Good Non-Human Identity Governance Means Maturing Your Enterprise Secrets Management

Learn why enterprise secrets management is a key component to building a robust non-human identity governance model and is required for securing the whole organization.

When you think of identity and access management (IAM), you traditionally think of humans. We’ve been managing human access for decades and are getting progressively better at it. The cycle of onboarding a new employee or user, giving them access to the systems they need, and eventually safely offboarding them has a well-established set of best practices. The IAM tooling vendors reinforce these governance policies for a good reason: they work.

Today, the enterprise is in a new era. Non-human identities (NHIs) outnumber human identities by a ratio of at least 50 to one. Some estimates put it as high as 100 to one in 2025. It is easy to find consensus that we should do something about NHIs: the growing number of breaches and leaks stemming from poor machine identity management, particularly credential management, means we need to find a better path. The question a lot of leaders are asking themselves now is, “What does a good Non-Human Identity governance model look like, and how do we navigate our organizations there?”

The overlapping path of secrets management

There is one element of NHI management that has been studied for a while now: credential management. All NHIs need a way to authenticate, and the governance for storing and using those secrets is definitely part of the larger NHI story. Research into how companies evolve their secrets security practices produced the Secrets Management Maturity Model.

The model describes organizations transitioning from Level 0, where no secrets security is in place, to Level 3, where enterprise vault technology becomes the standard, and secrets detection is automated at every level of the SDLC, including on the developer’s machine. The most mature organizations at Level 4 are working to remove credentials as much as possible, moving to alternative authentication and authorization strategies for their services and data. 

Secrets Management Maturity Level 0

Companies at the beginning of their journey don’t consistently implement controls around secrets. If they do, the controls amount to simple ENV files passed around in plain text. All too often, plaintext credentials are hardcoded into the code itself.

Secrets Management Maturity Level 1-2

As companies mature, secrets management becomes more of a recognized problem. We see the wider adoption of secret management tools, especially those built into cloud platforms like AWS, Azure, or Google Cloud. As long as a company standardizes on the same cloud provider for everything, these work well for putting your secrets somewhere safe, encrypted at rest, and programmatically addressable when needed. The adoption of secret discovery tools to continually find hardcoded credentials in code or surrounding systems has become commonplace, and developer tools to prevent secrets from being leaked in the first place have been introduced. All rotation and remediation efforts are still manual and reactive.

Secrets Management Maturity Level 2-3

Cross-platform centralized vault systems to properly store and manage secrets, such as HashiCorp Vault, Conjur by CyberArk, and Akeyless, get adopted at this stage. Automation becomes one of the main goals, particularly around credential rotation. The developers are involved early and throughout the remediation process as well.

Secrets Management Maturity Level 4

The most mature organizations actually seek to remove credentials as much as possible. Teams move to alternative authentication and authorization strategies for their services and data. These companies establish policies for rapid, possibly automated, remediation, which is only possible with a sophisticated toolchain leveraged by coordinated teams across the entire organization.

Non-Human Identity Governance Maturity

While secrets management maturity gives us a solid base model and addresses one of the more serious security control concerns, it is not the whole story of NHI governance. We will need to think more broadly than just the storage and retrieval of the secrets and think about the entire life cycle, ownership, and risk management of our NHIs. But we need to start somewhere.

The first step in any threat modeling or organizing exercise is the deceptively simple act of understanding what you have. Did you keep track of when your NHIs were introduced? Is there a dashboard or spreadsheet listing them all? While there are a lot of ways you can approach this, one method is to properly map what secrets exist and understand how they are used.

Once all of your secrets are discovered, it’s time to enforce a centralized, observable system to keep track of them, ideally in an enterprise secrets vault. A good secrets management platform can track when an NHI’s credential is created and when it’s rotated. It can report on what permissions the NHI holds. It can show when a credential was used and what it connects to. Ultimately, it can help you audit when a key is decommissioned.

It is critical to have this data before we think about broader policies for governance at scale.
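The lifecycle data listed above (creation, rotation, permissions, last use, target system, decommissioning) plus an owner field can be audited mechanically. The following is an added example, not code from the article or from any vendor; the record layout, the 90-day rotation and 30-day idle thresholds, and the inventory entries are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy thresholds; set these from your own rotation and usage policy.
MAX_SECRET_AGE = timedelta(days=90)
MAX_IDLE = timedelta(days=30)


@dataclass
class NHICredential:
    """One inventory row per non-human identity credential (hypothetical schema)."""
    name: str
    owner: Optional[str]              # accountable team, None if nobody claimed it
    created: datetime
    last_rotated: Optional[datetime]  # None means never rotated since creation
    last_used: Optional[datetime]     # None means no recorded use
    permissions: tuple
    connects_to: str
    decommissioned: Optional[datetime] = None


def audit(cred, now):
    """Return the governance findings for a single credential."""
    findings = []
    if cred.decommissioned is not None:
        # A retired credential should never authenticate again.
        if cred.last_used is not None and cred.last_used > cred.decommissioned:
            findings.append("used-after-decommission")
        return findings
    if not cred.owner:
        findings.append("no-owner")
    # Age of the secret material counts from the last rotation, else creation.
    if now - (cred.last_rotated or cred.created) > MAX_SECRET_AGE:
        findings.append("rotation-overdue")
    # Unused credentials are candidates for decommissioning.
    if cred.last_used is None or now - cred.last_used > MAX_IDLE:
        findings.append("idle")
    if any(p == "admin" or p.endswith("*") for p in cred.permissions):
        findings.append("broad-permissions")
    return findings


def audit_inventory(inventory, now):
    """Map credential name -> findings, omitting credentials with none."""
    report = {c.name: audit(c, now) for c in inventory}
    return {name: found for name, found in report.items() if found}


def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample inventory; names, teams and targets are illustrative only.
NOW = day(2025, 4, 23)
INVENTORY = [
    NHICredential("ci-deploy-token", "platform-team", day(2024, 1, 10),
                  day(2025, 3, 1), day(2025, 4, 22),
                  ("deploy:write",), "artifact-registry"),
    NHICredential("legacy-db-svc", None, day(2023, 6, 1),
                  None, day(2025, 4, 20),
                  ("db:*",), "orders-db"),
    NHICredential("report-export-key", "data-team", day(2025, 2, 1),
                  None, day(2025, 2, 10),
                  ("reports:read",), "reporting-api"),
    NHICredential("old-backup-key", "infra-team", day(2022, 1, 1),
                  day(2024, 6, 1), day(2025, 3, 2),
                  ("backup:read",), "backup-store",
                  decommissioned=day(2025, 1, 15)),
]

if __name__ == "__main__":
    for name, found in audit_inventory(INVENTORY, NOW).items():
        print(f"{name}: {', '.join(found)}")
```

A finding such as used-after-decommission is only detectable when usage and decommission timestamps live in the same system, which is the argument for a centralized, observable store.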

Ownership is key

Once your NHIs are mapped and understood, we must address the daunting question of risk ownership. Who should own NHIs in the organization is a subject of much debate. Is it the developer who initially introduces the machine identity into the ecosystem? Is it the DevOps or Platform team who will need to utilize the secret for builds and deployments? Is it the security team, who is on the hook for breaches and incident response?

Today there is no clear consensus in the tech community on who actually should own this. Every company navigates this independently and comes to its own conclusions. No matter who gets ownership responsibility, they will only be successful if they are armed with the right data and insights into their systems.

Evolving IAM To Account For NHIs

The largest and most mature organizations have begun to account for NHIs as part of the overall IAM landscape. This trend will continue for the rest of the industry and at an accelerated pace. The NHI tooling market, which is rapidly emerging, is reacting to more and more leaders looking for a clear and sane way ahead.

Understanding the global lifecycle management of all your NHIs at scale is something that’s going to take a lot of work and alignment across organizations. This goes beyond anything that Security, IT, or DevOps can handle alone or without buy-in from the whole organization.

 


Author Bio

GitGuardian Security Advocate – Dwayne has been working as a Developer Relations professional since 2016 and has been involved in the wider tech community since 2005. He loves sharing his knowledge.

The post Good Non-Human Identity Governance Means Maturing Your Enterprise Secrets Management first appeared on Cybersecurity Insiders.


Saudi Cyber Innovation: Redefining SOC Operations

Launch of COGNNA at RSA 2025

Security teams today face an unstoppable challenge—one that isn’t just about technology but about operational endurance. For years, SOC analysts have been inundated with alerts, struggling with fragmented tools and siloed systems that require constant manual oversight. The cybersecurity market has responded with a flood of automation solutions. Yet, many fail to bridge the fundamental gap: the need for a truly unified, intelligence-first approach that reduces noise without losing critical insights.

This problem isn’t unique to any one region or industry—it’s a global crisis in cybersecurity effectiveness. Yet, Saudi Arabia’s emerging leadership in the cybersecurity sector brings a fresh perspective, challenging legacy assumptions about how a SOC should operate.

Saudi Arabia’s Role 

Saudi Arabia is becoming a key player in cybersecurity innovation, driven by national security imperatives within the Kingdom, supported by large-scale investments in AI-led security solutions. This approach isn’t just theoretical—it’s being put into practice with Saudi-backed cybersecurity initiatives that integrate deep telemetry, real-time threat analysis, and AI-driven investigations. 

The Kingdom’s emphasis on scalable, compliance-ready security frameworks also reflects a broader industry need: to shift security operations centres (SOCs) away from reactive alert handling and toward autonomous, guided security operations.

Why the U.S. Market Matters

As one of the most targeted cybersecurity landscapes, the United States plays a crucial role in validating next-generation security operations centre (SOC) architectures. Enterprises operating within the U.S. face relentless cyber threats, regulatory pressures, and increasing complexity across multi-cloud environments. Yet, many still rely on legacy SOC models that struggle to scale with modern attack surfaces.

Bringing Saudi-developed cybersecurity innovations into the U.S. market offers a unique opportunity to challenge entrenched inefficiencies and accelerate the shift toward proactive security. By adopting modular, AI-driven Security Operations Centre (SOC) frameworks, U.S. enterprises can move beyond outdated incident response models and embrace a future where security operations are driven by contextual intelligence, not just overwhelming volumes of data.

Introducing COGNNA

COGNNA was founded by Ibrahim Alshamrani, CEO, and Ziyad Alshehri, CTO, in 2022. Since then, it has become a leader in the Kingdom with the development of its intelligence-first SOC architecture. Unlike legacy or fragmented SOC solutions, COGNNA’s modular platform merges deep telemetry, autonomous investigations, and guided response into a seamless workflow—eliminating operational silos and enabling security teams to act with complete clarity. 

Designed with flexibility in mind, its architecture adapts to diverse security needs, from multi-tenant MSSPs to regulated financial enterprises. By integrating AI-driven threat analysis and contextual automation, COGNNA doesn’t just detect anomalies—it refines and elevates security insights so organizations can prioritize and respond with confidence.

The Future of SOC Innovation

The launch of COGNNA’s Nexus platform in the USA at RSA 2025 means that American companies will now have access to intelligence-driven, adaptable SOC solutions with AI at their core, helping security analysts within SOCs evolve from siloed, fragmented responses to unified action.

Saudi Arabia is playing a role in shaping the cybersecurity market. Its expertise, combined with the U.S. market’s demand for scalable and analyst-friendly solutions, sets the stage for a more resilient cybersecurity future. The question is no longer whether AI will enhance SOC operations—it’s how quickly organizations will embrace the shift toward intelligence-first security.

COGNNA will showcase the Nexus platform at the Saudi Arabia Pavilion in collaboration with the National Cybersecurity Authority (NCA), Booth 760 in the South Expo.

 

The post Saudi Cyber Innovation: Redefining SOC Operations first appeared on Cybersecurity Insiders.


Attackers hit security device defects hard in 2024

Attackers are having a field day with software defects in security devices, according to a new report released Wednesday by Mandiant.

Exploits were the most common initial infection vector, representing 1 of every 3 attacks in 2024, and the four most frequently exploited vulnerabilities were all contained in edge devices, such as VPNs, firewalls and routers, Mandiant said in its M-Trends report released Wednesday.

“Exploitation of these vulnerabilities represented slightly less than half of all observed vulnerability exploitation,” said Kirstie Failey, principal threat analyst at Google Threat Intelligence Group, under which the Mandiant brand operates.

Threat researchers and federal cyber authorities have been sounding the alarm about attacks targeting network edge devices for more than a year. Since 2024, security device exploits have resulted in attacks on government agencies and some of the most valuable publicly-traded companies in the world.

These lightweight devices and services are designed to improve defenses and prevent intrusions. Yet, because they don’t typically support third-party software, including endpoint detection and response capabilities, organizations are often caught off-guard when attackers gain access to their networks through a highly-privileged system.

“Three of the four vulnerabilities were first exploited as zero-days,” Mandiant said in the report. “While a broad selection of threat actors have recently targeted edge devices, Mandiant also specifically noted an increase in targeting from Russian and Chinese cyber espionage actors.”

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS, CVE-2024-3400, was the most frequently exploited defect across all of Mandiant’s incident response engagements last year. Mandiant said it observed one threat group exploit it as a zero-day, but malicious activities quickly escalated soon after.

Mandiant observed over a dozen threat groups exploiting the vulnerability within two weeks after Palo Alto Networks disclosed the CVE and published a proof-of-concept exploit code in April 2024. Among these was a Ransomhub affiliate, which used the vulnerability — rated a 10 on the CVSS scale — to gain initial access to organizations’ systems and launch a multifaceted extortion campaign.

The next most frequently exploited vulnerabilities in 2024 belong to a pair of defects — CVE-2023-46805 and CVE-2024-21887 — affecting Ivanti Connect Secure VPN and Ivanti Policy Secure appliances, according to Mandiant. Ivanti disclosed the vulnerabilities in January, a month after UNC5221, a suspected China state-sponsored espionage group, exploited the vulnerabilities in the wild as zero-days.

Attackers achieved unauthenticated arbitrary command execution on systems by chaining the vulnerabilities together, Mandiant said in the report.

By mid-January 2024, Mandiant observed UNC5135, a group with suspected links to Volt Typhoon, scanning Ivanti Connect Secure appliances but did not observe successful exploitation. Eight distinct clusters, including five suspected Chinese espionage groups, exploited one or more of the Ivanti vulnerabilities, including a third defect tracked as CVE-2024-21893 by April 2024.

An SQL injection vulnerability in Fortinet’s FortiClient Endpoint Management Server, CVE-2023-48788, was the fourth-most frequently exploited vulnerability across all of Mandiant’s incident response engagements last year. 

A financially-motivated threat group exploited the vulnerability within two weeks of Fortinet’s disclosure in March 2024. At the back end of the year, in October and November, another financially motivated threat group tracked as FIN8 exploited the vulnerability to deploy ransomware and steal data.

“Mandiant observed dozens of organizations impacted by exploitation of these vulnerabilities, and our observations are almost certainly only a small fraction of the total number of organizations affected by this activity,” said Kelli Vanderlee, senior manager at Google Threat Intelligence Group. “These campaigns affected organizations across at least 13 industries, located in four different continents.”

Ransomware accounted for 21% of all Mandiant incident response activities last year. These ransomware-related attacks affected organizations in healthcare, local government, energy, technology, education and finance across the Americas, Europe, the Middle East, Asia Pacific and Japan, researchers said in the report.

Brute-force attacks, including password spraying, VPN compromise via default credentials and high-volume remote desktop protocol login attempts, were the most common initial access vector for ransomware attacks last year. Mandiant linked 26% of ransomware attacks to brute-force methods, 21% to stolen credentials, another 21% to exploits, 15% to prior compromise and 10% to third-party compromise.

Mandiant noted that potential deficiencies in enterprise logging and detection capabilities likely contributed to a considerable blind spot with respect to initial access vectors. The incident response firm was unable to determine an initial access vector for 34% of all intrusions.

Mandiant said its annual M-Trends report is based on 450,000 hours of incident response engagements throughout 2024.

The post Attackers hit security device defects hard in 2024 appeared first on CyberScoop.


DOGE Worker’s Code Supports NLRB Whistleblower

A whistleblower at the National Labor Relations Board (NLRB) alleged last week that denizens of Elon Musk’s Department of Government Efficiency (DOGE) siphoned gigabytes of data from the agency’s sensitive case files in early March. The whistleblower said accounts created for DOGE at the NLRB downloaded three code repositories from GitHub. Further investigation into one of those code bundles shows it is remarkably similar to a program published in January 2025 by Marko Elez, a 25-year-old DOGE employee who has worked at a number of Musk’s companies.

A screenshot shared by NLRB whistleblower Daniel Berulis shows three downloads from GitHub.

According to a whistleblower complaint filed last week by Daniel J. Berulis, a 38-year-old security architect at the NLRB, officials from DOGE met with NLRB leaders on March 3 and demanded the creation of several all-powerful “tenant admin” accounts that were to be exempted from network logging activity that would otherwise keep a detailed record of all actions taken by those accounts.

Berulis said the new DOGE accounts had unrestricted permission to read, copy, and alter information contained in NLRB databases. The new accounts also could restrict log visibility, delay retention, route logs elsewhere, or even remove them entirely — top-tier user privileges that neither Berulis nor his boss possessed.

Berulis said he discovered one of the DOGE accounts had downloaded three external code libraries from GitHub that neither NLRB nor its contractors ever used. A “readme” file in one of the code bundles explained it was created to rotate connections through a large pool of cloud Internet addresses that serve “as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.” Brute force attacks involve automated login attempts that try many credential combinations in rapid sequence.

A search on that description in Google brings up a code repository at GitHub for a user with the account name “Ge0rg3” who published a program roughly four years ago called “requests-ip-rotator,” described as a library that will allow the user “to bypass IP-based rate-limits for sites and services.”

The README file from the GitHub user Ge0rg3’s page for requests-ip-rotator includes the exact wording of a program the whistleblower said was downloaded by one of the DOGE users. Marko Elez created an offshoot of this program in January 2025.

“A Python library to utilize AWS API Gateway’s large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing,” the description reads.

Ge0rg3’s code is “open source,” in that anyone can copy it and reuse it non-commercially. As it happens, there is a newer version of this project that was derived or “forked” from Ge0rg3’s code — called “async-ip-rotator” — and it was committed to GitHub in January 2025 by DOGE captain Marko Elez.

The whistleblower stated that one of the GitHub files downloaded by the DOGE employees who transferred sensitive files from an NLRB case database was an archive whose README file read: “Python library to utilize AWS API Gateway’s large IP pool as a proxy to generate pseudo-infinite IPs for web scraping and brute forcing.” Elez’s code pictured here was forked in January 2025 from a code library that shares the same description.

A key DOGE staff member who gained access to the Treasury Department’s central payments system, Elez has worked for a number of Musk companies, including X, SpaceX, and xAI. Elez was among the first DOGE employees to face public scrutiny, after The Wall Street Journal linked him to social media posts that advocated racism and eugenics.

Elez resigned after that brief scandal, but was rehired after President Donald Trump and Vice President JD Vance expressed support for him. Politico reports Elez is now a Labor Department aide detailed to multiple agencies, including the Department of Health and Human Services.

“During Elez’s initial stint at Treasury, he violated the agency’s information security policies by sending a spreadsheet containing names and payments information to officials at the General Services Administration,” Politico wrote, citing court filings.

KrebsOnSecurity sought comment from both the NLRB and DOGE, and will update this story if either responds.

The NLRB has been effectively hobbled since President Trump fired three board members, leaving the agency without the quorum it needs to function. Both Amazon and Musk’s SpaceX have been suing the NLRB over complaints the agency filed in disputes about workers’ rights and union organizing, arguing that the NLRB’s very existence is unconstitutional. On March 5, a U.S. appeals court unanimously rejected Musk’s claim that the NLRB’s structure somehow violates the Constitution.

Berulis’s complaint alleges the DOGE accounts at NLRB downloaded more than 10 gigabytes of data from the agency’s case files, a database that includes reams of sensitive records including information about employees who want to form unions and proprietary business documents. Berulis said he went public after higher-ups at the agency told him not to report the matter to the US-CERT, as they’d previously agreed.

Berulis told KrebsOnSecurity he worried the unauthorized data transfer by DOGE could unfairly advantage defendants in a number of ongoing labor disputes before the agency.

“If any company got the case data that would be an unfair advantage,” Berulis said. “They could identify and fire employees and union organizers without saying why.”

Marko Elez, in a photo from a social media profile.

Berulis said the other two GitHub archives that DOGE employees downloaded to NLRB systems included Integuru, a software framework designed to reverse engineer application programming interfaces (APIs) that websites use to fetch data; and a “headless” browser called Browserless, which is made for automating web-based tasks that require a pool of browsers, such as web scraping and automated testing.

On February 6, someone posted a lengthy and detailed critique of Elez’s code on the GitHub “issues” page for async-ip-rotator, calling it “insecure, unscalable and a fundamental engineering failure.”

“If this were a side project, it would just be bad code,” the reviewer wrote. “But if this is representative of how you build production systems, then there are much larger concerns. This implementation is fundamentally broken, and if anything similar to this is deployed in an environment handling sensitive data, it should be audited immediately.”

Further reading: Berulis’s complaint (PDF).

from Krebs on Security https://ift.tt/3f2WP9U

Lattica Emerges from Stealth to Solve AI’s Biggest Privacy Challenge with FHE

Tel Aviv, Israel, April 23rd, 2025, CyberNewsWire

Lattica, an FHE-based platform enabling secure and private use of AI in the cloud, has emerged from stealth with $3.25 million in pre-seed funding. The round was led by Konstantin Lomashuk’s Cyber Fund, with participation from angel investor Sandeep Nailwal, co-founder of Polygon Network and Sentient: The Open AGI Foundation, among others.

Lattica’s technology represents a critical new standard for industries such as healthcare, finance, and government sectors, where data privacy and security concerns have limited AI adoption. According to Cisco’s 2025 AI Briefing: CEO Edition, 70% of CEOs surveyed admitted being concerned about the state of their networks due to the rising adoption of AI, with 34% citing security as a major barrier to adoption. 

Fully Homomorphic Encryption (FHE) – the “holy grail” of cryptography in the last decade – ensures all communication between AI providers and end users remains encrypted, without needing to decrypt it, but due to longstanding computational inefficiencies, FHE has yet to be widely adopted. By capitalizing on the latest breakthroughs in the AI acceleration stack, Lattica leverages advanced acceleration techniques to operationalize FHE. 

Led by founder and CEO, Dr. Rotem Tsabary, who holds a PhD in lattice-based cryptography from the Weizmann Institute of Science, Lattica takes advantage of the foundational mathematical similarities between FHE and machine learning to offer a hardware-agnostic, cloud-based platform that utilizes FHE to deliver secure and private use of AI.

A key differentiator powering Lattica’s solution is its Homomorphic Encryption Abstraction Layer (HEAL), which enhances FHE performance and standardizes its acceleration. A cloud-based service, HEAL serves as a universal bridge connecting FHE applications and AI algorithms across a diverse range of hardware, including GPUs, TPUs, and CPUs, as well as dedicated accelerators like ASICs and FPGAs.

“By combining the advancements of hardware acceleration with software-based optimization, we realized that not only could we improve FHE efficiency to the point of commercial viability, but use it to solve critical data dilemmas holding back AI’s adoption in sensitive industries,” said Dr. Rotem Tsabary, founder and CEO of Lattica. “We’re enabling practical FHE by developing a solution that is tailor made for neural networks.”

As part of its emergence from stealth, Lattica has made demos of the platform available on its website, alongside insights from an in-depth survey within the FHE community. Survey results validate Lattica’s approach, revealing that a majority (71%) of respondents believe FHE adoption will be achieved through a combination of hardware and software. 

“Lattica is pushing the boundaries of Fully Homomorphic Encryption, solving one of the most critical challenges in AI security,” said Konstantin Lomashuk, Managing Partner at Cyber Fund. “Cyber Fund is proud to have led Lattica’s pre-seed round. This is the kind of deep-tech innovation that defines the future, and we’re excited to see Lattica leading the way.”

Lattica’s focus on healthcare and finance further underscores the platform’s relevance, with potential applications in secure data analysis for medical research and encrypted financial transactions.

“Lattica’s product-first approach fundamentally transforms sensitive data processing in the AI ecosystem,” said Sandeep Nailwal, co-founder of Polygon Network and investor in Lattica. “Lattica has made FHE a reality that is both practical and scalable, as Tsabary and her research team are proving that advances in the machine learning stack can significantly boost the performance of FHE and have an immediate impact on the market.”

About Lattica

Lattica enables querying AI models with Fully Homomorphic Encryption, offering FHE as a hardware-agnostic, cloud-based service. The platform leads in scientific innovation by ensuring that user queries remain encrypted throughout the entire machine learning inference process. Lattica’s Homomorphic Encryption Abstraction Layer (HEAL) connects FHE applications, algorithm implementations, and diverse hardware backends, making secure AI computation as accessible as traditional cloud-based AI services. The company is headquartered in Tel Aviv. For more information, users can visit www.lattica.ai.

Contact

Jordan Chaim
InboundJunction
jordan@inboundjunction.com

The post Lattica Emerges from Stealth to Solve AI’s Biggest Privacy Challenge with FHE first appeared on Cybersecurity Insiders.


AI can help defenders stop nation-state threat actors at machine speed

Last year, the escalating concerns about Chinese threat actors breaching U.S. organizations reached a crescendo as federal authorities issued increasingly urgent advisories about China’s “Typhoon” groups infiltrating U.S. networks, pressing organizations to take immediate action.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) warned that these groups were engaged in a host of massive intrusions, ranging from infiltrating telecommunications networks and sensitive law enforcement communication platforms to prepositioning themselves on critical infrastructure networks in order to destroy or disrupt services.

Since late January, however, the U.S. government has issued few alerts about Chinese or other nation-state advanced persistent threat actors (APTs), including Russia, North Korea, and Iran. Experts say that despite the lack of warnings, it is more important than ever to stay alert against these groups, particularly given that rapidly developing artificial intelligence (AI) technologies have enabled defenders to spot these threat actors at machine speed and stop them in their tracks.

“Your ability to respond quickly is really important,” Alex Stamos, CISO at SentinelOne, told CyberScoop. “You can’t spend fifteen, twenty minutes for your security operations center analyst to go to the bathroom and then come back and look at an alert and to make a decision because the threat actors are already ten steps ahead of you.”

“Chinese threat actors are going for very large-scale operations,” Alon Schindel, VP of AI and threat research at Wiz, told CyberScoop. “AI can empower cybersecurity teams to walk faster and reduce the number of issues. You can reduce the remediation time. That’s the thing.”

AI brings it all together

Experts emphasize that AI’s real value in identifying and halting sophisticated threat actors lies in its capacity to process vast amounts of information across an organization’s tech surface. It can then correlate that data to identify and potentially thwart suspicious behavior swiftly. 

“AI is there to augment your efforts by tying in a lot of the disparate context or the context that’s lacking between different siloed systems,” Cristian Rodriguez, Americas Field CTO at CrowdStrike, told CyberScoop. “We are firm believers that AI helps bridge that gap across disparate data sources so that contextually there’s a better understanding of the steps that an adversary needs to take to be successful in their tradecraft.”

“To help and try to understand whether it is a real attack or whether it is just some other activity, whether it’s a false positive alert by a security product, you can use the context that you have from your actual production environment, from your code, and the threat detection products,” Schindel said. “You can feed an LLM with all this information, and within a few seconds, you can get a conclusion with a high level of confidence, whether it is a real attack or whether it is just a false positive or maybe some ordinary activity in your environment.”

Before AI, defenders had massive amounts of information compiled in different locations with little ability to tie events together occurring in different log sources across the tech stack. The logs did not traditionally go into a repository “that allows for hyper scaling and hyper analysis of what those data points mean when they’re put together,” Stamos said.

The cloud nexus is critical

Most experts agree that the increasing adoption of cloud-based technologies is central to the problem of disparate data sources. As information moves between cloud and on-premises systems, it creates more avenues for threat actors to move around laterally within an organization.

“Very few companies have visibility across their cloud infrastructure and their on-premise tech in a way where they see all of it at the same time and detect and track a threat actor in real time across all of those different environments,” Stamos said. “And very few companies can respond fast enough.”

According to Stamos, this lack of visibility specifically benefits Chinese threat actors, notably in the Microsoft-based systems that dominate the enterprise sector’s cloud, security, and operating systems. “What [Chinese threat actors] have gotten very good at is chaining vulnerabilities across those three areas,” he said. “For example, you can have a cloud entry point where they can brute force a username and password.”

“That’s something that’s not getting logged, not getting alerted on,” Stamos said. “And so, they can just brute force for days until they find a user password pair that works for them and then use that against the VPN tied to Microsoft Active Directory, and then get onto the domain controller. Now, they can do a traditional domain controller attack. That’s not something you can do in the cloud; that’s only local.”

The combination of cloud-based technologies and stolen identities is at the crux of where AI can start shedding light on intrusions in a way that genuinely helps defenders. “AI can start to bring context around what are outliers within things like login attempts,” CrowdStrike’s Rodriguez said. 

“Using legitimate credentials to get into your environment in lieu of having to use malware, for example, which is very noisy,” is how most unauthorized intrusions occur, Rodriguez added. “AI can act as that opportunity for analysts to scale themselves across these large data sets to contextually understand outliers for login attempts and outliers for authorization across applications. Think of identity, think of what’s happening on your endpoints, and what happens in your cloud workloads. Those are all major data sources a defender must use when responding or analyzing an attack.”
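The chain described above (repeated cloud sign-in failures, a working credential, then a VPN login with the same account) only becomes visible when both log sources are read together. The following is an added example, not code from the article or any vendor quoted in it; the event fields, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): (timestamp, user, source_ip, result)
CLOUD_SIGNINS = (
    [(f"2025-01-10T02:{m:02d}:00", "svc-backup", "203.0.113.7", "fail") for m in range(6)]
    + [("2025-01-10T02:06:00", "svc-backup", "203.0.113.7", "success"),
       ("2025-01-10T08:55:00", "alice", "198.51.100.20", "fail"),      # one typo, then success
       ("2025-01-10T08:56:00", "alice", "198.51.100.20", "success")]
    + [(f"2025-01-10T04:{m:02d}:00", "bob", "203.0.113.7", "fail") for m in range(8)]
)
VPN_LOGINS = [
    ("2025-01-10T03:15:00", "svc-backup", "203.0.113.7", "success"),
    ("2025-01-10T09:00:00", "alice", "198.51.100.20", "success"),
]


def brute_forced_accounts(signins, min_failures=5):
    """Map user -> time of the first success preceded by >= min_failures failures."""
    failures = defaultdict(int)
    hits = {}
    for ts, user, _ip, result in sorted(signins):  # ISO timestamps sort chronologically
        if result == "fail":
            failures[user] += 1
        elif result == "success":
            if failures[user] >= min_failures and user not in hits:
                hits[user] = datetime.fromisoformat(ts)
            failures[user] = 0  # a success resets the failure streak
    return hits


def correlate(signins, vpn_logins, min_failures=5, window=timedelta(hours=24)):
    """Flag VPN logins by accounts whose cloud credential was just guessed."""
    hits = brute_forced_accounts(signins, min_failures)
    findings = []
    for ts, user, ip, result in sorted(vpn_logins):
        if result != "success" or user not in hits:
            continue
        delta = datetime.fromisoformat(ts) - hits[user]
        if timedelta(0) <= delta <= window:
            findings.append({
                "user": user,
                "vpn_ip": ip,
                "cloud_success": hits[user].isoformat(),
                "vpn_login": ts,
            })
    return findings


if __name__ == "__main__":
    for finding in correlate(CLOUD_SIGNINS, VPN_LOGINS):
        print(finding)
```

Neither log source flags the account on its own here: the cloud side shows a noisy but eventually successful sign-in, and the VPN side shows an ordinary login.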

Warning: AI systems themselves need protection

As beneficial as AI technologies might be in identifying and thwarting threat actors, experts warn that new LLM models and other AI technologies that defenders use to protect assets are themselves prized targets of threat actors. Even worse, these AI technologies can leak organizational secrets.

Chinese threat actors are “targeting these AI companies directly for their intellectual property, whether it’s ChatGPT, Gemini, all these new models,” Wiz’s Schindel said. “They are trying to steal information and then build their own versions that are based on what they stole as part of their threat operations.”

For some of these threat actors, “especially coming out of China and even North Korea, not only are they looking for or using identities, but they’re also looking for these custom large language models or any type of generative AI that you may be hosting within your own cloud services,” CrowdStrike’s Rodriguez said.

“The adversary is looking for misconfigured large language models and any type of other genAI that you may be hosting in your cloud because that can also act as an exfiltration point if they were to access those systems,” he added. “And you’ve inadvertently put sensitive information or IP into those systems. They can ultimately use some prompt engineering or even access to misconfigurations within those models to exfiltrate sensitive data.”

What can defenders do?

According to Stamos, very few organizations are currently using AI in a way that prepares them to tackle threats from sophisticated adversaries and provide real-time intervention. “Out of the Fortune 500, there are maybe 150 to 200 companies playing at that level,” he said.

Stamos said organizations “need to gather as much security telemetry as possible and have it in one data lake that can be queried quickly in real time. You’ve got to do that plumbing, and that’s hard.”

Rodriguez advises organizations to “secure your identities. That is number one. Ensure that you understand the identities that you have for these services, have things like multifactor authentication, and [see to it] that the privileges for these identities are regularly assessed to ensure that you’re not overextending access to any single or handful of identities within environments that are sitting in the cloud, for example.”

Even though using AI to battle Chinese and other threat actors is a complex and high-level task that might need experienced AI engineers to implement, Schindel says that most organizations can easily start the process without this kind of scarce talent. “The only thing you need is someone enthusiastic about AI on your team,” he said. “They don’t necessarily have any significant background with AI, just someone who can use it. These models are easy to use.”

The post AI can help defenders stop nation-state threat actors at machine speed appeared first on CyberScoop.

from CyberScoop https://ift.tt/VhbPvJC

Essentials to Gain 100% Cybersecurity Success: A Comprehensive Approach

In this increasingly digital world, cybersecurity has become more than just an IT concern; it’s a critical aspect of every business’s strategy and operations. With the rise of cyber threats—ranging from ransomware and phishing to insider threats and advanced persistent threats (APTs)—securing your digital infrastructure is no longer optional, but a necessity.

While no system can guarantee 100% security (given the ever-evolving nature of cyber threats), there are essential strategies and practices that can significantly reduce the risk and strengthen your cybersecurity posture. Achieving “100% cybersecurity success” means taking a holistic, multi-layered approach that focuses on prevention, detection, response, and continuous improvement.

Here’s a detailed look at the essentials to achieve a near-total cybersecurity defense:

1. A Robust Cybersecurity Framework: Build from the Ground Up

To lay the foundation for comprehensive cybersecurity, it’s crucial to adopt a well-established cybersecurity framework. Frameworks like NIST (National Institute of Standards and Technology), ISO 27001, and CIS Controls are designed to guide organizations in building and maintaining secure systems and processes. These frameworks offer structured methodologies for protecting digital assets, setting clear guidelines on policies, procedures, and technologies necessary for cybersecurity success.

Key Areas:
•    Risk management and assessment
•    Data protection and privacy
•    Incident response protocols
•    Network security controls

Implementing these frameworks ensures that your organization’s cybersecurity strategy is both comprehensive and effective, addressing threats from multiple angles.

2. Employee Awareness and Training: The Human Element

One of the most vulnerable points in any cybersecurity strategy is the human element. Employees are often the weakest link in the chain, falling victim to phishing scams, social engineering tactics, or careless handling of sensitive data.

Employee training and awareness are fundamental to preventing breaches. Regular training sessions should be conducted to educate staff about:

•    Recognizing phishing emails
•    Best practices for password management
•    How to identify and avoid social engineering tactics
•    Data protection protocols and compliance regulations (like GDPR)

3. A Multi-Layered Defense Strategy: Defense in Depth

A successful cybersecurity strategy requires multiple layers of defense. This defense-in-depth approach ensures that even if one layer is breached, others will still protect critical assets. Implementing several layers of security reduces the risk of a successful attack.

Core Layers Include:

•    Firewalls and Network Security: These are the first line of defense against external threats. Modern firewalls should be capable of inspecting traffic for malicious activity and blocking threats in real-time.
•    Endpoint Protection: All devices connected to your network, such as laptops, smartphones, and servers, need to be protected with antivirus software and endpoint detection and response (EDR) systems.
•    Encryption: Encrypting sensitive data, both at rest and in transit, is crucial for ensuring that even if data is intercepted, it cannot be accessed or tampered with.
•    Access Controls: Implementing zero-trust architecture, where every user and device is continuously validated, ensures that only authorized individuals can access critical systems.

4. Incident Detection and Response: Plan for the Worst

No matter how strong your defenses are, there’s always a possibility that a breach could occur. Incident detection is crucial to minimize the impact of an attack. The faster you detect a breach, the faster you can respond and mitigate potential damage.

Key Incident Response Actions:

•    Real-Time Monitoring: Utilize automated threat detection systems, such as SIEM (Security Information and Event Management) solutions, to continuously monitor your network and endpoints for suspicious activity.
•    Behavioral Analytics: These tools help identify unusual patterns of behavior, which can indicate a compromised system or insider threat.
•    Incident Response Plan (IRP): Having a clearly defined IRP ensures that everyone in the organization knows what to do in case of a breach. It should include protocols for containment, investigation, communication, and recovery.

5. Regular Vulnerability Assessments and Penetration Testing

Vulnerabilities in your systems can lead to potential entry points for attackers. Regular vulnerability assessments and penetration testing should be part of your ongoing cybersecurity strategy. These tests simulate attacks on your systems to identify weaknesses before cybercriminals can exploit them.

Penetration testing helps you:
•    Identify software vulnerabilities, unpatched systems, and misconfigurations
•    Test the strength of your defenses
•    Provide insight into areas that need improvement

Frequency: Penetration testing should be conducted every 3-6 months, or whenever major changes are made to your network or infrastructure.

6. Data Backup and Disaster Recovery Plans

A strong cybersecurity strategy includes disaster recovery (DR) and business continuity plans. Ransomware attacks, data breaches, and system failures can bring business operations to a halt. To minimize the impact of such disruptions, organizations must have reliable data backup solutions and DR protocols in place.

Essentials of a Data Backup and DR Plan:

•    Frequent backups: Ensure that critical data is backed up on a regular basis, and that backups are stored securely, ideally in multiple locations (on-site and off-site/cloud).
•    Tested Recovery Procedures: Periodically test recovery plans to ensure that systems can be restored quickly in the event of a breach or failure.
•    Separation of backup systems: Isolate backup systems from production networks to reduce the risk of them being compromised in the event of an attack.

7. Third-Party Vendor Risk Management

In today’s interconnected world, businesses often rely on third-party vendors for critical services, such as cloud storage, payment processing, and software development. However, these vendors can also pose a cybersecurity risk if their own security practices are weak.

Vendor risk management is essential to ensure that any third-party relationships do not expose your organization to unnecessary threats. Key steps include:

•    Evaluating vendor security policies: Before onboarding any vendor, assess their cybersecurity policies and practices.
•    Continuous monitoring: Regularly assess the security posture of third-party vendors to ensure they remain compliant with your organization’s security standards.
•    Contractual Agreements: Ensure that cybersecurity expectations are included in contracts, specifying security measures, data protection requirements, and liability clauses.

8. Compliance with Regulatory Standards

Many industries are subject to strict regulatory frameworks that mandate specific cybersecurity practices. Compliance with regulations such as GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), and PCI DSS (Payment Card Industry Data Security Standard) not only helps businesses protect sensitive data but also ensures they avoid costly penalties.

Regular audits should be conducted to ensure your organization complies with relevant laws and regulations. Failing to meet compliance standards can lead to significant legal and financial consequences, as well as damage to your reputation.

9. Continuous Improvement: Evolving with the Threat Landscape

Cybersecurity is not a one-time effort but a continuous process. New vulnerabilities, threats, and technologies emerge regularly, and businesses must remain agile in adapting their defenses. Regularly review and update your cybersecurity strategy to stay ahead of evolving cyber threats.

•    Stay informed: Subscribe to threat intelligence services to receive updates on emerging threats and vulnerabilities.
•    Engage with the cybersecurity community: Participate in industry forums, cybersecurity conferences, and workshops to stay informed about the latest trends and best practices.

Conclusion: Striving for 100% Success in Cybersecurity

While achieving 100% cybersecurity success is a complex and ongoing process, the principles above lay the groundwork for a robust defense. By adopting a multi-layered security approach, prioritizing employee training, establishing an incident response plan, and continuously evaluating your defenses, you can significantly reduce the risk of cyber threats.

Cybersecurity is not just a technical issue—it’s a culture that must permeate every level of an organization. With a proactive, well-rounded approach, businesses can maximize their chances of achieving “success” in cybersecurity, protecting their assets, reputation, and customers in an increasingly hostile digital landscape.

The post Essentials to Gain 100% Cybersecurity Success: A Comprehensive Approach first appeared on Cybersecurity Insiders.

from Cybersecurity Insiders https://ift.tt/Hnjqhkb

GCP Cloud Composer Bug Let Attackers Elevate Access via Malicious PyPI Packages

Cybersecurity researchers have detailed a now-patched vulnerability in Google Cloud Platform (GCP) that could have enabled an attacker to elevate their privileges in the Cloud Composer workflow orchestration service that’s based on Apache Airflow.
“This vulnerability lets attackers with edit permissions in Cloud Composer to escalate their access to the default Cloud Build service account, which

from The Hacker News https://ift.tt/6gvJXde