Paul Shread, Author at eSecurity Planet
https://www.esecurityplanet.com/author/paul-shread-2/
Industry-leading guidance and analysis for how to keep your business secure. Feed last updated Tue, 14 Nov 2023 16:12:04 +0000.

‘Rapid Reset’ DDoS Attack Hits HTTP/2 Web Servers
https://www.esecurityplanet.com/threats/rapid-reset-ddos-attack-http2-servers/
Tue, 10 Oct 2023 17:10:26 +0000

The post ‘Rapid Reset’ DDoS Attack Hits HTTP/2 Web Servers appeared first on eSecurity Planet.

A vulnerability in the HTTP/2 protocol dubbed “Rapid Reset” has led to record DDoS attacks on web servers in recent months. Google, AWS and Cloudflare jointly revealed the attacks and vulnerability today, but noted that every modern web server remains vulnerable to the attack technique. Web server vendors and projects also announced mitigation measures and patch plans.

Google said the attacks peaked at 398 million requests per second (rps) — more than five times larger than the previous record set in February 2023 — and more web traffic in two minutes than Wikipedia received in the entire month of September. Cloudflare said it saw attacks peak just above 201 million requests per second.

Google, AWS and Cloudflare said they were able to limit damage from the attacks. “While initially we saw some impact to customer traffic — affecting roughly 1% of requests during the initial wave of attacks — today we’ve been able to refine our mitigation methods to stop the attack for any Cloudflare customer without it impacting our systems,” Cloudflare said.

One troubling fact is that the attackers were able to generate the attack with a botnet of just 20,000 machines. “There are botnets today that are made up of hundreds of thousands or millions of machines,” Cloudflare said in a technical blog post on the vulnerability (CVE-2023-44487). “Given that the entire web typically sees only between 1–3 billion requests per second, it’s not inconceivable that using this method could focus an entire web’s worth of requests on a small number of targets.”

Equally troubling is how widespread the vulnerability is.

‘Every Modern Web Server’ Affected

Cloudflare noted that because the attack abuses an underlying weakness in the HTTP/2 protocol, “we believe any vendor that has implemented HTTP/2 will be subject to the attack. This included every modern web server.”

“We, along with Google and AWS, have disclosed the attack method to web server vendors who we expect will implement patches. In the meantime, the best defense is using a DDoS mitigation service like Cloudflare’s in front of any web-facing web or API server.”

Web server vendors and open source projects, including Apache Tomcat, Microsoft and several others, issued guidance for dealing with the vulnerability; the growing number of announcements can be found in the CVE listing.

NGINX, for example, recommended a number of configuration changes to minimize the attack surface:

  • keepalive_requests should be kept at the default setting of 1000 requests
  • http2_max_concurrent_streams should be kept at the default setting of 128 streams
  • limit_conn enforces a limit on the number of connections allowed from a single client and should be added “with a reasonable setting balancing application performance and security”
  • limit_req enforces a limit on the number of requests that will be processed within a given amount of time from a single client, and should also balance application performance and security.

NGINX said it will issue a patch tomorrow that will impose a limit on the number of new streams that can be introduced within one event loop. The limit will be set at twice the value configured using the http2_max_concurrent_streams directive. “The limit will be applied even if the maximum threshold is never reached, like when streams are reset right after sending the request (as in the case of this attack),” NGINX said.

How the HTTP/2 ‘Rapid Reset’ Attack Works

In a technical blog post on the HTTP/2 “Rapid Reset” attack, Google noted that “A primary design goal of HTTP/2 was efficiency, and unfortunately the features that make HTTP/2 more efficient for legitimate clients can also be used to make DDoS attacks more efficient.”

In essence, Rapid Reset abuses the HTTP/2 stream cancellation feature: the client sends a request and immediately cancels it, over and over, on the same connection.

The HTTP/2 protocol lets clients indicate to a server that a previous stream should be canceled by sending a RST_STREAM frame, Google noted. The protocol does not require the client and server to coordinate the cancellation, and the client may do so unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed.

“This attack is called Rapid Reset because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request,” Google said. “The request is canceled, but leaves the HTTP/2 connection open.”

The HTTP/2 Rapid Reset attack built on this capability is simple, Google said:

“The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately. The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth.”

In a typical HTTP/2 server implementation, the server “will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource,” Google said.

For reverse proxy implementations, “the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client. Another advantage the attacker gains is that the explicit cancellation of requests immediately after creation means that a reverse proxy server won’t send a response to any of the requests.”

Mitigations can take multiple forms, but mainly center around tracking connection statistics and using signals and business logic to determine how useful each connection is, Google said. “For example, if a connection has more than 100 requests with more than 50% of the given requests canceled, it could be a candidate for a mitigation response. The magnitude and type of response depends on the risk to each platform, but responses can range from forceful GOAWAY frames as discussed before to closing the TCP connection immediately.

“To mitigate against the non-cancelling variant of this attack, we recommend that HTTP/2 servers should close connections that exceed the concurrent stream limit. This can be either immediately or after some small number of repeat offenses.”
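The accounting behind both the NGINX guidance above (the concurrent-stream limit and the patch's cap on new streams per event loop) and Google's cancel-ratio heuristic, as an added example. This is not code from the article, NGINX, Google or Cloudflare: it models only the server side of one connection, sends nothing over the network, and the class, function and field names, the event-loop model and the two frame traces are constructed for illustration. Only the frame types (HEADERS, RST_STREAM, GOAWAY) and the quoted thresholds (128 streams, twice that per event loop, more than 100 requests with more than 50% cancelled) come from the text.

```python
from dataclasses import dataclass, field

# Thresholds the article quotes: NGINX's default http2_max_concurrent_streams,
# the per-event-loop cap in NGINX's patch (2x that), and Google's cancel heuristic.
MAX_CONCURRENT_STREAMS = 128
NEW_STREAMS_PER_LOOP = 2 * MAX_CONCURRENT_STREAMS
CANCEL_MIN_REQUESTS = 100
CANCEL_RATIO = 0.5


@dataclass
class ConnState:
    """Per-connection counters a server or proxy keeps (field names assumed)."""
    open_streams: set = field(default_factory=set)
    peak_concurrent: int = 0
    requests: int = 0          # HEADERS frames accepted
    cancelled: int = 0         # RST_STREAM frames seen
    new_this_loop: int = 0     # new streams since the event loop last turned
    work_units: int = 0        # work the server already did per request
    verdict: str = ""          # first mitigation that fired, if any


def process_frame(st: ConnState, kind: str, stream_id: int, mitigations: frozenset) -> bool:
    """Apply one client frame; return False once the connection is condemned."""
    if st.verdict:
        return False
    if kind == "HEADERS":
        # SETTINGS_MAX_CONCURRENT_STREAMS counts only streams still open,
        # which is exactly the limit Rapid Reset never trips.
        if len(st.open_streams) >= MAX_CONCURRENT_STREAMS:
            st.verdict = "concurrent stream limit exceeded"   # GOAWAY / close
            return False
        st.open_streams.add(stream_id)
        st.peak_concurrent = max(st.peak_concurrent, len(st.open_streams))
        st.requests += 1
        st.new_this_loop += 1
        st.work_units += 1  # headers decompressed, URL routed, maybe proxied upstream
        if "loop_cap" in mitigations and st.new_this_loop > NEW_STREAMS_PER_LOOP:
            st.verdict = "too many new streams in one event loop"
            return False
    elif kind == "RST_STREAM":
        st.open_streams.discard(stream_id)  # cancellation is unilateral and immediate
        st.cancelled += 1
        if ("cancel_ratio" in mitigations
                and st.requests > CANCEL_MIN_REQUESTS
                and st.cancelled / st.requests > CANCEL_RATIO):
            st.verdict = "cancel ratio heuristic"
            return False
    return True


def run(frames, frames_per_loop: int = 10_000, mitigations=()) -> ConnState:
    """Feed a frame sequence through one connection, turning the event loop
    every frames_per_loop frames (a crude stand-in for one socket read)."""
    st = ConnState()
    mit = frozenset(mitigations)
    for i, (kind, sid) in enumerate(frames):
        if not process_frame(st, kind, sid, mit):
            break
        if (i + 1) % frames_per_loop == 0:
            st.new_this_loop = 0
    return st


def rapid_reset(n: int):
    """Constructed attack trace: HEADERS immediately followed by RST_STREAM, n times."""
    for k in range(n):
        sid = 2 * k + 1          # client-initiated streams use odd IDs
        yield ("HEADERS", sid)
        yield ("RST_STREAM", sid)


def legitimate(n: int):
    """Constructed trace: n requests opened and left for the server to answer."""
    for k in range(n):
        yield ("HEADERS", 2 * k + 1)


if __name__ == "__main__":
    u = run(rapid_reset(1000))
    print(f"unmitigated: peak concurrent={u.peak_concurrent}, "
          f"server work units={u.work_units}, verdict={u.verdict!r}")
    for m in (("loop_cap",), ("cancel_ratio",)):
        st = run(rapid_reset(1000), mitigations=m)
        print(f"{m[0]}: stopped after {st.requests} requests ({st.verdict})")
    slow = run(rapid_reset(1000), frames_per_loop=100, mitigations=("loop_cap",))
    print(f"loop_cap with 50 new streams per loop: verdict={slow.verdict!r}")
```

Running it shows the asymmetry the article describes: the unmitigated trace never has more than one stream open, so the stock concurrency limit never fires, yet the server pays for all 1,000 requests. The per-event-loop cap stops a single burst at the 257th stream and the cancel-ratio check at the 101st; spreading the same attack over many event loops (50 new streams per read) slips past the loop cap but not the ratio check, which is why connection-level statistics matter alongside the patch. The non-cancelling variant, 129 requests left open, is the one the plain concurrency limit catches.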

Cisco to Acquire Splunk for $28 Billion
https://www.esecurityplanet.com/trends/cisco-to-acquire-splunk-for-28-billion/
Thu, 21 Sep 2023 14:06:47 +0000

The post Cisco to Acquire Splunk for $28 Billion appeared first on eSecurity Planet.

In a blockbuster deal that could shake up the cybersecurity market, Cisco announced this morning that it will acquire Splunk for $28 billion.

If the deal clears regulatory hurdles, it would give Cisco a big position in the market for centralized cybersecurity management solutions like security information and event management (SIEM) and security orchestration, automation and response (SOAR) in addition to Cisco’s already sizable presence in network and endpoint security — and position the combined company for new comprehensive cybersecurity solutions like extended detection and response (XDR) just as security buyers are increasingly consolidating vendors.

Combined with Splunk’s sizable position in infrastructure and application management and Cisco’s dominant position in networking, the deal has the potential to remake a number of enterprise IT markets.

Why Cisco and Splunk Are a Match

Splunk was an early mover in the market for cloud SIEM solutions, which gave it a strong early advantage. Over time, however, competitors have emerged, and Splunk’s high pricing has become a disadvantage in the face of lower-cost rivals. Cisco has also lost ground to more nimble cybersecurity competitors but still boasts a strong customer base thanks to its networking dominance.

Cisco-Splunk Acquisition Timeline

In a tacit acknowledgement of the obstacles the deal may face, Cisco noted that it could take a year to close. “It is expected to close by the end of the third quarter of calendar year 2024, subject to regulatory approval and other customary closing conditions including approval by Splunk shareholders,” the company’s press release stated.

“Our combined capabilities will drive the next generation of AI-enabled security and observability,” Cisco Chair and CEO Chuck Robbins said in a statement. “From threat detection and response to threat prediction and prevention, we will help make organizations of all sizes more secure and resilient.”

Upon the acquisition’s close, Splunk President and CEO Gary Steele will join Cisco’s Executive Leadership Team and report to Chair and CEO Chuck Robbins.

Palo Alto Networks PA Series Review: NGFW Features & Cost
https://www.esecurityplanet.com/products/palo-alto-networks-pa-series/
Thu, 29 Jun 2023 18:59:38 +0000

The post Palo Alto Networks PA Series Review: NGFW Features & Cost appeared first on eSecurity Planet.

Palo Alto Networks boasts a long history of innovation and strong independent test scores, earning our rating as the top overall cybersecurity company. Enterprise security buyers might pay a premium for Palo Alto products, but they can typically buy with confidence.

That said, the next-generation firewall (NGFW) market — where we also list Palo Alto as a leader — has gotten tougher in recent years, with low-cost competitors like Versa Networks and Sangfor offering good firewalls at lower cost. Forcepoint and Fortinet have made an effort to compete on price too, and Check Point remains strong at the high end, so there’s no room for any vendor to rest on their laurels. With nearly $7 billion in annual revenue and a 20%+ growth rate, Palo Alto (PANW) has the resources to stay competitive in the network security market.

We’ll discuss Palo Alto’s wide-ranging firewall lineup, including features, performance and security — and a surprising recent development — plus buying considerations and alternatives.

Palo Alto Firewall Ratings

We’ve rated Palo Alto firewalls in a number of key areas. We go into detail below, but here’s an overview of our review findings.

Palo Alto Network Firewalls Rated

Feature                        Our rating   Explanation
Firewall Product Lineup        Very Good    High-end features even in low-cost products
Pricing and Performance        Good         Great features come at a cost
Security                       Very Good    A recent hiccup in a great long-term track record
Cloud Features                 Tops         Support for many use cases
Management and Implementation  Very Good    Surprisingly easy to deploy and use
Support                        Fair         Room for improvement

Palo Alto’s Firewall Product Lineup

Palo Alto remains a clear leader in the NGFW market it invented. Gartner placed Palo Alto in the Leaders quadrant and gave it the highest ratings in its latest next-generation firewall Magic Quadrant (MQ). It was also named a Leader in a Forrester Wave for Enterprise Firewalls.

Palo Alto NGFW appliances range from the low-end PA-220 to the high-end PA-7000 Series, plus virtual, cloud and container firewalls and SD-WAN options. The firewalls run PAN-OS and can be managed centrally through the Panorama console.

Palo Alto boasts a single-pass architecture to maximize performance and security, with full Layer 7 protection, machine learning-based inline prevention, and centralized user identity and access control.

Even low-cost Palo Alto firewall appliances include advanced features like ML-based detection, AIOps policy recommendations, behavioral analysis, IoT device detection, application classification, and adaptive policies for users and groups regardless of device or location.

Pricing and Performance

Pricing for Palo Alto Networks NGFWs starts at around $1,000 for the PA-220, while the high-end PA-7000 starts around $200,000 and goes up from there. Threat prevention throughput for the ruggedized PA-220R can hit 320Mbps, while the high-end PA-7080 can reach 300Gbps and 6 million new sessions per second.

Pricing for Palo Alto firewalls tends toward the higher range of the market, but users give high ratings to the firewalls’ capabilities, which is not surprising when you consider that even the PA-220R contains many features of the high-end models. In recent testing, CyberRatings rated Palo Alto at the upper end of the market in price per Mbps.

By comparison, the very high-end Check Point Maestro Hyperscale Orchestrator 28600 can start at around $500,000 and scale to 1.5Tbps.

Security

This is where it gets interesting, as we hinted earlier. Palo Alto has a long string of top independent security test results going back at least five years, so it’s noteworthy that the company came in toward the bottom of the solutions tested in CyberRatings’ recently released firewall tests.

That said, many of the misses came in just two evasion techniques, HTTP obfuscation and compression, so the issues CyberRatings identified in the PA-3220 (v10.2.3) are fixable. We maintain our high rating on Palo Alto’s security given the company’s long history of top scores in MITRE, CyberRatings, NSS Labs and other evaluations, and props to CyberRatings for their extensive firewall testing.

Management and Implementation

To their credit, Palo Alto engineers have built a high-end firewall that offers user-friendly implementation and management.

Here’s a typical comment from a banking IT manager, who calls the firewalls “incredibly easy to deploy.” The IT manager says the management interface is “intuitive and easy to navigate.”

The Expedition migration tool makes it easy to convert an existing policy to a zone-based policy that can be loaded onto the firewall. Other management features getting high marks include FQDN address objects, External Dynamic Lists (EDL), rule-based log forwarding, and management of apps, customers, and content from a single interface.

Another user, a network security engineer in the transportation industry, noted that while plug-and-play features may be great for the unsophisticated, security pros seeking to customize the firewalls will have to work for it.

The engineer said Palo Alto firewalls are “awesome for somebody who just wants to unpack the box, connect it to network and leave it with default settings. But if you need something more and start to dig in, you will discover lots of bugs and limitations. On the other hand, all bugs can be fixed and all missing features can be added sometime in the future.”

Cloud Features

Support for cloud environments is an area where Palo Alto shines. With virtual firewalls and support for Azure, AWS, 5G and containers, Palo Alto’s NGFW lineup is far ahead of most competitors.

With strong branch office, campus and data center offerings, Palo Alto firewalls are particularly appealing for enterprises with a range of use cases.

Support

This is the one area where Palo Alto could do better. There are plenty of instances where Palo Alto firewall customers are happy with the support they receive, but it’s also the area users complain about the most, with a number of criticisms of the cost, timeliness and effectiveness of support. Both Gartner Peer Insights reviewers and G2 reviewers give Palo Alto below-average ratings for firewall support.

Palo Alto Firewall Alternatives

The market for next-generation firewalls is one of the best-served markets in cybersecurity, with offerings ranging from very low-cost to very high-end.

Among alternatives, Fortinet, Versa and Forcepoint offer good security and performance at lower cost, while Palo Alto’s most formidable high-end competitor is Check Point.

Whichever firewall you choose, evaluate product features carefully to make sure you get the firewall that best meets your needs.

Bottom Line: Palo Alto Firewalls

Palo Alto Networks has been a leader in the market for next-generation firewalls since the company coined the term in 2008, now 15 years ago. Buyers looking for advanced features even at the lowest price points will find much to like in Palo Alto firewalls, and those buying at the high end of the market have few alternatives. But the rise of strong competition in the low-end and midrange markets means the company will have to work to stay on top of the firewall market.

Drew Robb contributed to this product review and analysis.

Security Buyers Are Consolidating Vendors: Gartner Security Summit
https://www.esecurityplanet.com/trends/security-buyers-consolidate-vendors/
Wed, 07 Jun 2023 18:35:19 +0000

Security buyers are consolidating vendors at an unprecedented rate, leading to a number of converged security platforms. Here are the details.

The post Security Buyers Are Consolidating Vendors: Gartner Security Summit appeared first on eSecurity Planet.

IT security buyers are consolidating vendors at an overwhelming rate, according to a speaker at this week’s Gartner Security & Risk Management Summit.

In a session on cybersecurity market trends and growth opportunities, Gartner analyst and VP Neil MacDonald said 75% of security buyers are pursuing vendor consolidation, up from just 29% in 2020.

“Customers want fewer providers,” he said.

MacDonald’s talk was directed at vendors rather than buyers, and he cautioned them: “Don’t just throw a bunch of stuff together; make it work better.”

Security Products Merge Into Platforms

As part of that trend, security products are consolidating too, MacDonald said. He noted 10 areas where cybersecurity products are merging into broader platforms (see slide below).

Converged Cybersecurity Platforms chart from Gartner

Secure web gateways, CASB and zero trust network access (ZTNA) are merging to become security service edge (SSE), he said — and with the addition of SD-WAN technology, SSE becomes secure access service edge (SASE).

EDR, NDR and identity threat detection and response (ITDR) are merging into XDR platforms, even as XDR joins with SIEM and SOAR to become security operations platforms.

In cloud security, cloud workload protection platforms (CWPP) are joining with cloud security posture management (CSPM) and software composition analysis (SCA) to become workload security and CNAPP platforms.

Other broad security platforms highlighted by MacDonald include:

  • Data Security: Includes DLP, digital asset management and data-centric audit and protection (DCAP)
  • Workplace Security: Combines UEM, secure email gateways and EDR
  • Attack Surface Management: external & cyber asset ASM (EASM and CAASM) and digital risk protection services (DRPS)
  • Identity and Access Management: Includes access management, PAM and identity governance and administration (IGA)
  • Integrated Risk Management: Digital rights management (DRM), vendor risk management (VRM), and GRC

Consolidation has been a central theme at the Gartner security conference in recent years. Cybersecurity mesh and decentralized identity were big themes in 2021 and hyperautomation was an emerging technology last year, and those trends came up again in a number of presentations this year.

CTEM, CIEM and AMTD Highlight Emerging Tech

Gartner is perhaps the biggest source of acronyms in the cybersecurity industry, and the 2023 event was no exception. CTEM, CIEM and AMTD are three emerging technologies that security pros might want to familiarize themselves with.

CTEM stands for continuous threat exposure management and is something like a continuous vulnerability management program (slide below from Gartner analyst Rich Addiscott).

Continuous Threat Exposure Management (CTEM) chart from Gartner

CIEM is short for cloud infrastructure entitlement management, which controls cloud user and entity permissions (slide below from Gartner analyst Andrew Bales).

AMTD stands for automated moving target defense, which combines a number of security technologies to protect assets as they change states (slide below from Gartner analyst Mark Wah).

Automated Moving Target Defense (AMTD) Objective infographic from Gartner

Western Digital Cyber Attack a ‘Wake Up Call for ASIC Vendors’
https://www.esecurityplanet.com/threats/western-digital-cyber-attack/
Wed, 10 May 2023 14:33:22 +0000

The post Western Digital Cyber Attack a ‘Wake Up Call for ASIC Vendors’ appeared first on eSecurity Planet.

Update: In a statement on the extent of the data breach disclosed last month, Western Digital said it has control of its digital certificate infrastructure and is “equipped to revoke certificates as needed.”

“Regarding reports of the potential to fraudulently use digital signing technology allegedly attributed to Western Digital in consumer products, we can confirm that we have control over our digital certificate infrastructure,” the company said. “In the event we need to take precautionary measures to protect customers, we are equipped to revoke certificates as needed. We’d like to remind consumers to always use caution when downloading applications from non-reputable sources on the Internet.”

Original article:

A massive cyber attack targeting drive maker Western Digital Corp. (WDC) could potentially have serious and long-term implications.

One of the hackers apparently disclosed the extent of the cyber attack to TechCrunch this week. Hackers accessed a range of company assets and stole about 10 terabytes of data, but the disclosure with the greatest potential for damage is that the hackers claim to have the ability to impersonate WDC code-signing certificates.

TechCrunch said the hacker “shared a file that was digitally signed with Western Digital’s code-signing certificate, showing they could now digitally sign files to impersonate Western Digital. Two security researchers also looked at the file and agreed it is signed with the company’s certificate.”

Western Digital isn’t commenting for now, as the company works to contain and determine the extent of the attack, which the company disclosed on April 2.

But depending on what code and data the hackers got access to, the worst-case scenario is that cyber criminals could create malicious firmware and sign it with Western Digital’s certificate to vouch for its authenticity. That could make malicious activity on any affected hardware difficult to detect, and render the hardware essentially worthless.

As one Slashdot commenter put it, “Everyone should assume that firmware on WD drives cannot be trusted at this point.”

While it remains to be seen what the hackers accessed and how they could deliver malicious firmware, one industry observer told eSecurity Planet that the worst-case scenario would mean that WDC “would need a new ASIC and signing infrastructure.”

“This should be a wake up call for every ASIC vendor in the world,” the observer said. “We need WDC to tell us exactly what’s at stake, and quickly.”

In addition to Western Digital’s substantial hard disk drive (HDD) and solid state drive (SSD) market share, the company also owns flash drive maker SanDisk.

This article was originally published April 14, 2023 and updated with Western Digital’s statement.

MITRE ResilienCyCon: You Will Be Breached So Be Ready
https://www.esecurityplanet.com/networks/resiliencycon-you-will-be-breached-so-be-ready/
Thu, 17 Nov 2022 22:24:56 +0000

The post MITRE ResilienCyCon: You Will Be Breached So Be Ready appeared first on eSecurity Planet.

Speakers at last week’s MITRE ResilienCyCon conference had a surprisingly candid message for attendees: You will likely be breached at some point so focus on the controls and response capabilities your organization needs to survive a cyber attack.

The conference’s focus on cyber resilience doesn’t mean that organizations should abandon core security defenses like EDR, access control and firewalls, but they should be prepared for the advanced threats that will, at some point, get past them. That also means making sure that systems will be able to continue to function, even at a reduced capacity, during an attack.

The general lack of focus on resilience, response and recovery is largely reflected in vendor offerings too. JupiterOne CISO Sounil Yu, creator of a Cyber Defense Matrix adopted by OWASP, noted the concentration of security products in protection and detection and wondered, “Is our industry actually solving the right problems?”

Sounil Yu: Lack of security response & recovery products

How to build in that cyber resiliency was the focus of a number of talks at the conference.

Patching Is Hard. Real Hard.

Unpatched vulnerabilities are at fault in anywhere from a third to more than half of all data breaches, depending on the study, so it’s natural to wonder why organizations don’t do a better job of patch management. The answer, based on a couple of presentations at the conference, is that patching is incredibly difficult to get right, requiring way more attention than most companies can afford to give it.

Art Ocain, VP for Cybersecurity and Incident Response at Airiam, noted that patching should be approached with a continuous deployment mindset, so teams should be able to patch 10 times a day.

Phil Venables, CISO of Google Cloud, said Google Cloud treats patching like another company might treat its top revenue-generating applications, with continuous updates similar to what a development team would use (see slides below).

In addition to keeping up with patches, fixes and mitigations across applications, operating systems and endpoint and network hardware — there are roughly 20,000 new vulnerabilities a year, and several hundred of those are actively exploited by hackers — many organizations don’t even know everything they own, so asset management is part of the problem too.

The sheer difficulty is one reason that vulnerability management as a service (VMaaS) and similar services have been gaining traction among security buyers.

Google’s cloud security is well regarded (and the company has shared some documentation of its security architecture and practices too). Venables spent much of his presentation discussing the many ways Google Cloud reduces concentration risk (see slide below).

Backup Is Hard. Really Hard.

Ransomware is the most feared cybersecurity threat, and with good reason: Its ability to destroy and steal data is almost without peer.

That double threat — exfiltration and destruction/encryption — makes backup and encryption of data critically important for recovery and to avoid extortion when hackers threaten to release sensitive data.

“Immutable backups” are often touted as the answer here. But even those need to be secured with unusual care: Ocain said Airiam has to take extra steps to protect even the laptop of the backup manager, because hackers will find it. Keys and credentials are stored in a key vault so individual admins don’t hold them. The slide below shows the controls the MSSP has built into its backup and disaster recovery systems to keep customer data safe.

Continuous pentesting and ransomware simulations are among Airiam’s many controls. As Ocain put it, the company’s evolution “from good MSP to good resilience provider” was born of necessity, and the company is now called in to consult on high-profile ransomware cases.

Also read: Building a Ransomware Resilient Architecture

Prepare Now

The conference — held in McLean, Va., and virtually — had a strong government and financial services focus, two sectors with high security needs that understand the limits of security tools and the need for resilience. That element gave the conference an air of realism: No one was claiming that they could stop every threat, and the focus was on the layers of defense that can keep an attack from spiraling out of control.

Government agencies and industries with high security needs have faced attacks and know they will continue, but most smaller businesses and non-IT companies don’t have the time or money to focus on cyber attacks until they happen. ResilienCyCon showed the error of that thinking. Those secondary layers of defense and response are critical, and are far cheaper than dealing with the consequences of an attack. They can make the difference between bending and breaking, so businesses would be wise to prepare now.

Read next: Best Incident Response Tools and Software

Get the Free Cybersecurity Newsletter

Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

The post MITRE ResilienCyCon: You Will Be Breached So Be Ready appeared first on eSecurity Planet.

MSSPs Fare Well in First MITRE Evaluations
https://www.esecurityplanet.com/cloud/mitre-mssp-tests/
Thu, 10 Nov 2022 00:53:09 +0000

The post MSSPs Fare Well in First MITRE Evaluations appeared first on eSecurity Planet.

If MITRE Engenuity’s new MSSP evaluations are any indication, managed security service providers are a little like children from Lake Wobegon: They’re all above average.

Of the 15 MSSPs that participated in MITRE’s first-ever security services testing, only three failed to report attack techniques in all 10 of the evaluation steps, and in two of those cases it was because the test did not execute successfully due to a web shell failure.

While the sample is small – by some estimates there are roughly 10,000 MSSPs – it nonetheless should be reassuring to MSSP customers that the vendors charged with defending their networks have demonstrable cybersecurity expertise. As there are few measures of security effectiveness, and none better than MITRE, it would benefit information-starved security buyers if more service providers participated in future rounds.

Ashwin Radhakrishnan, general manager of MITRE Engenuity’s ATT&CK Evals, said in a statement that the organization decided to evaluate MSSPs because of their growing importance.

“More than half of organizations use security service providers to protect their data and networks,” Radhakrishnan said. “We wanted to research how they are employing threat-informed defense practices for their clients. We don’t rank the vendors in our evaluations. Organizations, however, can use the Evals to determine which service providers may best address their cybersecurity gaps and fit their particular business needs.”

See the Best Managed Detection and Response (MDR) Services and the Top MSSPs

MSSP Tests Look At Reporting, Not Detection

MITRE is best-known for its endpoint security product evaluations, but there are some important differences between the organization’s product and services evaluations.

The MSSP evaluations examined how vendors performed under techniques that simulated attacks from the OilRig Iranian threat group, which was chosen because of its “evasion and persistence techniques, its complexity, and its relevancy to industry,” MITRE said.

The evaluation examined the MSSPs’ ability to report ATT&CK Techniques across 74 techniques and 10 steps, from initial compromise through lateral movement, exfiltration and cleanup.

An important emphasis in the new tests is on the word “report” rather than the detections measured in MITRE’s endpoint tests. MITRE purple teamers evaluated whether an ATT&CK Technique was reported or not, rather than whether it was detected by the service provider, MITRE said.

“In many cases, the service provider may have detected the ATT&CK Technique under test but chose not to report it to MITRE Engenuity because they believe it is unnecessary information, or they believe it can be implied or assumed by other information provided to MITRE Engenuity,” MITRE said on the MSSP evaluation’s overview page. “In order for an ATT&CK Technique to be considered Reported, the activity provided to MITRE Engenuity must contain sufficient context to explain the activity. Things like raw telemetry with no added analysis provided by the service provider were not considered Reported.”

That means the data provided by the tests isn’t as clear as it is in the product evaluations. So while we’ve recorded below the number and percentage of techniques reported by the MSSPs, as always it’s important to dig into the data and find what’s relevant for your organization’s needs.

In a blog on interpreting the results, Radhakrishnan noted a number of important considerations, among them:

  • Not all techniques are equal: “A service provider reporting on Process Discovery might not have the same value as a service provider reporting on Credential Dumping due to the severity of the action.”
  • Not all procedures are equal: “Process Discovery (T1057) via Command-Line Interface (T1059) can be detected with most process monitoring. Process Discovery via API (T1106) would need API monitoring. A service provider could have reported one, but not the other.”

The Results

With those significant caveats, here is some basic data from the evaluations.

Only one MSSP – BlackBerry – failed to report any findings on one of the 10 steps, the five techniques where the attackers download and install a web shell on the Exchange Web Server (EWS) for persistence. BlackBerry found plenty in the other 9 steps, however.

Palo Alto Networks and NVISO couldn’t participate in a handful of the 74 techniques, which couldn’t be executed because of a web shell failure.

And a 16th vendor, Trend Micro, did not have its results published after inadvertently finding “sensitive information.”

“Although Trend Micro participated and completed testing for this inaugural round, after an unintended situation, Trend Micro promptly and responsibly shared that their team had found sensitive information to MITRE Engenuity,” Radhakrishnan told eSecurity Planet. “Based on the agreement between MITRE Engenuity and Trend Micro, MITRE Engenuity did not publish Trend Micro’s results.”

So with those caveats, here are the raw numbers and percentages of the 74 attack techniques reported by the MSSPs:

MSSP                 Techniques reported   Rate
CrowdStrike          73                    98.65%
Microsoft            70                    94.59%
SentinelOne          63                    85.14%
Palo Alto Networks   58 (out of 69)        84.10%
Rapid7               62                    83.78%
Red Canary           62                    83.78%
Sophos               62                    83.78%
NVISO                58 (out of 70)        82.86%
BlueVoyant           61                    82.43%
Bitdefender          60                    81.08%
OpenText             60                    81.08%
WithSecure           59                    79.73%
CriticalStart        56                    75.68%
BlackBerry           45                    60.81%
Atos                 39                    52.70%

Healthcare Cyberattacks Lead to Increased Mortality, Lower Patient Care: Ponemon Study
https://www.esecurityplanet.com/trends/healthcare-cyberattacks-increase-mortality/
Thu, 08 Sep 2022 20:00:48 +0000

The post Healthcare Cyberattacks Lead to Increased Mortality, Lower Patient Care: Ponemon Study appeared first on eSecurity Planet.

Nearly a quarter of healthcare organizations hit by ransomware attacks experienced an increase in patient mortality, according to a study from Ponemon Institute and Proofpoint released today.

The report, “Cyber Insecurity in Healthcare: The Cost and Impact on Patient Safety and Care,” surveyed 641 healthcare IT and security practitioners and found that the most common consequences of cyberattacks are delayed procedures and tests, resulting in poor patient outcomes for 57% of the healthcare providers, followed by increased complications from medical procedures. The type of attack most likely to have a negative impact on patient care is ransomware, leading to procedure or test delays in 64% of the organizations and longer patient stays for 59% of them.

The Ponemon report comes with a caveat that the numbers depend on the accuracy of self-reporting and thus don’t have the weight of, say, an epidemiological study that looks at hospital mortality baseline data before and after an attack, but the data is similar to what Ponemon found last year and there have been a number of reports of patient deaths and other complications from ransomware attacks.

Also read: After Springhill: Assessing the Impact of Ransomware Lawsuits

Healthcare Cyberattacks Common – And Costly

The new report found that 89% of the surveyed organizations have experienced an average of 43 cyberattacks in the past 12 months. The most common types of attacks were cloud compromise, ransomware, supply chain, and business email compromise (BEC)/spoofing/phishing.

Ponemon chairman and founder Larry Ponemon said in a statement that “Most of the IT and security professionals regard their organizations as vulnerable to these attacks,” and that growing adoption of technologies such as cloud, mobile, big data, and the Internet of Things (IoT) are adding to that risk.

The Internet of Medical Things (IoMT) is a top concern for survey participants. Healthcare organizations have an average of more than 26,000 network-connected devices, yet only 51% of the surveyed organizations include them in their cybersecurity strategy.

Healthcare organizations are better at cloud security, with 63% taking steps to prepare for and respond to cloud compromise attacks, and 62% having taken steps to prevent and respond to ransomware — but that still leaves nearly 40% of healthcare organizations more vulnerable than they should be.

Preparedness is even worse for supply chain attacks and BEC, with only 44% and 48% having a documented response to those attacks, respectively.

Healthcare cybersecurity tools likely have a high return on investment (ROI), even though roughly half of the survey respondents say they lack sufficient staffing and in-house expertise.

The financial costs of healthcare cyberattacks are high, the report noted, costing an average of $4.4 million in the last 12 months, with productivity loss creating the most significant financial impact at $1.1 million.

“Healthcare has traditionally fallen behind other sectors in addressing vulnerabilities … and this inaction has a direct negative impact on patients’ safety and wellbeing,” stated Ryan Witt, Proofpoint’s healthcare cybersecurity leader. “As long as cybersecurity remains a low priority, healthcare providers will continue to endanger their patients. To avoid devastating consequences, healthcare organizations must understand how cybersecurity affects their patient care and take the steps toward better preparedness that protects people and defends data.”

Ponemon: Effects of ransomware on patient care
Ponemon: Effects of four common cyberattacks on healthcare

Healthcare Security Defenses

Two of the more common healthcare cybersecurity defenses the report found are training and awareness programs and employee monitoring.

Threat intelligence also ranks high among respondents, used via network traffic (57 percent), firewall/IPS traffic (53 percent), dark web data (46 percent) and user behavior (44 percent).

The healthcare organizations are better at access control, with nearly 80% reporting use of adaptive access and authentication controls, and 74% reporting use of multiple identity federation standards like SAML.

Ponemon and Proofpoint held a briefing yesterday to preview the report, joined by two healthcare CISOs: Hussein Syed of RWJBarnabas Health and Dan Anderson of LifeScan Global.

Anderson stressed the need for proper security controls and staffing, noting that his organization has “experienced threat hunters on our network every day and they know when something doesn’t look right.” That’s preferable to an incident response service, he said, where an incident responder would need to learn the system in real time.

Shutting down local admin privileges on endpoints, monitoring software downloads, zero trust, phishing tests and training, and understanding the flow of data are other important controls that Anderson highlighted.

Syed said healthcare cybersecurity is a “long game” covering everything from hygiene up to EDR and access management. “It really is a building block, … strategic approach toward building that security posture,” he said.

Read next: Zero Trust Speeds Ransomware Response, Illumio-Bishop Fox Test Finds

eSecurity Planet’s 2022 Cybersecurity Product Awards
https://www.esecurityplanet.com/products/esecurity-planet-2022-cybersecurity-product-awards/
Wed, 17 Aug 2022 19:39:24 +0000

The post eSecurity Planet’s 2022 Cybersecurity Product Awards appeared first on eSecurity Planet.

The editors of eSecurity Planet have been giving advice to enterprise security buyers for more than a decade, and for the last five years we’ve been rating the top enterprise cybersecurity products, compiling roughly 50 lists to date on every product imaginable, from networks to endpoints and out to the cloud and beyond.

This year, for the first time, we’re ranking the overall best companies and products in 14 of those categories. While there are many other products that might prove best for particular organizations and use cases, these are the products that most stood out to us because of their innovation, breadth of features, and strong security performance. You can read more about our methodology here.

There is no substitution for your own testing and analysis, of course, but this list will serve as an introduction to the breadth and depth of our product coverage. Congratulations to our 2022 winners – and to the hundreds more who have made our top cybersecurity product lists.

Best Cybersecurity Solutions:


Best Cybersecurity Company: Palo Alto Networks

Purple eSecurity Planet Badge: Best Overall Cybersecurity Vendors 2022.

Winner: Palo Alto Networks

Finalists: Fortinet, CrowdStrike, Cisco

Palo Alto Networks has topped our list of the best cybersecurity companies for a couple of years running. Consistently high independent test scores, a history of innovation, and a broad portfolio that touches all the hottest markets has landed Palo Alto on 17 of our top product lists, including cutting-edge markets like XDR and SASE. The security market is a deep one, however, and our list contains everything from recent startups to first-generation antivirus vendors that are still going strong, 30 names in all.

See our full list of the Top Cybersecurity Companies.


Top Cybersecurity Startup: Abnormal Security

Purple eSecurity Planet Awards badge: Best Cybersecurity Startups 2022.

Winner: Abnormal Security

Finalists: Wiz, Cado Security

While the ecosystem of cybersecurity startups is crowded with many advanced and innovative solutions, Abnormal Security earns our pick as the top startup by focusing on the universal threat vector of email communications, still the greatest source of cyber attacks. Abnormal Security’s core product utilizes behavioral AI to block malicious email attacks, with add-ons for account takeover prevention, productivity enhancement, and mailbox automation. Wiz and Cado have developed innovative approaches to cloud security and forensics, innovation that has kept venture capital flowing despite economic headwinds.

See our list of the Hottest Cybersecurity Startups.


Best EDR Solutions: Palo Alto and SentinelOne

Purple eSecurity Planet Badge: Best EDR Solution.

Winners: Palo Alto Networks and SentinelOne

Finalists: CrowdStrike, Cynet, Trend Micro

Here we have a tie: Palo Alto’s Cortex XDR platform offers the best overall security in our opinion, with consistently high independent test results and advanced features while not losing sight of ease of use and value. Tied with Palo Alto is SentinelOne, which manages to combine high security and ease of use, a great combination for a range of markets.

This is a market packed with high-quality products, so don’t overlook others in this space. CrowdStrike and Cynet have impressed us with their security and innovation. And if you’re looking at broader XDR platforms, Trend Micro is a feature-packed offering with very good security that manages to offer good value too. The fast-growing managed detection and response (MDR) market is another area worth exploring.

See our full list of the Top EDR Solutions.


Best Next-Generation Firewall (NGFW): Palo Alto Networks

Purple eSecurity Planet Badge: Best Firewalls.

Winner: Palo Alto Networks

Finalists: Fortinet, Check Point

Competing with firewall giants like Check Point and Fortinet, we believe the market’s best next-generation firewall (NGFW) belongs to Palo Alto Networks. The cybersecurity vendor’s industry-recognized line of NGFWs covers on-premises, virtual, container, and cloud-delivered firewall solutions. PAN’s more extensive portfolio expands to emerging technologies for SASE, CNAP, and XDR. Fit for SMBs up to enterprise-scale organizations and MSSPs, Palo Alto Networks’ innovation and security capabilities in the hybrid infrastructure era have been pivotal to its staying power. A top rating from CyberRatings is just the latest in a string of accolades for Palo Alto.

See our complete list of Top NGFWs.


Best SIEM Solution: Exabeam

Purple eSecurity Planet Badge: Best SIEM Tools.

Winner: Exabeam

Finalists: Splunk, LogRhythm, IBM

This year’s pick for the top Security Information and Event Management (SIEM) solution goes to the fast riser, Exabeam. Launched in 2013, Exabeam’s Fusion platform combines SIEM and XDR capabilities to offer organizations an automated threat detection, investigation, and response (TDIR) solution. Exabeam Fusion offers a stack of security features akin to SIEM solutions from IBM, LogRhythm, and Splunk, with specializations in insider threats and compliance.

See our complete list of the Top SIEM tools.


Best Intrusion Detection and Prevention System (IDPS): Trend Micro

Purple eSecurity Planet Badge: Best Intrusion Detection & Prevention Systems.

Winner: Trend Micro

Finalist: Cisco

Founded in 1988, multinational vendor Trend Micro’s intrusion detection and prevention capabilities only came to fruition in recent years. A robust cybersecurity portfolio plus the acquisition of HP’s TippingPoint Intrusion Prevention System (IPS) in 2016 gave Trend Micro the foundation for its industry-leading IDPS solution. Dueling it out with Cisco’s Next-Generation IPS (NGIPS), Trend Micro TippingPoint offers threat intelligence, centralized insight, and real-time security to protect IT infrastructure.

See our full list of Top IDPS Solutions.


Best Breach and Attack Simulation (BAS) Solution: AttackIQ

Purple eSecurity Planet Badge: Best Breach & Attack Simulation Vendors 2022.

Winner: AttackIQ

Finalists: Cymulate, Picus Security

The top solution in the emerging breach and attack simulation (BAS) sector belongs to San Diego-based AttackIQ. Competing with upstart BAS vendors like Cymulate and Picus Security, AttackIQ’s platform, capabilities, and user reviews impressed us the most. The AttackIQ Security Optimization Platform offers a friendly user interface, MITRE-informed threat intelligence, and real-time testing of an organization’s defensive posture.

See our full list of the Top BAS Solutions.


Best Encryption Solution: Micro Focus

Purple eSecurity Planet Badge: Best Encryption Software 2022.

Winner: Micro Focus

Finalists: IBM, Opaque Systems

We’ll give the nod to Micro Focus Voltage SecureData – with the caveat that quantum and data-in-use encryption makes this one of the most dramatically changing areas in cybersecurity these days. Voltage SecureData is a cloud-native solution that’s good for secure high-scale cloud analytics, hybrid IT environments, payment data protection, SaaS apps and more. It protects both structured and unstructured data in use, at rest, in the cloud, and in analytics, checking all the important boxes. But others to watch in the space include IBM and Opaque Systems, two companies with strong research and innovation capabilities.

See our full list of Top Encryption Software.


Best Small Business Security Product: Syxsense

Purple eSecurity Planet Badge: Best Small Business Cybersecurity Solutions 2022.

Winner: Syxsense

Finalists: Zerto, Trend Micro

Syxsense Enterprise is a Unified Security and Endpoint Management (USEM) solution that delivers real-time vulnerability monitoring and remediation for every endpoint in an environment, as well as IT management, patch management and mobile device management (MDM) across all endpoints. If you’re looking for a complete security solution, it’s tough to beat. Others offering comprehensive security solutions include Zerto and Trend Micro.

See our full list of SMB Security Solutions.


Best Secure Email Gateway: Perception Point

Purple eSecurity Planet Badge: Best Email Security Platform 2022.

Winner: Perception Point

Finalists: Proofpoint, Barracuda, Mimecast

Secure email gateways remain one of the most important enterprise security technologies, as spoofing and phishing remain the biggest entry point for cyber attackers. Proofpoint, Barracuda and Mimecast lead the market, but a number of innovators have popped up in this critical market. We’re going to give the nod to one of those newcomers: 7-year-old Israel-based Perception Point. The company’s Prevention-as-a-Service solution stops phishing, BEC, ATO, spam, malware, zero-days, and N-days before they reach enterprise users, and an incident response service is included at no extra cost. We’ll quote one Gartner user review: “We did a very detailed evaluation [of] about 15+ E-Mail security solutions… The vendor was new to us but we compared capabilities in a very fact based approach. The solution showed both in prevention capabilities (simultaneous pen-testing to other modern products) and in Incident response support capabilities the best results on the market.”

Just about everyone on our top secure email gateways list deserves an honorable mention, and some new players have emerged that will have us revisiting that list soon enough.

And an additional honorable mention: Ever notice how good Gmail is at blocking spam and phishing emails?


Best Vulnerability Scanning and Management Tool: Rapid7 InsightVM

Purple eSecurity Planet Badge: Best Vulnerability Scanning Tool 2022.

Winner: Rapid7

Finalist: Qualys

Vulnerability scanning and management is another critical market – after all, unpatched vulnerabilities remain one of the easiest entry or escalation points for attacks – but it’s also one of the most difficult things to get right. Security teams and sysadmins need to know which vulnerabilities matter the most – and which ones apply to them. Here we’ll give the award to Rapid7 InsightVM, which scans local, remote, cloud, containerized and virtual infrastructure and assesses business risk and likelihood of attack. The product also has a reputation as one of the easier ones to use. Qualys VMDR remains a formidable player in this market, but we’re giving Rapid7 the nod based on its overall higher user reviews. Both can get the job done – along with a number of our other picks for best vulnerability scanners and vulnerability management tools.


Best IAM Solution: Cisco Duo

Purple eSecurity Planet Badge: Best IAM Software 2022.

Winner: Cisco

Finalists: Okta, Ping

Identity and access management (IAM) is another changing cybersecurity market. In the case of IAM, it’s become an easy way for companies to start their zero trust journey, and thus a number of IAM leaders have also been early leaders in zero trust. Cisco has put together a remarkably strong zero trust portfolio, and at its heart is Duo, our top IAM product. Duo gets high marks for ease of use and value, and adaptive authentication, device visibility and application integration are standout features. This is another market loaded with strong offerings: Okta and Ping are our other finalists based on their strong market presence.

See all our picks for top IAM solutions.


Best NAC Solution: Cisco ISE

Purple eSecurity Planet Badge: Best NAC Solutions 2022.

Winner: Cisco

Finalists: Fortinet, Extreme Networks, HPE Aruba

Network access control (NAC) is similar to IAM but operates at the device and network level. The major players in the NAC market typically have networking or firewall backgrounds, and so do our top picks. Cisco ISE is our overall winner, managing to post high scores both for value and capabilities, but there’s so much depth and strength here that we’re going to name three other finalists: Fortinet FortiNAC, Extreme Networks ExtremeControl, and HPE Aruba ClearPass.

See all of our top NAC solutions.


Best Security Awareness Training: KnowBe4

Purple eSecurity Planet Badge: Best Cybersecurity Awareness Training 2022.

Winner: KnowBe4

Finalists: Ninjio, Proofpoint

Finally, we’ve already mentioned the critical role that end users play in cybersecurity, so few cybersecurity investments are more important than employee awareness training. KnowBe4 remains the clear market leader while retaining an edge in ease of use, but Ninjio and Proofpoint are other compelling security awareness training solutions.

See our full list of Top Security Awareness Training Solutions.

Sam Ingalls and Drew Robb contributed to this report.

Our Top Security Vendor Methodology
https://www.esecurityplanet.com/products/our-top-security-vendor-methodology/
Fri, 01 Jul 2022 00:00:00 +0000

The post Our Top Security Vendor Methodology appeared first on eSecurity Planet.

We gather information from a range of IT industry sources for our top security products articles. Our most frequently used sources have been analyst firms Gartner and Forrester, testing organizations MITRE and Cyber Ratings, and user review sites Gartner Peer Reviews and G2. We interview company officials and scour data sheets. We interview users and impartial experts. We aggregate all information to best inform our content, and you, our guest.

We analyze security and threat-blocking ability, performance, ease of implementation, ease and richness of management, technical support, and customer satisfaction, among other features. The evaluation criteria vary depending on the product area. We then score each product, typically giving more weight to security performance and incident response abilities.

We usually limit the list to eight to 10 products but in particularly strong markets we’ve included more. There are products outside our list that merit consideration, of course, and we’ve sometimes included those as honorable mentions.
