Friday, November 17, 2017

[SANS ISC] Top-100 Malicious IP STIX Feed

I published the following diary on isc.sans.org: “Top-100 Malicious IP STIX Feed“.

Yesterday, we were contacted by one of our readers who asked if we provide a STIX feed of our blocked list or top-100 suspicious IP addresses. STIX means “Structured Threat Information eXpression” and enables organizations to share indicator of compromise (IOC) with peers in a consistent and machine readable manner… [Read more]

[The post [SANS ISC] Top-100 Malicious IP STIX Feed has been first published on /dev/random]



from Xavier

Thursday, November 16, 2017

Minimize cybersecurity risk with Software Asset Management

This post is authored by Patam Chantaruck, General Manager of Worldwide Software Asset Management & Compliance.

By 2021, worldwide cybercrime damage is expected to reach $6 trilliondouble what it cost businesses in 2015. Unapproved apps, unmanaged devices, poor password protection, and other security issues are leaving far too many organizations vulnerable to attack. And as organizations embrace digital transformation, it becomes increasingly urgent for them to increase control over their IT infrastructures and reduce security risks.

The question is: where to start?

Driving greater security through software asset management

Software asset management (SAM) is a set of proven IT practices that unites people, processes, and technology to control and optimize the use of software across an organization. SAM is designed to help you control costs, manage business and legal risks, optimize licensing investments, and align IT investments with business needs.

Effective SAM can identify discrepancies between software licenses owned and deployed, thus providing insights into software usage. These insights are then used to devise upgrade plans for each software release that will optimize license use, ensure worthwhile software investments, save money, reduce security risks associated with software piracy, and promote good corporate governance, including management effectiveness and transparency.

Introducing the Microsoft SAM cybersecurity engagement

At Microsoft, we take SAM a step further with our cybersecurity engagement. This comprehensive analysis of your cybersecurity infrastructureincluding your current software deployment, usage, and licensing datahelps to ensure that you have the right processes in place to minimize cyber-risk. Through this engagement we also provide prescriptive cybersecurity guidance and best practices, freeing your organization to focus on innovation instead of protection.

A Microsoft SAM cybersecurity engagement will help you:

  • Minimize data loss, fraud, and employee downtime
  • Save money combatting cyberattacks and increasing efficiencies
  • Securely manage software assets and promote reliable cybersecurity practices
  • Build a resilient IT infrastructure that can quickly respond to threats
  • Ensure that you have a secure and effective defense against attacks

What IDC has to say about SAM

IDC has identified SAM as a key component to securing infrastructure and battling cyberattacks and predicts that an increasing number of organizations will rely on SAM practices to reduce risks. Below is a direct quote from The Business Value of Software Asset Management:

Cyberattacks often take advantage of the high vulnerability of end-of-life (EOL) IT systems and/or software that have ceased to receive product updates and security patches from vendor sources. Understanding risk impact is challenging when there is limited or no understanding of where the assets reside and precisely how the assets support the business. To that end, SAM initiatives enable organizations to quickly discover how many devices and applications are in the environment, along with their location and their warranty status, which can significantly reduce unnecessary cost, waste, and cybersecurity risks. Establishing a comprehensive asset management program provides a common source of record, which enables IT to carry out more timely security patches and identify security threats sooner as well as better respond to software audits. Therefore, asset management should be viewed holistically as an essential component of an effective IT infrastructure, service, and cybersecurity management program.

How SAM helped a sugar manufacturer reduce security risks

Here is one example of how Microsoft SAM for cybersecurity is helping customers around the world.

Ranking as the fourth largest sugar manufacturer in the world, Mitr Phol Group wanted to achieve effective SAM and reduce security risks. They moved away from decentralized IT systems to a more consolidated structure, centralizing the organizations software deployments and management. To further increase the value of their established SAM processes, they became the first company in Thailand to conduct SAM for cybersecurity. As a result, they were able to identify and remediate system vulnerabilities and mitigate security risks and threat impacts while protecting their sensitive data.

SAM should be a key part of your security strategy. And Microsoft can help. To learn more, visit www.microsoft.com/sam to hear how other customers are benefiting. Find a SAM partner near you to help you establish Software Asset Management practice.



from Microsoft Secure Blog Staff

[SANS ISC] Suspicious Domains Tracking Dashboard

I published the following diary on isc.sans.org: “Suspicious Domains Tracking Dashboard“.

Domain names remain a gold mine to investigate security incidents or to prevent some malicious activity to occur on your network (example by using a DNS firewall). The ISC has also a page dedicated to domain names. But how can we detect potentially malicious DNS activity if domains are not (yet) present in a blacklist? The typical case is DGA’s of Domain Generation Algorithm used by some malware families… [Read more]

 

[The post [SANS ISC] Suspicious Domains Tracking Dashboard has been first published on /dev/random]



from Xavier

Wednesday, November 15, 2017

[SANS ISC] If you want something done right, do it yourself!

I published the following diary on isc.sans.org: “If you want something done right, do it yourself!“.

Another day, another malicious document! I like to discover how the bad guys are creative to write new pieces of malicious code. Yesterday, I found another interesting sample. It’s always the same story, a malicious document is delivered by email. The document was called ‘Saudi Declare war Labenon.doc’ (interesting name by the way!). According to VT, it is already flagged as malicious by many antiviruses… [Read more]

[The post [SANS ISC] If you want something done right, do it yourself! has been first published on /dev/random]



from Xavier

Tuesday, November 14, 2017

"Why a Phishing Click Rate of 0% is Bad"

Working with hundreds of organizations around the world, one of the most commonphishing questions I'm often asked is "What should our click rate be for our phishing assessments"? Or, "We got a 17% click rate on our phishing simulation, is that a good or bad number?" Well, it all depends. First, it really depends on … Continue reading Why a Phishing Click Rate of 0% is Bad

from lspitzner

Saturday, November 11, 2017

[SANS ISC] Keep An Eye on your Root Certificates

I published the following diary on isc.sans.org: “Keep An Eye on your Root Certificates“.

A few times a year, we can read in the news that a rogue root certificate was installed without the user consent. The latest story that pops up in my mind is the Savitech audio drivers which silently installs a root certificate. The risks associated with this kind of behaviour are multiple, the most important remains performing MitM attacks. New root certificates are not always the result of an attack or infection by a malware. Corporate end-points might also get new root certificates… [Read more]

 

[The post [SANS ISC] Keep An Eye on your Root Certificates has been first published on /dev/random]



from Xavier

Thursday, November 9, 2017

A decade inside Microsoft Security

Ten years ago, I walked onto Microsofts Redmond campus to take a role on a team that partnered with governments and CERTs on cybersecurity. Id just left a meaningful career in US federal government service because I thought it would be fascinating to experience first-hand the security challenges and innovation from the perspective of the IT industry, especially within Microsoft, given its presence around the US federal government. I fully expected to spend a year or two in Microsoft and then resume my federal career with useful IT industry perspectives on security. Two days after I started, Popular Sciences annual Ten worst jobs in science survey came out, and I was surprised to see Microsoft Security Grunt in sixth place. Though the article was tongue-in-cheek, saluting those who take on tough challenges, the fact that we made this ignominious list certainly made me wonder if Id made a huge mistake.

I spent much of my first few years hearing from government and enterprise executives that Microsoft was part of the security problem. Working with so many hard-working engineers, researchers, security architects, threat hunters, and developers trying to tackle these increasingly complex challenges, I disagreed. But, we all recognized that we needed to do more to defend the ecosystem, and to better articulate our efforts. Wed been investing in security well before 2007, notably with the Trustworthy Computing Initiative and Security Development Lifecycle, and we continue to invest heavily in technologies and people – we now employ over 3,500 people in security across the company. I rarely hear anymore that we are perceived as a security liability, but our work isnt done. Ten years later, Im still here, busier than ever, delaying my long-expected return to federal service, helping enterprise CISOs secure their environments, their users, and their data.

Complexity vs. security

Is it possible, however, that our industrys investments in security have created another problem – that of complexity? Have we innovated our way into a more challenging situation? My fellow security advisors at Microsoft have shared customer frustrations over the growing security vendor presence in their environments. While these different technologies may solve specific requirements, in doing so, they create a management headache. Twice this week in Redmond, CISOs from large manufacturers challenged me to help them better understand security capabilities they already owned from Microsoft, but werent aware of. They sought to use this discovery process to identify opportunities to rationalize their security vendor presence. As one CISO said, Just help me simplify all of this.

There is a large ecosystem of very capable and innovative professionals delivering solutions into a vibrant and crowded security marketplace. With all of this IP, how can we best help CISOs use important innovation while reducing complexity in their environments? And, can we help them maximize value from their investments without sacrificing security and performance?

Best-of-suite capabilities

Large enterprises may employ up to 100 vendors technologies to handle different security functions. Different vendors may handle identity and access management, data loss prevention, key management, service management, cloud application security, and so on. Many companies are now turning to machine learning and user behavior technologies. Many claim best of breed or best in class, capabilities and there is impressive innovation in the marketplace. Recognizing this, we have made acquisition a part of Microsofts security strategy – since 2013 weve acquired companies like Aorato, Secure Islands, Adallom, and most recently Hexadite.

Microsofts experience as a large global enterprise is similar to our enterprise customers. Weve been working to rationalize the 100+ different security providers in our infrastructure to help us better manage our external dependencies and more efficiently manage budgets. Weve been moving toward a default policy of Microsoft first security technology where possible in our environment. Doing so helps us standardize on newer and familiar technologies that complement each other.

That said, whether we build or buy, our focus is to deliver an overall best in suite approach to help customers deploy, maintain, monitor, and protect our enterprise products and services as securely as possible. We are investing heavily in the Intelligent Security Graph. It leverages our vast security intelligence, connects and correlates information, and uses advanced analytics to help detect and respond to threats faster. If you are already working with Microsoft to advance your productivity and collaboration needs by deploying Windows 10, Office 365, Azure, or other core enterprise services, you should make better use of these investments and reduce dependency on third-party solutions by taking advantage of built-in monitoring and detection capabilities in these solutions. A best-of-suite approach also lowers the costs and complexity of administering a security program, e.g. making vendor assessments and procurement easier, reducing training and learning curves, and standardizing on common dashboards.

Reducing complexity also requires that we make our security technologies easy to acquire and use. Here are some interesting examples of how our various offerings connect to each other and have built-in capabilities:

  • The Windows Defender Advanced Threat Protection(ATP) offer seamlessly integrates with O365 ATP to provide more visibility into adversary activity against devices and mailboxes, and to give your security teams more control over these resources. Watch this great video to learn more about the services integration. Windows Defender ATP monitors behaviors on a device and sends alerts on suspicious activities. The console provides your security team with the ability to perform one-click actions such as isolating a machine, collecting a forensics package, and stopping and quarantining files. You can then track the kill chain into your O365 environment if a suspicious file on the device arrived via email. Once in O365 ATP, you can quarantine the email, detonate a potentially malicious payload, block the traffic from your environment, and identify other users who may have been targeted.
  • Azure Information Protection provides built-in capabilities to classify and label data, apply rights-management protections (that follows the data object) and gives data owners and admins visibility into, and control over, where that data goes and whether recipients attempt to violate policy.

Thousands of companies around the world are innovating, competing, and partnering to defeat adversaries and to secure the computing ecosystem. No single company can do it all. But by making it as convenient as possible for you to acquire and deploy technologies that integrate, communicate and complement each other, we believe we can offer a best-of-suite benefit to help secure users, devices, apps, data, and infrastructure. Visit https://www.microsoft.com/secure to learn about our solutions and reach out to your local Microsoft representative to learn more about compelling security technologies that you may already own. For additional information, and to stay on top of our investments in security, bookmark this Microsoft Secure blog.


Mark McIntyre, CISSP, is an Executive Security Advisor (ESA) in the Microsoft Enterprise and Cybersecurity Group. Mark works with global public sector and commercial enterprises, helping them transform their businesses while protecting data and assets by moving securely to the Cloud. As an ESA, Mark supports CISOs and their teams with cybersecurity reviews and planning. He also helps them understand Microsofts perspectives on the evolving cyber threat landscape and how Microsoft defends its enterprise, employees and users around the world.



from Jenny Erie