
Cyber Security Elements by NSS

News

7 May

With the impacts and repercussions of the looming California Consumer Privacy Act (CCPA) on the minds of many privacy professionals, new research from MediaPRO shows more work is needed to train U.S. employees on this first-of-its-kind privacy regulation.

MediaPRO’s 2019 Eye on Privacy Report reveals 46 percent of U.S. employees have never heard of CCPA, which sets specific requirements for the management of consumer data for companies handling the personal data of California residents.

Passed last year and going into effect in January 2020, the CCPA has been referred to as a U.S. General Data Protection Regulation (GDPR) for its scope and focus on data rights. Privacy experts expect the law to apply to more than 500,000 U.S. companies. The 2019 Eye on Privacy Report findings suggest that raising employee awareness should play a key role in preparing for this new regulation.

Data privacy and the public

The CCPA awareness findings come from MediaPRO’s 2019 Eye on Privacy Report, a survey of more than 1,000 U.S.-based employees. The survey tested knowledge on data privacy best practices and privacy regulations in addition to gauging opinions on a variety of different privacy topics.

The survey presented participants with questions concerning when to report potential privacy incidents, what qualifies as sensitive data, how comfortable respondents were with mobile device apps having specific permissions, and the most serious threats to the security of sensitive data.

Additional findings from the report

  • 58 percent of employees said they had never heard of the PCI Standard, a global set of payment card industry (PCI) guidelines that govern how credit card information is handled.
  • 12 percent of employees said they were unsure if they should report a cybercriminal stealing sensitive client data while at work.
  • Technology sector employees were least likely to identify and prioritize the most sensitive information. For example, 73 percent of those in the tech sector ranked Social Security numbers as most sensitive, compared to 88 percent of employees in all other industries ranking this type of data as most sensitive.
  • Employees were more comfortable with a mobile device app tracking their device’s location than with an app accessing contact and browser information, being able to take pictures and video, and posting to social media.
  • Theft of login credentials was considered the most serious threat to sensitive data, with a disgruntled employee stealing data and phishing emails coming next.

The findings give weight to the vital role employees play in a strong data privacy posture and the continuing need for privacy awareness training in protecting sensitive information. Working toward a “business-as-usual” approach to data privacy, with best practices embedded into all employee actions, is increasingly becoming a must for companies of all sizes.

“We’re at a pivotal time in history for privacy, and more people than ever are paying attention to privacy and data protection,” MediaPRO’s Chief Learning Officer Tom Pendergast said.

“Some of our survey results might make you think that people are starting to get it—but until everybody gets it, we in the privacy profession really can’t rest. In today’s world, protecting personal information really is everyone’s responsibility, and that’s why it’s up to us to champion year-round privacy awareness training programs that aim to create a risk-aware culture.”

30 Apr

Security teams need to consider the possibility of internal as well as external threats

While high-profile cybersecurity breaches originating from malicious insiders are on the rise, many cybersecurity professionals continue to focus exclusively on external threats, forgetting that a threat could be sat right beside them.

It’s easy to put the notion of an insider threat to the back of our minds; however, looking at the spate of cybersecurity breaches last year, many of them had one thing in common – they originated from a malicious insider.

Motivations and behaviours of an insider threat

Many security teams assume that their employees would not compromise the reputation, operations, or even existence of the business. However, the truth is that no one is immune.

There are various types of insider threats; malicious insiders often seek financial gain or revenge, or the threat can result from insider collusion, where a relationship with an organisation or hacker group has been formed. Unintentional insider threats, on the other hand, are well-meaning but no less dangerous, as these employees fall victim to social engineering techniques or phishing emails – something that needs to be addressed proactively by security professionals.

Key behavioural traits of an insider threat that businesses can look out for, include:

Resignation: Individuals leaving on bad terms are important to monitor as they often maintain access to intellectual property initially. It is highly possible that they could – and often will – sabotage intellectual property. However, it’s important to note that an employee could be leaving the company on great terms, but still have less-than-honourable intentions regarding their access to IP. It’s sadly not uncommon for someone to take data to their next gig to sweeten the deal.

Ignorance: These individuals were never trained on their personal responsibility over company data and have little knowledge of the company’s security practices. As such, they are highly susceptible to phishing and other similar attacks. A clear warning sign of this is if you see someone walk away from their computer or laptop without locking their screens first.

Discontent: These individuals often voice their grievances and dissatisfaction in the office, display combative behaviour and a resistance to change. A sure warning sign is if this is done with little regard to the audience, whether it includes new hires, interviewees, management or even media. They feel wronged by the company and feel like they have something to gain; this is often in the form of IP theft.

Personal life: These individuals are easy to influence due to personal reasons and are often the ones who get blackmailed into handing over intellectual property. Sometimes financial motivation is also a factor, where employees can see gains by selling company confidential information. Warning signs can include unusual working hours, frequent absence from work, or general suspicious activity at the workplace such as someone covering something up when you are walking over to say hello.

Why insider threats are dangerous

1. They are hard to identify

Since insider threats already have access to the network with authorised credentials, their access does not raise a flag on a traditional monitoring system. They also often already have access to sensitive data, and awareness of the existing security measures in place and how to get around them. Combine all this with a lack of visibility into user access and data activity, and identifying threat actors becomes incredibly challenging.

2. They are expensive 

Like a traditional threat actor, the longer they go undetected and are free to roam the network, the more damage they can do. Even with baselining, threat actor activity can often get absorbed into the baseline, making it much more difficult to identify their rogue behaviour. The fact that they are not raising alarms means the potential damage is serious. Indeed, the Ponemon Institute revealed that the average cost of insider threats per year for an organisation is $8.76 million.

3. They risk compliance

Data protection and compliance should also be considered, because an insider threat will often make the exfiltration of data their objective. Last year, Coca-Cola suffered an insider threat attack which saw the personal information of about 8,000 of its employees leave the building. Not only this, but the dwell time of the incident was extended: they didn’t realise it had happened until law enforcement informed them of the data breach.

4. They cause operational disaster

As seen with Tesla, an insider threat can sabotage operations and risk an organisation’s competitive edge. In this instance, a disgruntled employee who lost out on a promotion made ‘direct code changes to the Tesla Manufacturing Operating System under false usernames and exported large amounts of highly sensitive data to unknown parties’ according to a letter addressed to employees.

Mitigating insider threats

Insider threats take many forms and companies must ensure they evaluate the risk. Policy is needed to reduce insider threats. Employee handbooks that are easily accessible can detail how employees can protect customers’ data, for example the do’s and don’ts with company laptops. It’s also important that employees fully understand all information in the handbook.

Awareness and training are critical. Companies should put a programme in place and make sure that senior management continuously reinforce that programme. Businesses should also consider a security culture improvement programme. Again, it should be supported by senior management, ideally with ways to measure the success of the programme.

Ultimately, companies must invest in technology that will help them to respond to and prevent insider threats from moving data externally. Organisations can identify what data has left their network, and how to prevent data leaving in the future by looking for similar information on all other data assets.

You can read the original article, here.

27 Apr

In May, it will be a year since the enforcement of the EU GDPR began. In the midst of continued and ever growing confusion within the EU caused by the Brexit process, a recent report around another high profile EU issue may have gone unnoticed. DLA Piper recently released a paper looking into incidents reported — both GDPR breach notification and other kinds of notification — fines enforced and how reports and fines are spread out across EU members.

From the time GDPR was introduced to the point when the report was released, 59,000 incidents were reported to the various regional “Data Commissioners,” such as the CNIL in France. The numbers were built upon data reported by EU members (which still includes the UK as I write this) and collected by DLA, but it is important to note that not all countries expose such information.

Firstly, before discussing these numbers, we need to be clear that these incidents do not imply 59,000 data breaches. Because GDPR is concerned not only with data breaches, but also with the inappropriate handling and processing of data, EU countries are required to engage in more than just GDPR data breach notification. The reported number of incidents, therefore, covers data abuse as well as data loss, whether accidental or maliciously derived. A separate source, directly from the EU commission, places the data breach related incidents at 41,500 for both malicious and accidental events.

The effects and legalities of GDPR are still rippling their way through data processing services. As a recent example, lobbyists from several countries launched a petition to their respective regional Data Protection Authorities on how EU personal data is used in the fast growing space of Real-Time Bidding, which is the process that determines which adverts are shown to you online. Real-Time Bidding is driven by the data advert companies have about you, since this is what allows them to make the most informed decision as to which advertisement you would find most appealing. The decision of which advert to show you is made in a split second and, therefore, clearly, there is no possible way for the user to ‘opt-in’ to the processing of their data. This is separate from the 50m EURO fine placed on Google by the French CNIL earlier this year.

One very interesting element of the DLA Piper report is the breakdown by country of the number of incidents filed. The Netherlands tops the list with around 15,400 reported incidents. Strangely, despite having a population nearly three times that of the Netherlands and a similar difference of scale in GDP, France only reported 1,300 incidents – over 14,000 less! This, perhaps, highlights an inconsistency between EU members as to what needs to be reported. For example, reported incidents have included simple notification that an email was accidentally sent to the wrong recipient. It would appear, although not confirmed, that the Dutch are playing it safe and reporting any infringement, whereas the French and Italians (with 610 incidents reported in Italy), have a narrower interpretation of what a data incident is.

Potentially, the reporting of even mild infringements could explain why only 91 fines have resulted from the 59,000 reported incidents. However, the report from DLA Piper does concede that there is likely to be a backlog within the EU commission to process GDPR breach notification and other types of incidents, which could mean that more fines will be forthcoming. The backlog may also be a sign that the EU underestimated the initial volume of incidents it would receive.

The main thing that is evident from this report is that the effect of the GDPR is still not fully understood. This is reflected by the huge variance in reported incidents per country and the ongoing arguments around the interpretation of legal data processing. The implications and interpretations will continue to play out for the foreseeable future.

One thing remains clear, organisations (with a deliberate UK spelling) who are the controller or processor of EU related data need to protect this information and its usage with a specific mind-set. The data is not theirs; it belongs to the individuals to whom it is linked. Organisations must treat the data as something they are borrowing or looking after, not something they own. It needs to be locked away with the right protection to ensure only those who should use it or see it can do so. It may seem like an obvious shift of perception, but it’s vital in terms of the importance we place upon protecting EU-related data.

24 Apr

CyberArk is honored to be named a 5-Star Security Vendor – the highest rating in CRN’s 2019 Partner Program Guide. This marks the second consecutive year that CyberArk has received this prestigious designation. This recognition highlights the importance of privileged access management (PAM) as a top security control and enterprise priority. Organizations that are extending PAM to users and applications across the enterprise, in the cloud, throughout the DevOps pipeline and at the endpoint are realizing rapid risk reduction and strong business impact.

CyberArk received a 5-Star rating based on an in-depth assessment of channel program offerings, partner profitability, partner training, education and support, marketing programs and resources, sales support and communication.

CyberArk has built a powerful channel partner community to help customers around the world to reduce risk, protect against advanced cyber threats and securely embrace digital transformation strategies. This recognition comes on the heels of CyberArk’s Scott Whitehouse being named a CRN Channel Chief.

We believe that protecting high-value assets and data in today’s increasingly complex business environment requires high levels of innovation and collaboration. Our partner ecosystem brings together the strengths of advisory consultants, global systems integrators and regional solutions providers to deliver the industry’s most complete privileged access security solution. We’re honored to be recognized by CRN for our commitment to cybersecurity innovation and channel partner empowerment.

CRN’s annual guide identifies the strongest and most successful partner programs offered by the top IT products and services suppliers. Solution providers have come to rely on this world-class guide as they evaluate security providers they work with or are considering working with in the future. The 5-Star rating recognizes an elite subset of companies that empower solution providers with the best partner program offerings.

The 2019 Partner Program Guide will be featured in the April issue of CRN and is available online here. To learn more about the CyberArk Global Partner Program, visit here.

22 Apr

Is PowerShell bad? Not necessarily. In fact, most PowerShell executions are not malicious, but PowerShell can be (and often is) taken advantage of.

The new Sophos EDR capabilities offer the ability to track down malicious executions that otherwise may remain hidden. For example, executions which use the encoded command argument are more likely to be associated with bad behavior and are less common in good executions.

With Intercept X Advanced with EDR 1.1, analysts can easily search for PowerShell commands, including encoded command arguments.

You can look for other suspicious PowerShell executions besides encoded commands such as policy bypass (-Exec Bypass), missing information (-NoLogo, -NoProfile), and more.
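The indicators listed above (an encoded command argument, a policy bypass, the -NoLogo/-NoProfile switches) can be checked mechanically over process command lines. The script below is an added example written for this page, not Sophos code and not how Intercept X implements its search: it tokenizes constructed sample command lines, recognises the switch abbreviations powershell.exe accepts, decodes the -EncodedCommand payload (base64 of UTF-16LE text) so an analyst can read what actually ran, and scores each line. The alias table, the weights and the threshold are assumptions chosen for the example; the sample command lines are constructed.

```python
"""Triage PowerShell command lines for the indicators discussed above.

Added example, not Sophos code: it checks process command lines (here a
constructed list) for an encoded command argument, an execution-policy
bypass, a hidden window and the -NoLogo/-NoProfile/-NonInteractive switches,
and decodes -EncodedCommand so the analyst can read what actually ran.
"""
import base64
import re
from typing import Optional

# Abbreviations powershell.exe accepts for the switches of interest. PowerShell
# also accepts any unambiguous prefix of a switch name, handled below.
SWITCH_ALIASES = {
    "EncodedCommand": {"e", "ec", "enc"},
    "ExecutionPolicy": {"ep", "ex", "exec"},
    "WindowStyle": {"w"},
    "NoProfile": {"nop"},
    "NoLogo": {"nol"},
    "NonInteractive": {"noni"},
}

# Weights are an assumption for this example: encoded commands and policy
# bypass are strong signals, the "missing information" switches are weak ones
# because plenty of legitimate automation uses -NoProfile.
WEIGHTS = {"encoded command": 3, "execution policy bypass": 2,
           "hidden window": 2, "noprofile": 1, "nologo": 1, "noninteractive": 1}
SUSPICIOUS_THRESHOLD = 2


def tokenize(cmdline: str) -> list:
    """Split on whitespace but keep double-quoted arguments together."""
    return re.findall(r'"[^"]*"|\S+', cmdline)


def canonical_switch(token: str) -> Optional[str]:
    """Map a token such as -nop or -EncodedC to its canonical switch name."""
    if not token.startswith("-"):
        return None
    t = token[1:].lower()
    for name, aliases in SWITCH_ALIASES.items():
        if t in aliases or (len(t) >= 3 and name.lower().startswith(t)):
            return name
    return None


def decode_encoded_command(value: str) -> Optional[str]:
    """-EncodedCommand carries base64 of the UTF-16LE script text."""
    value = value.strip('"\'')
    padded = value + "=" * (-len(value) % 4)   # tolerate stripped padding
    try:
        return base64.b64decode(padded, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline: str) -> dict:
    """Return the indicators found in one command line plus a score."""
    tokens = tokenize(cmdline)
    findings, decoded = [], None
    for i, tok in enumerate(tokens):
        name = canonical_switch(tok)
        nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
        if name == "EncodedCommand" and nxt:
            findings.append("encoded command")
            decoded = decode_encoded_command(nxt)
        elif name == "ExecutionPolicy" and nxt.lower() in ("bypass", "unrestricted"):
            findings.append("execution policy bypass")
        elif name == "WindowStyle" and nxt.lower().startswith("h"):
            findings.append("hidden window")
        elif name in ("NoProfile", "NoLogo", "NonInteractive"):
            findings.append(name.lower())
    score = sum(WEIGHTS[f] for f in findings)
    return {"command_line": cmdline, "findings": findings, "score": score,
            "suspicious": score >= SUSPICIOUS_THRESHOLD, "decoded": decoded}


def encode_for_powershell(script: str) -> str:
    """Build the -EncodedCommand form; used only to construct sample input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample command lines, as a process-creation log might record them.
SAMPLE_COMMAND_LINES = [
    'powershell.exe -NoProfile -Command "Get-Service"',
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    "powershell.exe -nop -w hidden -enc " + encode_for_powershell("Write-Host 'hello'"),
    "powershell.exe -Command Get-Date",
]


def scan(lines=SAMPLE_COMMAND_LINES) -> list:
    """Analyze every line; the caller can filter on result['suspicious']."""
    return [analyze_command_line(line) for line in lines]


if __name__ == "__main__":
    for r in scan():
        flag = "SUSPICIOUS" if r["suspicious"] else "ok        "
        print(flag, r["score"], r["findings"], r["decoded"] or "")
```

Feeding real process-creation records (for example the command line field of a Sysmon or EDR event) through `scan` gives the same per-line verdicts; the decoded text is what an analyst would then read in a threat case rather than the opaque base64 string.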

These new capabilities have also been added to the Intercept X Advanced for Server with EDR Early Access Program (EAP) so participants can start using these new features on their servers.

PowerShell features previously included in Intercept X

Intercept X already blocks known malicious PowerShell activity. The Application Lockdown feature automatically terminates a protected application based on its behavior. For example, when an Office application is leveraged to launch PowerShell, access the WMI, run a macro to install arbitrary code, or manipulate critical system areas, Sophos Intercept X will block the malicious action – even when the attack doesn’t spawn a child process. It will also prevent malicious PowerShell code executions via Dynamic Data Exchange. Learn more about exploit protection with Intercept X.

Finally, if PowerShell appears to be involved with a detection it is referenced in a Threat Case where the command line executed can be analyzed.

17 Apr

Few terms in networking have generated as much buzz recently as SD-WAN (or Software Defined Networking in a Wide Area Network). All that buzz has been accompanied by equal doses of useful information and confusing rhetoric. As a result, SD-WAN has grown to mean a lot of different things to different people, while some are still trying to figure out exactly what it means.

Fundamentally, SD-WAN is usually about achieving one or more of these networking objectives:

  • Reduce connectivity costs: Traditional MPLS connections are expensive, and organizations are shifting to multiple more affordable broadband WAN options
  • Business continuity: Organizations require solutions that will elegantly handle WAN failures and outages, and are looking for redundancy, routing, fail-over and session preservation
  • Simpler branch office VPN orchestration: VPN orchestration between locations is often complex and time-consuming, so organizations are looking for tools to simplify and automate deployment and setup
  • Quality of critical applications: Organizations are seeking real-time visibility into application traffic and performance in order to maintain session quality of mission-critical business apps

What’s most important to you?

XG Firewall includes all the common SD-WAN features and capabilities you need to achieve these goals. Check out our XG Firewall and SD-WAN Solution Brief for the full details, but here’s a quick summary of how XG Firewall can help you achieve your SD-WAN objectives:

Multiple WAN links: XG Firewall offers support for multiple WAN links, including a variety of copper, fiber, and even cellular interface options. XG Firewall can terminate MPLS circuits using Ethernet handoff and VDSL through our optional SPF modem. XG Firewall also offers essential WAN link monitoring, balancing, and failover capabilities.

Branch office connectivity: Sophos has long been a pioneer in the area of zero-touch branch office connectivity with our unique SD-WAN RED devices. These affordable devices are super easy to deploy by a non-technical person, and provide a robust secure Layer 2 tunnel between the device and a central XG Firewall. XG Firewall also supports site-to-site RED tunnels, as well as a variety of standard VPN solutions and easy orchestration wizards and tools to make inter-office connectivity quick and painless.

VPN support and orchestration: XG Firewall offers support for all the standard site-to-site VPN options you would expect including IPSec, SSL, and even our own unique RED Layer 2 tunnel with routing that is very robust and proven to work reliably in high-latency situations such as over-satellite links. Sophos Firewall Manager or Central Firewall Manager also offer centralized multi-site VPN orchestration tools to easily set up a mesh of VPN SD-WAN connections. XG Firewall also offers a flexible failback option to automatically fail back to the primary VPN connection when a WAN link is restored.

Application visibility and routing: You can’t route what you can’t identify, so accurate, reliable application identification and visibility is critically important. This is one area where XG Firewall and Synchronized Security provide an incredible advantage. Synchronized Application Control provides 100% clarity and visibility into all networked applications, providing a significant advantage in identifying mission critical applications, especially obscure or custom applications.

XG Firewall also includes application-based routing and path selection in every firewall rule as well as policy based routing (PBR), making it easy to direct important application traffic out the optimal WAN interface. Additionally, it includes predefined Fully Qualified Domain Name (FQDN) objects for popular SaaS cloud services, with thousands of FQDN host definitions included out of the box and the option to easily add more.

What’s Next for SD-WAN with XG Firewall?

XG Firewall includes many innovative solutions to help organizations reach their SD-WAN objectives – from great WAN connectivity options to our unique RED SD-WAN appliances, to our unmatched application visibility and great routing options.

XG Firewall offers a powerful, flexible network connectivity and security solution for every type of network and Sophos is continuing to invest in SD-WAN capabilities in upcoming releases, with new features for link monitoring and management, VPN orchestration, and application routing.

Check out our XG Firewall and SD-WAN Solution Brief, to get further insights into how XG Firewall is solving the top challenges with SD-WAN and helping organizations achieve their important SD-WAN goals.

15 Apr

NSS, together with CyberArk and Sophos, will inform you of the latest cyber threats and suggest ways to address them at the 9th Infocom Conference on 17 and 18 April at the Dais Conference Center.

The concept of Industry 4.0 (aka the 4th Industrial Revolution) is being reported more and more, reflecting the sweeping modernization and rapid development of all levels of production, services and procedures, with new and advanced technologies as the main pillar that brings a revolution in the way private businesses, public organizations and societies operate.

The basis for Industry 4.0 is the combination of the natural and digital world: the interconnection of machines with information and communication systems, and the complete digitization of physical procedures through the combination of existing and emerging technological trends such as Cyber Physical Systems, Artificial Intelligence, Augmented Reality and Cognitive Computing, as well as Big Data, cloud computing and cryptocurrencies.

In this new era, the Digital Security sector, which includes Information Security, Networks and IT infrastructures as well as Data Protection, is set to have a very important role, creating new challenges and new opportunities that we will present at the 9th Infocom Security Conference, to be held on 17 and 18 April at the Dais Conference Center in Maroussi, Athens.

Cyber Security, in all its aspects, is of vital importance to effectively understanding and using all the new technologies that can lead us to the 4th generation Digital Revolution, and that’s why all professionals should be fully informed about the evolution of cyber-threats, the trends and strategies being developed in the field of security, new technologies and new generation protection solutions.

For one more year, the Infocom Security Conference will meet this need for information on Digital Security – with a business-oriented approach, but also with scientific, research and technological interest. The Infocom Security Conference is the reference point for security specialists and the place of their annual meeting.

Speeches

17th April 13:30 “Anatomy of a cyberattack – forensics made simple with Artificial Intelligence”, Sophos Sales Engineer Peter Skondro

18th April 14:30 “Are the apps that run your business also your Achilles’ heel”, Cyberark Account Executive Roee Abaiov

Security Workshops

During the 9th Infocom Security, parallel workshops will take place, offering techniques and practical presentations by specialists about information security issues.

Workshop-room D1

17th April 14:00-15:00 “EDR in Action – Forensics and automatic containment of threats with Sophos Synchronized Security”, Sophos Sales Engineer Peter Skondro

Workshop-room D2

18th April 15:00-16:00 “Learn how to Protect your business Apps in the Age of Industry 4.0”, Cyberark Customer Success, David Kellermann

Sponsor companies’ expo

During the 9th Infocom Security, as every year, there will be an expo for sponsor companies, giving visitors the opportunity to get in touch with businesses active in the country in the sector of information security services and solutions, in order to stay informed face-to-face about all developments in this area, as well as the companies’ own activities.

10 Apr

You move to the public cloud with the dream of infrastructure cost savings, added agility, and taking full advantage of DevOps processes to speed up development and product delivery. A move to Amazon Web Services, Microsoft Azure or Google Cloud Platform can bring all that good stuff. But soon you’ll meet your new challenge: increasingly complex attacks targeting a more dispersed multi-cloud network.

That’s exactly what we found in the most recent Sophos research study of 10 cloud honeypots placed worldwide. Once the honeypots were live, it took attackers no time at all to discover the SSH service and for login attempts to start. In one instance, a honeypot was attacked less than one minute after it was deployed. And once the login attempts started, the attacks were relentless and continuous.

Put that smile back on your face

To solve the problem of public cloud security and get you back to spending your time on projects that move your business forward, rather than security worries, we’re pleased to announce the launch of Sophos Cloud Optix.

The latest addition to the Sophos Public Cloud Security line up, Cloud Optix is a powerful new tool that allows you to accurately see what you have running in the cloud at all times, while combining the power of AI and automation to simplify compliance, governance and security monitoring in the cloud. And you can have it up and running in less than 10 minutes.

You can’t secure what you can’t see

Running multiple cloud environments, potentially across multiple providers, you’re going to have a tough time visualizing what your actual cloud network and assets look like. This means you can easily spend days or weeks preparing accurate diagrams to ensure they are configured correctly in order to prepare for audits. Cloud Optix is an agentless solution that does this in seconds with complete network inventory, topology visualization and continuous asset monitoring. But don’t just listen to us, here’s why HubSpot chose Sophos:

Sophos Cloud Optix provides us a comprehensive network topology diagram with real-time traffic of our cloud environment. I have better insight into our cloud network security posture than ever before.

– Jessica Mazzone, Security Engineer, HubSpot Inc.

Changing environments need continuous compliance

In an ever-changing, auto-scaling public cloud environment, automatically detecting changes to your cloud environments in real time is a life saver. Cloud Optix continuously monitors compliance, with custom or out-of-the box templates for standards such as SOC2, HIPAA and GDPR, and reports generated in seconds.

It only takes one open door

The biggest issue in cloud security is not necessarily some new kind of malware, it’s about making sure your architecture is secure and you have the right visibility of it.

In our report, we found that, on average, cloud servers were subjected to 13 attempted attacks per minute, per honeypot. So if you accidentally leave your Amazon S3 storage buckets set to public, or leave a MongoDB database open to the public internet, you’re risking hitting the headlines for the wrong reasons.

Cloud Optix has a range of threat response and alerting capabilities to help, from detection of suspicious traffic patterns on the network (i.e. a data breach in action) and shared access keys to your cloud provider account, to data storage left open to the public internet, and more.

For more information on our research findings, please read the full Sophos report, or for the highlights you can read the Naked Security article.

And to learn more about Sophos Cloud Optix and how it can help simplify visibility, compliance and threat response for you, visit www.sophos.com/cloud-optix.

5 Apr

Earlier this week, news broke that a Chinese woman attempted to sneak a USB stick loaded with malware into Mar-a-Lago, President Trump’s main place of residence outside of the White House.

The news made international headlines due to the nationality of the alleged attacker and the location of the attempted attack.

Using an external device like a thumb drive to deliver malware is not a new attack method – it has been around for years.

But this somewhat old-school delivery mechanism is still very effective today. Why? Because many endpoint protection products only focus on “next-gen” approaches to endpoint security and skip over proven foundational techniques that have worked for years.

Those techniques include “device control” or “peripheral control” which protects external hard drives.

The USB stick incident at Mar-A-Lago is a perfect example of why you need endpoint protection that combines modern/next-gen techniques *and* foundational techniques like device control. Fortunately, with Intercept X Advanced you get both.

How does Intercept X Advanced protect against this type of attack?

Intercept X Advanced administrators have the ability to control access to removable storage devices (like USB sticks), mobile devices (iPhone, various Androids, Blackberry), Bluetooth, and other peripheral devices.

They can choose to either block the use of peripheral device types altogether, monitor devices, allow in read only mode, or block/allow specific devices.

If a person was able to sneak a USB drive into an environment, they would receive a message similar to this when trying to use it:

But that’s not it…

Even if this feature had not been enabled, Intercept X would be able to detect the malware before it executed using the industry’s best malware detection engine, powered by deep learning technology. Find out more about Intercept X Advanced here.

You can read the original article, here.

2 Apr

XG Firewall v17.5 recently delivered several new innovations including Lateral Movement Protection, management via Sophos Central, and a variety of new features focused on education.

With Maintenance Release 4 (MR4) announced earlier this week, there are a few new important features I want to ensure everyone is able to get the most out of.

While we always encourage all our customers and partners to keep their firewall up to date with the latest firmware release, MR4 is the perfect time to update if you haven’t been keeping current, so you can take advantage of the latest security, performance and other enhancements.

Email notifications

Several new email notifications have been added to inform you about important system- and threat-related activity, including:

  • Started SFOS
  • Sign-in failed for web admin console, SSH, or CLI console
  • Advanced threat protection alert or drop actions
  • Installed new firmware
  • System restart initiated through web admin console
  • System shutdown initiated through web admin console

To receive these new alerts, simply ensure you have these boxes checked in the Notification Settings tab of your XG Firewall:

Backup encryption

Backup files are now encrypted with a password you set, for enhanced security. Going forward you will be required to use this feature to protect your backups.

The new options are part of the workflow for scheduling and performing backups and restoration of your XG Firewall configuration on the Backup & Firmware main menu option, on the first tab for Backup & Restore:

You’ll notice new entries for an “Encryption password” for the backup and restore process.

You should update your backup settings to use a strong password that’s 12 characters or more in length. Once you’ve typed in your password, click “apply”.

All backups from that point onwards will use the new password as the encryption key. You can change the password at any time, including when performing a local backup. Of course, we suggest you use a password manager so you don’t need to worry about remembering all your passwords, but if you forget your encryption password, you can change it at any time and create a new backup.

Chromebook authentication

If you’re one of the many XG Firewall customers enjoying the new Chromebook authentication support, there’s now a new option to generate the application configuration file from within the XG Firewall console to import into Google GSuite.

This option can be found under Authentication > Services > Download GSuite App Config, as shown below:

Other enhancements

XG Firewall v17.5 MR4 also introduces a number of performance, reliability and stability enhancements. You can check out the full release notes for more details.

How to get it

As with every XG Firewall firmware update, it will appear in your console automatically at some point in the near future, but if you want to start taking advantage of these enhancements right away, you can download the firmware update immediately from the MySophos Portal.

If you need a refresher on how to update your firmware, watch this short how-to video:

You can read the original article, here.

30

Mar

The age of digital transformation is upon us. Cloud, virtualization and containerization are becoming mainstream. With all of the buzzwords and technology hype, it is easy to forget the real business drivers behind this age of innovation. Established industries like finance and healthcare are being disrupted by new and nimble startups who have leap-frogged established players with new technologies that bring tremendous competitive advantage with speed to market, flexibility and resiliency. Now, established enterprises are adopting these new technologies to ensure and recapture their market leadership positions. It truly is an exciting time in B2B technology, but what about the engine of the enterprise? Business critical applications are the motor that keep firms running. They too are seeing change with the adoption of cloud and SaaS applications, but are often overlooked when it comes to their security.

Business critical for a reason

Consider the vast amount of information and the applications within your organization. Depending on your line of work and industry you will have your own list of critical business applications and related data that, if compromised or lost, would bring your business to a standstill. These can include financial transaction applications and their related sensitive customer data; enterprise resource planning (ERP) applications that help manage crucial inventory for retailers or hospitals; or critical electronic health record (EHR) applications storing vital electronic personal health information (ePHI) for health care providers, hospitals and insurers.

But how do organizations secure all of this sensitive information and the applications that store and manage it? Unfortunately, many business and IT stakeholders are finding themselves in a risky position. While they are doing a great job curating the right applications for their needs, they are missing the boat on protecting these costly investments that run their enterprises – and drive customer relationships.

According to a recent CyberArk Business Critical Application survey of 1,450 business and IT decision makers conducted across eight EMEA countries, 61% indicated that even the slightest downtime affecting their business critical applications would be massively disruptive and severely impact the business. Yet, 70% of these enterprises do not prioritize the security of business critical applications. So what can you do to help bridge this gap? CyberArk just released an eBook, “The Age of Digital Transformation: 5 Keys to Securing Business Critical Applications,” to answer your questions. Here is a preview of the first two points.

1. Identify what apps are truly business critical

As a security leader, it goes without saying that you need to be one with the business. Get to know your line of business leaders and the leaders of key functions such as finance, human resources and marketing. Once you have a handle on important business initiatives, you will be in a better place to identify the business apps that are truly critical. These could be SaaS applications or even custom applications built using DevOps tools and methodologies.

2. Get comfortable with the cloud (and securing it)

Understand what your cloud strategy, migration plan and timelines are for on-premises applications that are moving to the cloud or new cloud-native applications. Partner with cross-functional stakeholders to ensure privileged access security is a front-and-center consideration when you’re looking to migrate applications to the cloud or to adopt new cloud applications.

To learn about keys three through five and find out more about securing business critical apps, download the eBook here.

25

Mar

AV-Comparatives recently tested 250 Android security apps available on the Google Play Store against 2,000 of the most common Android threats from 2018. The test was designed to simulate real-world conditions and help Android users identify genuine, effective antivirus apps in a space where there’s no shortage of buggy, dubious or ineffective options.

We were delighted to see Sophos Mobile Security pass with flying colors, detecting all of the malware samples with 100% accuracy and no false detections.

One test doesn’t make a perfect product, and neither does two, but we were equally delighted when AV-Test reviewed Sophos Mobile Security and gave it a maximum score too.

Like the AV-Comparatives test, the AV-Test evaluation was designed to simulate real-world conditions. Instead of using the biggest threats from last year though, it challenged Sophos Mobile Security to fend off the very latest Android threats.

The test also recognised the crucial importance of usability on mobile platforms by checking the software’s impact on battery life, traffic and performance, and whether or not it generated false warnings during the installation and use of legitimate apps.

It triumphed in both aspects of the test, scoring 100% for both protection and usability.

Sophos is a strong advocate for thorough independent testing of cybersecurity products. It helps customers choose what’s right for their environment, and it pushes vendors to constantly improve the protection in their technology.

We encourage businesses to evaluate the effectiveness of a product using multiple independent data points and we are delighted that both AV-Comparatives and AV-Test have given Sophos Mobile Security top marks.

Sophos Mobile Security is available for free in unmanaged mode from Google Play and Apple’s App Store. Business customers can license the software for centralized management, deployment, reporting, and more integrations.

To see how Sophos Mobile Security fits into your business, start your 30-day free trial today.

22

Mar

Your mailbox is more valuable than ever to attackers, with 93% of company security breaches now starting with a phishing email. Whether users are targeted with phishing emails, or their mailbox is compromised to send spam and viruses from your organization’s domain, the risks to your organization are great.

The symptoms of a compromised mailbox

When your domain is used to spread malicious email, it can impact your reputation as an email sender and as a trusted business, leading to blocked messages. There are some common symptoms of this activity, which busy users may struggle to notice, leading to undetected threats:

  • The user’s mailbox may be blocked from sending emails
  • Missing or deleted emails in their inbox
  • Recipients report receiving emails for which the user has no corresponding sent item
  • The existence of inbox rules that neither the user nor your administrator has created; these rules may forward messages to the Junk folder
  • Mail forwarding was recently added to the account without consent

A connected approach

Thanks to its shared user list, Sophos Central is now able to link mailboxes protected by Sophos Email with the associated computers protected by Sophos Endpoint. Once linked, if Sophos Email detects 5 or more spam or virus emails sent in 10 minutes, the mailbox is automatically blocked while an endpoint scan is carried out. The infection is then removed and alerts are shared via Sophos Central.

Watch our video on Sophos Email Compromised Mailbox Detection:
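The symptom list and the stated threshold rule (5 or more spam/virus messages sent from one mailbox within 10 minutes) turned into a small detector, as an added example that is not Sophos code; the event fields, verdict labels, rule audit format and all sample data are constructed assumptions.

```python
"""Compromised-mailbox detection: a sliding-window counter of outbound spam/virus
verdicts per sender, plus a check for inbox rules the user or admin did not create.
Added example, not Sophos code; field names and sample data are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

THRESHOLD = 5                    # this many bad outbound messages ...
WINDOW = timedelta(minutes=10)   # ... within this sliding window => block mailbox


@dataclass(frozen=True)
class OutboundVerdict:
    sender: str
    sent_at: datetime
    verdict: str        # "clean", "spam" or "virus" (assumed label set)


@dataclass(frozen=True)
class InboxRule:
    mailbox: str
    name: str
    created_by: str     # account that created the rule, as recorded in an audit log
    action: str         # e.g. "move:Junk", "forward:someone@example.net"


class CompromisedMailboxDetector:
    """Counts spam/virus verdicts per sender inside a sliding time window."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self._hits = defaultdict(deque)   # sender -> timestamps of bad verdicts
        self.blocked = set()

    def observe(self, event):
        """Feed one verdict (events must arrive in time order); True if it triggers a block."""
        if event.sender in self.blocked or event.verdict not in ("spam", "virus"):
            return False
        hits = self._hits[event.sender]
        hits.append(event.sent_at)
        cutoff = event.sent_at - self.window
        while hits and hits[0] < cutoff:      # evict hits that fell out of the window
            hits.popleft()
        if len(hits) >= self.threshold:
            self.blocked.add(event.sender)    # stays blocked while the endpoint scan runs
            return True
        return False


def run_detector(events):
    """Return [(sender, time_of_block)] for a batch of verdicts, oldest first."""
    detector = CompromisedMailboxDetector()
    blocks = []
    for ev in sorted(events, key=lambda e: e.sent_at):
        if detector.observe(ev):
            blocks.append((ev.sender, ev.sent_at))
    return blocks


def suspicious_inbox_rules(rules, trusted_creators):
    """Flag rules created by neither the user nor an administrator, noting whether
    they hide mail in Junk or forward it, the two effects the symptom list names."""
    findings = []
    for rule in rules:
        if rule.created_by in trusted_creators.get(rule.mailbox, ()):
            continue
        if rule.action.startswith("forward:"):
            effect = "forwards mail"
        elif rule.action == "move:Junk":
            effect = "moves mail to Junk"
        else:
            effect = "other"
        findings.append((rule.mailbox, rule.name, effect))
    return findings


# Constructed sample data: alice's mailbox starts sending spam at 09:00.
# Four hits in the first 6 minutes, then two more at +11 and +12 minutes.
T0 = datetime(2019, 3, 22, 9, 0)
SAMPLE_VERDICTS = [
    OutboundVerdict("alice@example.com", T0 + timedelta(minutes=m), "spam")
    for m in (0, 2, 4, 6, 11, 12)
] + [
    OutboundVerdict("bob@example.com", T0 + timedelta(minutes=3), "clean"),
    OutboundVerdict("bob@example.com", T0 + timedelta(minutes=5), "virus"),
]
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Archive old mail", "alice@example.com", "move:Archive"),
    InboxRule("alice@example.com", ".", "unknown-session", "move:Junk"),
    InboxRule("alice@example.com", "fwd", "unknown-session", "forward:drop@example.net"),
]
TRUSTED = {"alice@example.com": {"alice@example.com", "admin@example.com"}}

if __name__ == "__main__":
    print(run_detector(SAMPLE_VERDICTS))          # alice blocked at 09:12 (hit at 09:00 aged out)
    print(suspicious_inbox_rules(SAMPLE_RULES, TRUSTED))
```

Note that the 09:00 hit has left the window by 09:11, so the fifth spam message alone does not trip the rule; the block fires on the sixth at 09:12, when five hits again fall within ten minutes.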

19

Mar

During this year’s RSA conference (visit us at booth #N6253!), CyberArk announced the release of version 10.8 of the CyberArk Privileged Access Security Solution. Version 10.8 focuses on expanding and improving CyberArk’s ability to continuously discover and protect cloud environments as well as augmenting Just-in-Time capabilities for an easy-to-use privileged access control. We’ve included a demo of Version 10.8’s capabilities at the bottom of the page.

The Cloud

Cloud computing, storage and applications have all become integral to modern organizations, and the cloud footprint amongst the world’s organizations continues to grow. One of the main tenets of the cloud is speed: speed of deployment, scaling and integration. However, the increased speed at which cloud computing and storage allow organizations to spin up new virtual machines, instances and storage buckets can lead to headaches for both SOC and IT administrators. As cloud computing and storage have become an increasingly popular way of conducting business, a staggering 50% of organizations do not have a privileged access security plan to secure cloud instances.

The newest CyberArk release provides a robust strategy for securing privileged access throughout AWS environments. It enables organizations to detect, alert and respond to potential attacks or misuse in AWS environments relating to Identity and Access Management (IAM) accounts and EC2 instances. To further the integration of these new capabilities, CyberArk customers can now deploy threat detection, alerting and response capabilities as an AMI or CloudFormation template.

It’s no small feat to secure these accounts and instances. A recent CloudInsight Essentials study showed that, among the 31,000 EC2 instances studied, there were 150,000 misconfigurations detected, 30,000 of which were linked to IAM accounts. These IAM accounts provide privileged users sweeping access to create, edit and update AWS Simple Storage Service (S3) buckets. S3 buckets are a public cloud storage resource similar to file folders that can store objects containing descriptive metadata and sensitive information.

With the CyberArk Privileged Access Security Solution, organizations can now continuously discover unmanaged privileged AWS accounts and instances and automatically add these accounts to a list of pending approvals to prevent further misuse. CyberArk customers are also able to initiate automatic Access Key rotation and re-creation if unauthorized or unmanaged access is detected. They can also send alerts to SOC and IT administrators based on detected misuse so that they can take a risk-based approach to their cloud inventories.

Just-in-Time

Just-in-Time solutions are simple to use, and that can make life easier. However, it’s important not to lose sight of the rest of the necessary security precautions. Drawbacks to not fully managing and rotating privileged credentials associated with critical servers, databases and cloud instances include minimal visibility into activities taking place on those targets and a lack of native workflows. Having a tiered structure in place that implements higher levels of security (automatic session isolation, recording, and threat detection and response) on cloud consoles, domain controllers and other critical systems is a best practice.

Ensuring that the right person has the right access to the right resource at the right time for the right reason is a fundamental component of privileged access security. This is “Just-in-Time access,” a strong option for organizations that are looking to kick-start their privileged access security programs by introducing an easy-to-use solution.

Building on existing Just-in-Time access to Windows servers, which provided users provisional access to a defined subset of Windows servers for a pre-determined amount of time, this release advances those capabilities. Now, administrators have the ability to configure on a minute-by-minute basis the amount of time approved for access to target Windows servers. As part of the CyberArk Privileged Access Security Solution, Just-in-Time access adds another route for organizations to take toward implementing a robust privileged access security program.

In addition to advanced cloud capabilities and Just-in-Time functionality, other features included in this release are:

  • A new policy that, if enacted, requires end users to provide a reason for every privileged connection to a target system. That reason is sent to a reviewer for approval, and is automatically audited and stored.
  • A new authentication method, “Cognito,” for AWS environments that enables application users to sign in directly through a user pool or a third-party identity provider, and supports multiple SAML configurations.

Register for our webinar to learn more about CyberArk’s ability to extend privileged threat detection and response to the cloud.

15

Mar

The total number of records exposed in the healthcare sector rose to 11.5 million in 2018, according to the fifth annual Healthcare Breach Report, published by Bitglass.

The number of breaches reached a three-year low at 290 in total; however, the number of exposed records nearly doubled from 2017. Also notable in the report was that nearly half (46%) of the 11.5 million individuals affected by healthcare breaches in 2018 were affected as a result of hacking and IT incidents.

An analysis of data acquired from a US Department of Health and Human Services (HHS) database that holds information on breaches involving protected health information (PHI) revealed that breaches in the healthcare industry fell into one of four categories.

In addition to those breaches related to malicious hackers and improper IT security, 36% of healthcare data breaches were categorized as caused by unauthorized access or disclosure of protected health information. A smaller number were the result of theft of endpoint devices. According to the report, the number of breaches caused by lost and stolen devices has fallen by nearly 70% since 2014. The final category encompassed those miscellaneous breaches and leaks related to items such as improper disposal of data.

On average, nearly 40,000 people were affected per breach, which is more than double the average number affected in 2017. Given that nearly half of breaches occurred because of hacking or IT issues, the report suggested that bad actors are targeting healthcare IT systems more frequently because they know there are massive amounts of sensitive data stored on those systems.

“Healthcare firms have made progress in bolstering their security and reducing the number of breaches over the last few years,” said Rich Campagna, CMO of Bitglass, in a press release. “However, the growth in hacking and IT incidents does deserve special attention. As such, healthcare organizations must employ the appropriate technologies and cybersecurity best practices if they want to secure the patient data within their IT systems.”

You can read the original article, here.

12

Mar

A report released today by Sophos reveals that IT managers are more likely to catch cybercriminals on their organization’s servers and networks than anywhere else.

The study, 7 Uncomfortable Truths of Endpoint Security, surveyed over 3,100 IT managers in 12 different countries across industry verticals and organization sizes, and was conducted by the independent research specialist Vanson Bourne.

The report reveals that IT managers discovered 37% of their most significant cyberattacks on their organization’s servers and 37% on its networks. Only 17% were discovered on endpoints and 10% were found on mobile devices.

You’ve likely heard the adage: “It’s not a matter of if, but when you’ll be breached”, and the survey data certainly backs that up, with the majority of organizations responding to this survey (68% global average) having already been breached.

That’s why there’s growing momentum to not just focus on the tactics and tools that flat-out prevent attacks, but also to bolster threat response programs to more quickly find intruders already in the network, and to more effectively respond to attacks already underway.

In other words, for organizational security, it’s no longer enough to think about threats stopped at the ‘perimeter’. Companies must also focus on dwell time, which is the time it takes to detect an attack in progress.

Among the teams that were able to definitively measure their average attacker dwell time, the reported figure was as little as 13 hours, with Australia, Brazil and Canada reporting 10 hours of dwell time at one end of the range and Japan reporting 17 hours at the other.

If you’re not familiar with industry chatter around dwell time, 13 hours might seem like an eternity for an attacker to be rooting around your organizational assets, but compared to other industry benchmarks — such as the Verizon Data Breach Investigations Report (DBIR), whose respondents on average clock dwell time in weeks or months — 13 hours seems almost impossibly fast.

As the respondent set and the types of threats being assessed in this survey and the Verizon DBIR studies aren’t quite the same, we can’t and shouldn’t make a one-to-one comparison between the two. Instead, this report drills down into why there’s a disparity in results, and why the gulf in detection times from those with dedicated security teams versus those without can hold such variability.

Lack of visibility into attacker behavior and information about attacker paths is still a major barrier to detecting attacks and reducing dwell time. 20% of IT managers who fell victim to one or more cyberattacks last year can’t pinpoint how the attackers gained entry, and 17% don’t know how long the threat was in the environment before it was detected, according to the survey.

To improve this lack of visibility, IT managers need Endpoint Detection and Response (EDR) technology that exposes where threats originate, as well as the digital footprints of attackers moving laterally through a network. 57% of respondents reported that they did not have an EDR solution in place at the moment, but planned to implement one within the next 12 months.

Chester Wisniewski, principal research scientist at Sophos said:

“If IT managers don’t know the origin or movement of an attack, then they can’t minimize risk and interrupt the attack chain to prevent further infiltration.

EDR helps IT managers identify risk and put a process in place for organizations at both ends of the security maturity model. If IT is more focused on detection, EDR can more quickly find, block and remediate; if IT is still building up a security foundation, EDR is an integral piece that provides much needed threat intelligence”.

On average, organizations that investigate one or more potential security incidents each month spend 48 days a year (four days a month) investigating them, according to the survey. It comes as no surprise that IT managers ranked identification of suspicious events (27%), alert management (18%) and prioritization of suspicious events (13%) as the top three features they need from EDR solutions to reduce the time taken to identify and respond to security alerts.

If IT managers have defense-in-depth with EDR, they can investigate an incident more quickly and use the resulting threat intelligence to help find the same infection across an estate. Once cybercriminals know certain types of attacks work, they typically replicate them within organizations. Uncovering and blocking attack patterns would help reduce the number of days IT managers spend investigating potential incidents.

This report drills down into the specifics of the threats detected (what kind and where), as well as the resources spent on incident investigation. By taking a broader look at industries across geographies and organizational size, this report shines a light on the unexpected challenges facing enterprise security as a whole across the globe.

Read the report in full here, or learn about Sophos Intercept X with EDR.

9

Mar

Strong, unique identities are the core of IoT device security. Giving devices unique identities allows them to be authenticated when they come online and throughout their lifetime, proves their integrity, and lets them communicate securely with other devices, services and users. But how do you know what’s the best of the best?

In the true spirit of an “awards season” that just passed, we think it only makes sense to unveil one more: The market’s pick for best in IoT Security – The GlobalSign IoT Identity Platform! In fact, we just took home a 2019 Silver Cybersecurity Excellence Award – recognizing companies, products and individuals demonstrating excellence, innovation and leadership in information security.

We believe the IoT Identity Platform stands out for its ability to address critical device security requirements. No other product today protects the identity, integrity and privacy of devices and data from chip to cloud through authentication, authorization and encryption while remaining highly scalable. The platform is a high-volume, high-throughput infrastructure, capable of issuing 3,000 certificates per second, which lets customers validate a proof of concept with low-volume test certificates and then scale to millions of identities using the same RESTful API.

The IoT Identity Platform can manage all types of digital certificates in any market vertical or IoT gateway: semiconductor, industrial manufacturing, automotive, smart grid, agriculture, healthcare, construction, logistics and more. The central feature is IoT Edge Enroll, a full-fledged enrollment client used to provision and manage PKI-based identities for IoT devices of all types. Its main function is a Registration Authority with an embedded GlobalSign CA Root of Trust, whitelisting, challenge-response, and policy-based management.

Edge Enroll also includes connectors for hardware security modules (HSMs), and can be deployed in a public or private cloud, on-premises, or as a GlobalSign managed service. The offering supports an expanded list of enrollment and communication protocols in response to the flexibility required by IoT ecosystems. It supports PKCS #7, #10 and #12, can batch certificate requests, and performs private key generation and key escrow. The solution uses TLS for communication and IP address whitelisting, and integrates with secure elements such as Physical Unclonable Functions (PUFs), Trusted Platform Modules (TPMs), and STSafe (STMicroelectronics secure microcontrollers).

Even better, our solution is also being leveraged across a broad range of industries. Just last April, the platform was integrated with the Arm® Mbed™ Cloud platform – allowing any third-party developer using Mbed Cloud to quickly automate issuance of digital certificates from GlobalSign, along with certificate management services. This also ensures every Mbed supported device can have a unique device certificate from a trusted third party such as GlobalSign.

Last year, we also began working with Longview, a Carnegie Technologies company, as it began packaging its newly launched industrial IoT asset management solution. Their development team took an approach that included four key areas: security by design, multiple layers of security, securing the supply chain and partnering for success. Ultimately, Longview IoT packaged the right IoT technologies, including GlobalSign’s IoT Identity Platform, to provide customers with a single, secure, and optimized solution to monitor and manage industrial assets. It delivers end-to-end IoT solutions, pre-configured for various industries and designed to work right out of the box.

The explosion of IoT connected devices is staggering. Although technology has improved manufacturing, enhanced decision-making and improved the safety, comfort and efficiency of our lives – it’s also created the largest attack surface ever. GlobalSign’s IoT Platform rises to this challenge of securing IoT by protecting identity, integrity and privacy of devices and data – from chip to cloud through authentication, authorization and encryption.

So who needs the Oscars? Awards season is over, but our IoT Platform continues to deliver. To learn more, visit https://www.globalsign.com/en/lp/iot-identity-platform/

You can read the original article, here.

6

Mar

Sophos is a strong advocate for thorough independent testing of cybersecurity products to help customers choose what’s right for their environment and for vendors to improve the protection in their technology.

In the 2019 AEP Group Test published by NSS Labs today, our next-gen endpoint solution Intercept X was recognized as having the highest security effectiveness and the most efficient TCO (total cost of ownership) of the 19 endpoint security products tested. We are pleased to see our technology outperform all other products, supporting what our own internal tests and numerous independent reviews have confirmed since the product first launched.

While these results confirm what we already know (and it’s great to get high praise), we encourage every business to evaluate the effectiveness of a solution using multiple independent data points and to assess its ability to work within their environment. We are confident that we have developed the most effective products, but realize that every business is unique, and so is every independent testing report.

Great strides are being made to level the playing fields in cybersecurity testing. Sophos encourages testing to be fair, rigorous, transparent, and collaborative, and it should seek to replicate the threat environment as it exists for customers, not just in lab conditions. Testing labs need to work with vendors to configure environments correctly, vendors should make it easy for their products to be scrutinized, and testing labs should engage end users to specify the features to be reviewed.

As a supporter of the anti-malware testing standards and Board member of AMTSO, Sophos CTO Joe Levy recognizes that while third party cybersecurity tests are not yet perfect, they still have plenty of value.

“Measuring cybersecurity product effectiveness is unimaginably complex. With threats and attack techniques increasing and evolving at an ever-accelerating rate, testing houses need to make extraordinary investments in their laboratories if they are to produce meaningful and rigorous measurements of cybersecurity product effectiveness. But just like all cybersecurity products are not equal, not all testing houses are equal and this remains somewhat opaque to the consumers of their reports, particularly when there is insufficient transparency around methodologies or execution details. Competent independent testing labs provide a great service to vendors and buyers, and are critical to the cybersecurity ecosystem to drive higher standards of protection for all”.

We’re happy to continue to see our products succeed in third party testing and receive awards, and we encourage you to explore the details of the testing reports at www.sophos.com.

If you’re ready to see for yourself, you can download a free trial of Intercept X at www.sophos.com/intercept-x today.

3

Mar

CyberArk aims to make implementing and managing a robust privileged access program as easy as possible for our customers. CyberArk continues to lead the industry with its own investments in innovation to consistently deliver the most value to customers, especially in terms of simplicity, automation and improved operational efficiencies. Over the course of the last calendar year alone, CyberArk introduced dozens of new capabilities to help customers more easily implement and scale their privileged access security controls. Here’s a list of our top seven updates to the Core CyberArk Privileged Access Security solution:

  1. Privileged Session Management for the Cloud – In March of last year, CyberArk acquired cloud security provider Vaultive and rolled the functionality into the CyberArk Privileged Access Security Solution. This provides organizations with greater visibility and control over privileged business users and over social media, SaaS, IaaS and PaaS administrators, and enables customers to manage privileged sessions natively. It introduces yet another method for CyberArk customers to isolate and monitor sessions for web-based applications. These sessions are automatically assigned a risk score, much like any other privileged session in CyberArk, which helps SOC admins take a risk-based approach to securing their most critical assets. Accounts for cloud providers (AWS, Azure, Google Cloud Platform), social media (Twitter, Facebook, LinkedIn) and other web applications such as Salesforce and OpenShift can now be secured while providing a native login experience to the admins and privileged business users of these critical applications.
  2. Integrated threat detection and response – Threat detection, alerts and responses generated by the CyberArk Privileged Access Security Solution are now fully integrated into the main console and are also sent as logs directly to your SIEM tool or other alerting system. CyberArk administrators now have access to in-depth analytics on who or what is using privileged access in the environment, and can see this information in the same place where they set policies, review sessions and log in for their other administrative tasks. They are also able to receive prioritized alerts and initiate automated actions, taking a risk-based approach to privileged access security: tackling the riskiest accounts, credentials and activities first, which reduces clutter and excessive alerts.
  3. Automatic Risky Session Termination – CyberArk provides security teams with the tools they need to automatically suspend or terminate risky privileged sessions based on policy, from the web-based interface or via API. These new tools enable security operations teams to mitigate risk by automatically shutting down or suspending sessions that pose a security risk until they are verified, rather than waiting for a human to identify the problem and act.
  4. PowerShell Utility for Un-Suspending Users – When a suspended user needs to be granted re-entry to CyberArk, instead of losing time on manual intervention to let the user back in, a member of our Customer Success Team, Randy Brown, came up with a clever way to use a PowerShell utility to revive suspended accounts. We’ve made this time-saver available for free on GitHub, where it joins many other useful tools available to our customers.
  5. Automatic Account On-Boarding – Combing through all the privileged accounts that are discovered and onboarding them en masse into the vault can be time consuming. It can also present a security risk when end users create backdoor access to perform their own tasks. With CyberArk’s recent introduction of automatic account onboarding, neither of these is an issue anymore. Automatic account onboarding helps administrators scale their privileged controls with reduced human intervention and increased speed when managing the privileged accounts that present risk to your organization.
  6. Privileged Access Security Installer – When CyberArk released version 10.4, it included the Privileged Access Security Installer, which delivers a massive reduction in the steps required to deploy all of the CyberArk Core Privileged Access Security components. This is part of a concerted effort to support smaller deployments that place all CyberArk components on a single server.
  7. CyberArk Marketplace – Since the launch of the CyberArk Marketplace in 2018, CyberArk has expanded the depth and breadth of ready-to-deploy integrations – especially in key areas such as IT management and security software, Industrial Control Systems, Robotic Process Automation and Identity and Access Management. Customers who use the CyberArk Marketplace can easily find and deploy integrations from CyberArk’s 100+ certified technical partners to bolster their security posture.

What’s Next?

Right now, cybersecurity professionals are having to do more with less. Having solutions, tools and features in place that help security teams use the products in their purview effectively and efficiently is more essential than ever. We recently hosted a webinar that outlines and demonstrates the new capabilities introduced in version 10 that help customers deploy, integrate and scale with CyberArk. Click here to access the recording and learn more!

2

Mar

This course provides an in-depth study of Sophos Central, designed for experienced technical professionals who will be planning, installing, configuring and supporting deployments in production environments. It consists of presentations and practical lab exercises to reinforce the taught content, and electronic copies of the supporting documents for the course will be provided to each trainee through the online portal. The course is expected to take 3 days to complete, of which approximately 9 hours will be spent on the practical exercises.

Sophos Central Architect Training

3 days Training

Wednesday 20 March 2019 – Friday 22 March 2019

Requirements

Prior to attending this course, trainees should:

  • Have completed the Sophos Central Endpoint and Server Protection course and passed the Certified Engineer exam
  • Have experience with Windows networking and the ability to troubleshoot issues
  • Have a good understanding of IT security
  • Have experience using the Linux command line for common tasks
  • Have experience configuring Active Directory Group Policies
  • Have experience creating and managing virtual servers or desktops

Target audience:

This course is designed for technical professionals who will be planning, installing, configuring and supporting deployments in production environments, and for individuals wishing to obtain the Sophos Central Certified Architect certification.

Objectives:

On completion of this course, trainees will be able to:

  • Design an installation considering all variables
  • Undertake a multi-site installation appropriate for a customer environment
  • Explain the function of core components, how they work, and how to configure them
  • Track the source of infections and clean up infected devices
  • Perform preliminary troubleshooting and basic support of customer environments

Certification:

To become a Sophos Certified Architect, trainees must take and pass an online assessment. The assessment tests their knowledge of both the presented and the practical content. The pass mark for the assessment is 80%, and trainees are limited to 3 attempts.

Content

  • Module 1: Deployment Scenarios (60 mins)
  • Module 2: Client Deployment Methods (65 mins)
  • Module 3: Endpoint Protection Policies (80 mins)
  • Module 4: Server Protection Policies (30 mins)
  • Module 5: Protecting Virtual Servers (60 mins)
  • Module 6: Logging and Reporting (45 mins)
  • Module 7: Managing Infections (45 mins)
  • Module 8: Management (65 mins)

Course content

Module 1: Deployment Scenarios (60 mins)

  • Identify some of the common challenges when deploying Central
  • Deploy Update Caches
  • Set up Message Relays
  • Configure AD Sync Utility
  • Identify where Update Caches and Message Relays should be used
  • Labs (45 mins)
  1. Register and activate a Sophos Central evaluation
  2. Install Server Protection
  3. Install and Configure AD Sync Utility
  4. Deploy an Update Cache and Message Relay

Module 2: Client Deployment Methods (65-75 mins)

  • Identify the recommended steps for deploying Sophos Central
  • Explain the installation process, and identify the different types of installer
  • Automate deployment for Windows, Linux and Mac computers
  • Migrate endpoints from Enterprise Console
  • Locate installation log files
  • Remove third-party products as part of a deployment
  • Labs (75-90 mins)
  1. Enable Server Lockdown
  2. Deploy using Active Directory Group Policy
  3. Use the Competitor Removal Tool
  4. Deploy to a Linux Server using a Script

Module 3: Endpoint Protection Policies (80-90 mins)

  • Describe the function and operation of each of the components that make up Endpoint Protection and Intercept X
  • Configure policies to meet a customer’s requirements and follow best practice
  • Test and validate Endpoint Protection
  • Configure exclusions
  • Configure Data Loss Prevention
  • Labs (100-120 mins)
  1. Test Threat Protection Policies
  2. Configure and Test Exclusions
  3. Configure Web Control Policies
  4. Configure Application Control Policies
  5. Configure Data Control Policies

Module 4: Server Protection Policies (30 mins)

  • Configure Server Protection Policies
  • Configure and Manage Server Lockdown
  • Labs (65-75 mins)
  1. Configure Server Groups and Policies
  2. Manage Server Lockdown
  3. Test Linux Server Protection

Module 5: Protecting Virtual Servers (60 mins)

  • Connect AWS and Azure accounts to Sophos Central
  • Deploy Server Protection to AWS and Azure
  • Deploy and Manage Sophos for Virtual Environments
  • Labs (60 mins)
  1. Download the installer for the Security Virtual Machine
  2. Install the Security Virtual Machine (SVM) on a Hyper-V Server
  3. Configure Threat Protection policies to apply to the Security VMs and the Guest VMs they protect
  4. Perform a manual installation of the Guest VM Agent and view logs
  5. Test and configure a script to deploy the GVM Agent
  6. Manage Guest VMs from the Central Console
  7. Test Guest VM Migration

Module 6: Logging and Reporting (45 mins)

  • Explain the types of alert in Sophos Central, and be able to read an RCA
  • Use the Sophos Central logs and reports to check the health of your estate
  • Export data from Sophos Central into a SIEM application
  • Locate client log files on Windows, Mac OS X and Linux
  • Labs (55-60 mins)
  1. Generate and analyze an RCA
  2. Configure SIEM with Splunk

Module 7: Managing Infections (45-60 mins)

  • Identify the types of detection and their properties
  • Explain how computers might become infected
  • Identify and use the tools available to clean up malware
  • Explain how the quarantine works and manage quarantined items
  • Clean up malware on a Linux Server
  • Labs (40 mins)
  1. Source of Infection Tool
  2. Release a File from SafeStore
  3. Disinfect a Linux Server

Module 8: Management (65 mins)

  • Use the Controlled Updates policies appropriately
  • Enable multi-factor authentication
  • Use the Enterprise Dashboard to manage multiple sub-estates
  • Identify the benefits of the Partner Dashboard
  • Identify common licensing requirements
  • Labs (25 mins)
  1. Enable Manually Controlled Updates
  2. Enable Multi-Factor Authentication