biggest Weakness During the Pandemic
https://staging-cisomagcom.kinsta.cloud/employee-education-covid-19/
Wed, 04 Nov 2020 15:30:03 +0000

Employee education has been singled out as one of the biggest cybersecurity weaknesses for organizations during the COVID-19 lockdown. According to a Twitter poll by Apricorn, a manufacturer of computer storage products, nearly 30% of employees admit to using unencrypted devices. More than 30% of respondents also singled out employee education as the biggest area where companies needed to make changes to improve their cybersecurity posture.

Other Areas of Weakness include:
  • Updates to hardware (29%)
  • Endpoint control (21%)
  • Enforcing encryption (19%)

Kurt Markley, Director of Sales at Apricorn, commented, “Employees have a critical role to play in their organization’s cybersecurity processes, from recognizing the tools required, through to the policies in place to protect sensitive data. Whether it be through the delivery of awareness programs or ongoing training, establishing a culture of security within the workforce is essential.” He continued:

“Endpoint security is critical, and deploying removable storage devices with built-in hardware encryption, for example, will ensure all data can be stored or moved around safely offline. Even if the device is lost or stolen, the information will be unintelligible to anyone not authorized to access it.”


Several respondents also highlighted that they weren’t fully prepared to work at home securely and productively: nearly 18% of respondents felt they didn’t have the right tools and technology, while 16% admitted to being completely ignorant of it.

Markley highlighted that COVID-19 may have improved productivity among employees, but that without the right tools and technology this can easily backfire. He also highlighted that with more than 60% of employees planning to work remotely, the threat landscape may continue to widen.

According to Jon Fielding, Managing Director, EMEA at Apricorn, “IT and security teams had to scramble to respond to this crisis and in doing so, left a lot of companies wide open to breach. Nine months into employees working remotely, some know already that they have been attacked. Others think they may have been but can’t be sure. In the same way that we had to learn how to protect ourselves from illness and modify our behavior, we had to also learn how to protect our data outside of the firewall and more importantly, to remain vigilant about it.”


The post Employee Education Singled Out as the Biggest Weakness During the Pandemic appeared first on CISO MAG | Cyber Security Magazine.
