MDR and Self Sabotage – Jason Lassourreille – ESW #331
Discussing ways to ensure client success with MDR and discuss the ways organizations hurt MDR efficacy with overly broad global exclusions, poor deployment practices, and poor policy hygiene.
This segment is sponsored by Sophos. Visit https://securityweekly.com/sophos to learn more about them!
Jason has been in the technology industry for 15 years and at Sophos for about 5 years. In his current role he is a technical resource for new and existing clients and helps ensure client success.
Join our cybersecurity community on Discord! Connect directly with our expert hosts, join discussions with fellow audience members, and customize your notifications to receive alerts every time an episode of your favorite show publishes. Get your invite at securityweekly.com/discord!
Detection Difficulty – Why are we still missing attackers? – Chris Sanders – ESW #331
We talk to Chris Sanders today, who has been steeped in the world of SecOps and detection/response for many years. After many years of writing books and training folks in the cybersecurity industry, he started delving into cognitive psychology and educational effectiveness. He leverages this knowledge in the training classes he builds and delivers.
Today we'll discuss why it seems like defenders are still failing, despite the security industry largely (and arguably) receiving the resources it has been requesting.
Chris Sanders is an information security instructor, author, and researcher focused on the intersection of cyber security, education, and cognitive psychology where he studies security analyst cognition and performance. He is the founder of Applied Network Defense, a cyber security training company, and Executive Director of the Rural Technology Fund, a non-profit that provides technology education resources to rural public schools and libraries. In previous roles, Chris worked with the US Department of Defense, InGuardians, and Mandiant. He is the author of several information security books, including Intrusion Detection Honeypots, Applied Network Security Monitoring, and Practical Packet Analysis. Chris received his doctorate in education from Baylor University.
Security Weekly listeners: InfoSec World 2023 is just weeks away! Have you registered to join over 2,500 cybersecurity experts on September 25-27 in Lake Buena Vista, FL? InfoSec World is your gateway to a world of knowledge and growth. Don't miss the chance to enhance your career, connect with industry leaders, and make an impact on the rapidly evolving landscape.
Secure your seat using code ISW23-SECWEEK20 to save 20% off your registration. Register today: securityweekly.com/infosecworld2023
Breaches, detecting deepfakes, cloning yourself, and cars are a privacy nightmare! – ESW #331
In this news segment, we start off by discussing funding, acquisitions, and Ironnet's unfortunate demise. We discuss Gmail's new, extra verifications for sensitive actions and Lockheed Martin's Hoppr SBOM and software supply-chain utility kit. We get into CISA's roadmap to help secure open source software, and their offer to run free vulnerability scans for the United States' 150,000+ water utilities.
Then, discussion turns back to some more negative items with Brazil's self-inflicted $11 billion dollar data leak, and the MGM/Caesar's ransomware attacks, which seem like they could have a common attacker and initial attack vector (a shared IT support company, perhaps). We also discuss Microsoft's post mortem on the Storm-0558 attack. Kelly Shortridge wants to know, "why are you logging into production hosts", someone is submitting garbage CVEs, and Mozilla finds that privacy policies from auto manufacturers are a privacy TRAIN WRECK.
Finally, we wrap up discussing tools that can detect deepfake audio, as well as the likelihood that this will be the start of a game of leapfrog, as deepfakes get increasingly better over time. And we discuss Delphi's offer to create a 'digital clone' of you that could live on forever, haunting your descendants.
Join us at SC Media’s Investing in IAM eSummit September 19th through 20th. This two-day virtual event will provide insights from industry experts with a deep dive into identity and access management. Register now for this free event where you will gain cybersecurity knowledge and receive 6.5 CPE credits just for attending!
Register today: securityweekly.com/IAM
Adrian Sanabria
- FUNDING: Rapid7 Announces Upsized Pricing of $260 Million Convertible Senior Notes Offering
Post-IPO debt raise
- FUNDING: Compliance and risk management startup Certa raises $35M
- FUNDING: Hyperproof has reached an exciting milestone: we closed $40 million in growth funding
- FUNDING: AuthMind raises seed funding for its identity SecOps platform
- FUNDING: Morgan Stanley Expands Global Inclusive Ventures Lab with Largest Single Cohort of 23 Companies
Including, because Leigh Honeywell's Tall Poppy is among the 23 companies funded! Each cohort receives $250k.
- FUNDING: Zenity Raises $16.5 Million Series A to Enhance Low-Code/No-Code Security – Intel Capital
- ACQUISITIONS: SafeBase Acquiring Stacksi to Invest in Security Reviews with Zero Friction
- ACQUISITIONS: Check Point to Acquire Atmosec
- ACQUISITIONS: Tenable Increases Focus on Cloud Security With Agreement to Acquire CNAPP Vendor Ermetic
Tenable continues to build out its portfolio!
- ACQUISITIONS: Osirium agrees to takeover by SailPoint Technologies after challenges
They call it a "takeover" though. Desperate times call for desperate measures...
- ACQUISITIONS: Battery Ventures Acquires GrammaTech’s Application Security Testing Software Business, Forming CodeSecure
Is this a divestiture? An acquisition? A spin-out? Whatever it is, it doesn't happen often, but we see something like this every now and then, often when a services org creates a software product and it grows to a point where it makes sense to spin it out.
- BUSINESS FAILURES: Cyber Company IronNet Furloughs Workers, Explores Bankruptcy
The drama has unfolded over the course of several years now, with accusations (and suits filed) by shareholders. Not many companies that went public via SPAC in 2020, 2021, or 2022 are big success stories today. The most obvious reason? They had no business going public in the first place. The S-1 path is still the most likely to result in proper due diligence and public scrutiny (see WeWork).
- NEW TOOLS: What Is Hoppr?
"Hoppr is your software bill-of-materials (SBOM) and secure software supply-chain (S3C) utility kit."
- NEW FEATURES: New Gmail ‘Verify it’s you’ prompt appears when attempting ‘sensitive actions’
- FEDERAL PROGRAMS: CISA releases roadmap to support the open source software ecosystem
"We envision a world in which every critical OSS project is not only secure but sustainable and resilient, supported by a healthy, diverse, and vibrant community"
Amen.
Goal 1: Establish CISA's Role in Supporting the Security of OSS Goal 2: Drive Visibility into OSS Usage and Risks Goal 3: Reduce Risks to the Federal Government Goal 4: Harden the OSS Ecosystem
- FEDERAL PROGRAMS: Risky Biz News: CISA to provide free security scans to public water utilities
- TALK: Demystifying LLMs and Threats My Journey – by Caleb Sima
- JOBS: Vendors are Hiring (by Richard Stiennon on LinkedIn)
Richard writes, "We just ingested all the LinkedIn job postings for 3,000+ cybersecurity vendors. There are over 67,000 job openings searchable within the Analyst Dashboard. 5,509 are in sales."
- JOB MOVES: Famed hacker and Twitter whistleblower Peiter ‘Mudge’ Zatko is joining the Biden administration
- BREACHES: Brazil’s government convicted for data leak exposed by The Brazilian Report
Is this possibly the most expensive breach/data leak ever? $3000 to 3.7m citizens adds up. $11B is bigger than the total estimated damages by NotPetya and WannaCry. For comparison, Target and Home Depots estimated costs were < $200m.
- HOT TAKES: “why are you logging into production hosts?”
Shots fired by Kelly Shortridge. The replies are worth a read.
- BREACHES: Caesars Ransomware Breach
Two key statements here:
- "We have taken steps to ensure that the stolen data is deleted by the unauthorized actor, although we cannot guarantee this result." ANALYSIS: They paid the ransom. I heard a rumor that they paid around $30 million USD.
- "resulting from a social engineering attack on an outsourced IT support vendor" ANALYSIS: Their MSP got hit. Is it the same MSP that MGM uses? The attack vector tracks (social engineering). Safe to assume that MSP serves more than two major hotel/casinos, so there could be more affected here. Is it possible this IT MSP caters specifically to the hospitality/gambling vertical?
- BREACHES: Adrian’s take on rumors of how MGM got popped
vx-underground reports: "All ALPHV ransomware group did to compromise MGM Resorts was hop on LinkedIn, find an employee, then call the Help Desk. A company valued at $33,900,000,000 was defeated by a 10-minute conversation."
Adrian's Take: We've got to stop thinking of breaches as something that only happens at step 1 of the attack. If each individual employee is your first and last line of defense, you're not doing security right.
A proper security program has to assume employees will fall for pretexting, phishing, and other social engineering attacks. We've got to detect attacks at steps 2 - 17+ and have the capability to prevent, detect, and contain threats at these levels also.
Bottom Line: This is a bad take, especially with the insight that this was a managed services vendor. The issues here are much more complex than "train your employees better".
- POST MORTEMS: Results of Major Technical Investigations for Storm-0558 Key Acquisition
Not a big fan of these results, as they're entirely focused on Microsoft fixing their internal stuff, and ignores the bits that impacts all their customers. Namely, the lack of information on how the attackers got in. If Microsoft can't keep attackers out, or even determine how they got in, what chance do the rest of us have?
- POST MORTEMS: DEF CON 31 A Different Uber Post Mortem, by Joe Sullivan
- DUMPSTER FIRES: “It’s time to talk about the ridiculous rash of awful CVEs posted in the last few weeks.”
- PRIVACY: It’s Official: Cars Are the Worst Product Category We Have Ever Reviewed for Privacy
First off, I'm not sure I was aware Mozilla was doing this work. But it's good that they are, because HOLY CRAP are the findings troubling.
- SECURITY DEBT: Risky Biz News: Microsoft to phase out 3rd-party printer drivers for security reasons
This link is to the whole newsletter. I'm including it for the headlining story, but also because you should subscribe to it. Useful stuff.
- INSIGHTS: As a programmer – when was the last time you used stack overflow?
I had no idea there was a shift this hard by developers away from Q&A forums to LLM AI
- AI TRENDS: Welcome to the Artificial Intelligence Incident Database
Simultaneously welcome and disturbing.
- AI TOOLS: Detect Deepfake Audio with Resemble
- ESSAYS: The building blocks of modern enterprise identity
- ESSAYS: The problem with buying too many security tools
- SQUIRREL: You can now make an AI clone of yourself — or anyone else, living or dead — with Delphi
On one hand, everyone wants to leave a legacy behind.
On the other hand, will future generations really want an immortal AI of me making fart jokes for eternity?
