Chad Kime, Lead Writer, eSecurity Planet (https://www.esecurityplanet.com/author/chad-kime/)

5 Key Cybersecurity Trends to Know in 2024
https://www.esecurityplanet.com/trends/cybersecurity-trends/
Fri, 30 Aug 2024 19:00:00 +0000

The cybersecurity space is constantly changing. Discover the cybersecurity trends you should expect to see in 2024.

As we’ve made our way through 2024, it’s helpful to consider the events of the past couple years and developing trends in the cybersecurity industry. After receiving input from industry experts and doing my own analysis of the year’s driving forces, I identified five major cybersecurity trends. We need to consider how each of these trends may affect our organizations and allocate our budgets and resources accordingly:

  • AI-charged cybersecurity and cyberthreats: Artificial intelligence (AI) will boost both attackers and defenders while causing governance issues and learning pains.
  • Next-level cybercrime: Cyberattackers will implement improved skills, “shift left” attacks, and shifting strategies to adjust to evolving cyberdefense.
  • Exploding attack surfaces: Cyberdefense complexity will compound as API, cloud, edge, and OT resources add to the list of assets to defend.
  • Increased action from governments: Expect more government regulations, state-sponsored cyberattacks, and increased documentation required to protect CISOs.
  • Last year’s security issues continue: Weak IT fundamentals, poor cybersecurity awareness, and ransomware will still cause problems and make headlines.
  • Bottom line: Prepare now so you’re ready to manage your team’s risk.
[Figure: Five trends: AI Turbo-charged Cybersecurity & Cyberthreats, Cybercrime Goes Next Level, Attack Surface Explodes, Increased Government Action, 2023 Cybersecurity Issues Will Continue]

AI-Charged Cybersecurity & Cyberthreats

For better or worse, the development of artificial intelligence (AI) has continued to accelerate. Various forms of AI, such as machine learning (ML) and large language models (LLM), already dominated headlines throughout 2023 and continue to present both overhyped possibilities and realized potential in 2024. Industry experts recognize that AI will require governance action, cause learning pains, and will be used to both improve and weaken cybersecurity.

AI Governance

Regardless of any positive, negative, or neutral attitudes towards AI, all organizations will need to develop an official stance, develop policies, and apply those policies consistently. Without guidelines, organizations risk unfettered use of AI, data leaks, and having no recourse for unethical AI use within the organization.

Sharad Varshney, CEO of OvalEdge, put AI use in a familiar framework. “The same issue that faces generative AI-based innovations is the same for everything else: all roads in anything IT-related start and end with data — the most critical component of every system,” he said.

“Organizations faced similar security visibility and control challenges with SaaS apps like Box or Dropbox,” added Kunal Agarwal, founder and CEO of dope.security. “Organizations will look to understand what apps employees are using, evaluate whether they should be paid for by the company (to control), accept the risk, or block the app… the company can choose to educate (through a warning page) or block the app entirely.”

“AI-related innovations will create new possibilities we’re not even considering at the moment,” cautioned Manny Rivelo, CEO of Forcepoint. “Moving forward, organizations of all sizes will need to create and expand corporate AI policies that govern how employees can interact safely with AI. And AI security policies will need to extend beyond commercial AI tools to also cover internally-developed GPTs and LLMs.”

For more on governance and policies, check out our article on IT security policies, including their importance and benefits, plus tips to create or improve your own policy. Also consider learning about the top governance, risk, and compliance tools to identify the best one for you.

Dangers of Using AI

As with any emerging technology, many organizations should expect errors and growing pains as teams learn the nuances of applying the technology. Yet these dangers can be offset through training to minimize issues.

Phil Nash, developer advocate at Sonar, cautioned that “successes from using AI tools to write code will lead to overconfidence in the results, and ultimately a breach will be blamed on the AI itself.”

“Before companies can effectively and safely use generative AI tools, employees must be educated on utilizing best practices: writing prompts that achieve desired outcomes, keeping data security and privacy in mind when inputting data, identifying the quality and security of AI, verifying AI output, and more,” said Arti Raman, CEO of Portal26.

AI-Improved Security

Many vendors began marketing AI-enhanced products years ago, and experts see continuing development of AI as an advantage for improved cybersecurity.

Aiden Technologies CEO Josh Aaron predicted that AI will “enhance the effectiveness of software patch management among security professionals [by] leveraging AI for risk assessment and prioritization in patch management [and] a move towards systems that not only detect vulnerabilities but also autonomously determine the best ways to remediate them [by] employing machine learning algorithms.”

Similarly, Mike Anderson, CIO and CDO of Netskope, saw more general benefits. “In the coming year, I think we will see generative AI be used to analyze a company’s existing policies, regulatory requirements, and threat landscape to generate tailored security policies. I also think we will also see generative AI used to continuously monitor a company’s network and systems for policy violations and automatically respond to issues.”

AI-Powered Cybercrime

Despite the advancements in using AI to improve security, cybercriminals also have access to AI and large language models. Expect cybercriminals to embrace the power of AI to enhance their threat capabilities.

Melissa Bishoping, director and endpoint security research specialist at Tanium, emphasized the importance of personal contact to avoid falling for deepfake scams. “If someone contacts you to perform a personal or professional transaction, it is always better to seek additional verification when you are unable to physically verify the individual over the phone,” she said.

“Often, just hanging up and calling a known, trusted contact number for the ‘caller’ who reached out to you can expose the scam. In business, establishing workflows that rely on more robust forms of authentication that cannot be spoofed by an AI – FIDO2 security tokens, multiple-person approvals and verifications are a good place to start.”

In addition to enabling cyberattacks, AI will also be used to create more believable disinformation to attack both governments and businesses. Andy Patel, researcher at WithSecure, said that “AI will be used to create disinformation and influence operations in the runup to the high-profile elections of 2024. This will include synthetic written, spoken, and potentially even image or video content.

“Disinformation is going to be incredibly effective now that social networks have scaled back or completely removed their moderation and verification efforts,” he added. “Social media will become even more of a cesspool of AI and human-created garbage.”

Next-Level Cybercrime

While cybercriminals have always shown strong adaptability and opportunism, experts expect attackers to further develop their capabilities and strategies throughout 2024. Some attacks will be aided by technology, while others will be more strategic in nature as companies strengthen cyberdefense against older attacks. Threat actor strategies include using the dark web, exploiting development environments, and capitalizing on both old and new vulnerabilities.

Improved Attacker Skills

In addition to the use of AI, we should expect cybercriminals to incorporate their access to dark web information to make attacks much more believable and widespread.

“While AI is still in the early stages of precisely answering questions, it has reached a sophisticated level in generating text in multiple languages, surpassing the well-known limitations of existing translators,” explained Alessandro Di Pinto, Director of Security Research, for Nozomi Networks. “The emergence of AI as a tool for crafting convincing text circumvents [grammar errors], significantly enhancing the likelihood of success in such attacks.”

Deepfakes will likely play a part in this AI-assisted approach to scams, too. “The use of deepfake techniques in fraudulent activities… will elevate the sophistication of phishing fraud, making it increasingly challenging for users to distinguish between legitimate services and scams,” said Ricardo Villadiego, founder and CEO of Lumu.

If AI models have access to dark web data, they’re much more prepared to be convincing. “By training such models with PII data that is readily available on dark web marketplaces, attack lures that are much more personal and enterprise specific can be created at scale,” concluded Eric George, the director of solution engineering for digital risk and email protection at Fortra.

“In addition to being more believable, detection evasion tactics ensure that the attacks only present themselves to the intended target and otherwise “play dead” for detection processes. This combined increase in plausibility and deliverability increases the attacker ROI as well as the damages incurred.”

The ability to detect AI-based attacks, particularly ones that use evasion tactics, will become a critical requirement for security services like EDR.

Cybercrime Shifts Left

As development and operations (DevOps) teams use automation to transition to development, security, and operations (DevSecOps), attackers find themselves with less human error to exploit. Recent successes with poisoned open-source libraries and other development channels used to deliver malware will continue to push attacks deeper into the development supply chain for both traditional and new technologies.

Mario Duarte, VP of Security at Snowflake, saw that “attackers are now looking for ways in through developer environments, because that’s where human mistakes can still be discovered and exploited, and we’ll unfortunately see this escalate as suspicious actors become increasingly mature in the coming year.

“Because the threats originate in the code, they’re that much more challenging to uproot. It’s harder for security teams to defend against such attacks, and it’s even more challenging to create baselines for acceptable development activity than for an automated, well-managed production environment,” Duarte said.

Javed Hasan, CEO and co-founder of Lineaje, offered a blunt warning: “The best time to compromise AI is when it is being built.” He claimed it’s most vulnerable during the development phase.

“Like today’s software, AI is largely built using open-source components,” Hasan said. “Identifying who created the initial AI models, what biases are embedded, and which developers were involved with what intentions are crucial for closing gaps in an organization’s security posture.” Least privilege access is critical here — only a few people should be in charge of model development, and they should carefully document their work and be closely supervised.

Dmitry Sotnikov, CPO at Cayosoft, emphasized the effect of attacks on the software supply chain. “In the first half of 2024, we’ve witnessed how consequential software and service supplier downtime can be to businesses and lives dependent on their uptime,” he said.

“The most glaring example is Synnovis, a pathology service whose downtime in June has exposed 400GB of patient information and postponed thousands of London-based outpatient appointments and cancer treatments. The compromise of dealership management system provider CDK effectively crippled 15,000 car dealership operations across the US.”

Sotnikov also addressed the importance of secure identity systems in protecting supply chains. Identity systems are one of the biggest targets for attackers because they provide so much useful data to navigate and access company resources.

“If you are forced to do one thing to improve your resiliency here, the most impactful would be implementing a modern recovery system with a daily tested process to create and test a safe isolated standby replica of your Active Directory,” Sotnikov said about protecting identity systems from attacks. “This would allow you to instantly switch back to the standby, unaffected version of your Active Directory in the event of a successful attack.”

Shifting Strategies in Response to Shifting Security

As cybersecurity teams eliminate vulnerabilities and add security to block current attacks, cybercriminals will adjust to attack easier targets or change tactics. This includes exploiting older vulnerabilities as well as capitalizing on newer strategies. Recently, security researchers have found flaws almost two decades old that threat actors could still exploit if they chose to; they may aim for this low-hanging fruit as well as attacking newer systems.

Ricardo Villadiego, founder and CEO of Lumu, expects passwordless architecture adoption to increase as organizations work to fight phishing campaigns. “However, this disruptive change from traditional models will prompt a change in the focus of phishing campaigns to bypass these new architectures,” Villadiego said.

“In response, adversaries will increasingly target obtaining complex variables from the device’s environment, which they will use to bypass new authentication methods.”

Joe Payne, president and CEO at Code42, believes biometrics will trigger a shift to insider threats. “As organizations quickly adopt technologies like Okta Fastpass, which uses biometrics for authentication instead of passwords… we expect an increase in two areas: breaches caused by social engineering (already on the rise), and breaches caused by Insiders (already over 40% of all breaches).

“Insiders who have legitimate access to source code, sales forecasts and contacts, and HR data continue to take data from organizations when they depart for competitors or start their own companies,” Payne said. “As we reduce the ability of hackers to access our data using weak passwords, the focus on solving the insider problem will become more pronounced.”

Authentication continues to gain importance, and technology continues to develop new MFA options and passwordless options such as passkeys.

Exploding Attack Surfaces

Even as AI turbocharges attack and defense and cybercriminals expand their capabilities, the attack surfaces that security teams need to defend will grow at a rapid pace – well beyond standard network security. New and formerly overlooked technologies and connections will become targeted by specialized cybercriminals seeking poorly defended API, cloud, edge, and OT resources.

API Attacks

Application programming interfaces (APIs) provide automated, generally trusted connections between applications and resources. Andy Grolnick, CEO of Graylog, cautioned teams about increasing attacks against them.

“In 2023, ransomware is still the dominant threat in the minds of security teams,” he said. “However, 2024 will be the year that API security preparedness and threats gain momentum. Security APIs are a challenge because they are:

  • Simple to navigate and an easy attack
  • Dark, hidden and hard to track unlike movements on the Web
  • Internal responsibility is not always clear and CISOs haven’t largely set strategies and ownership.”

Cloud Risks

The continuing rise in cloud adoption will also expand the attack surface and increase interest for cybercriminals to attack cloud resources. Organizations will need to consider specialized cloud security tools and implement cloud security best practices.

Neeraj Singh, senior security researcher at WithSecure, saw “an increase in activities that introduce new technologies and processes that haven’t been thoroughly secured. Cloud services, with their new interfaces, APIs, and communication channels, offer additional targets for attackers, thereby expanding the potential attack surface.”

“Third-party risk will evolve as a big data-security-related challenge in the coming year as organizations of all sizes continue their transition to the cloud,” said Mike Scott, CISO at Immuta.

“It’s clear teams can’t accomplish the same amount of work at scale with on-prem solutions as they can in the cloud, but with this transition comes a pressing need to understand the risks of integrating with a third party [cloud provider] and [to] monitor that third party on an ongoing basis.”

Cloud security has been a hot topic for years, but as more workloads shift to the cloud, the opportunities for threat actors increase. Before migrating data and applications to a third-party provider, teams need to confirm that the necessary protective measures are in place. This includes asking probing questions about the cloud provider’s security processes.

Chen Burshan, CEO of Skyhawk Security, envisioned a “rise in cloud-native security incidents that have no perimeter and multiple attack vectors. This is going to shift the market perception because enterprises will realize that no matter how thoroughly they secure the perimeter, threat actors will get in,” Burshan said.

“Cloud security posture management and cloud native application protection will not prevent a breach, and it will not detect a threat in real time. This will increase the maturity of current security practices and accelerate the adoption of solutions like cloud investigation and response automation and cloud-native threat detection and response.”

Edge Exposure

Even as attackers pursue API and cloud attacks, more organizations push computing out to edge resources beyond any network controls. While many envision attacks on smart cars and surveillance cameras, servers exposed in the demilitarized zone (DMZ), such as MOVEit servers, also provide tantalizing edge targets.

Stephen Robinson, senior threat intelligence analyst at WithSecure, noted “the recent MOVEit compromise by the ransomware group Cl0p will begin to inspire more mass exploitation campaigns targeting edge data transfer servers in a similar vein. MOVEit was typically used for reliable transfer of large volumes of important files between organizations.

“Cl0p exploited MOVEit servers to gain access to and exfiltrate these important, valuable files,” Robinson said. “For a ransomware group, access to large volumes of valuable data is the end goal; they had no need to go further into the network than the exposed, vulnerable MOVEit servers. I expect to see more copycat attacks where the value is the exploited server itself, not the access it provides to the rest of the network.”

OT Exposure

Operational technology (OT) used to be unconnected and safely ignored by cybersecurity teams. However, the rise of connected industrial motors, sensors, and industrial control systems (ICS) now provides a tempting target with less mature security.

Edgard Capdevielle, CEO of Nozomi Networks, declared, “We’re at risk of the next Colonial Pipeline. Cyber attacks against critical infrastructure are too easy – we’re still vulnerable and unprotected. If this isn’t more widely spoken about or prioritized, there will be another attack on critical operational technology systems within the country, targeting an industry such as oil, energy, hospitals, or airports.”

The ransomware attack on Colonial Pipeline exposed overlooked OT security and the potential disruption to US infrastructure from a single failure. This event subsequently led to an executive order and guidance on ransomware in 2021.

Increased Action From Governments

As technology progresses at a rapid pace and cybercrime strikes out at an ever-expanding landscape of opportunities, governments will attempt to regulate, influence, and exert control over the cyber sphere.

Increasing Regulation

Decades of use and abuse of computer systems led to early regulation, such as Europe’s General Data Protection Regulation (GDPR) adopted in 2016 and California’s Consumer Privacy Act (CCPA) passed in 2018. This year sees the first enforcement of two new laws in the European Union: the Cyber Resilience Act (CRA) and the Network and Information Systems Directive (NIS2).

While the EU leads in regulation, the US will also exert regulatory influence. “In the next year, we expect a regulatory surge that CISOs must prepare for – which could include continued AI regulation, new post-quantum guidance, and, in late 2024, new legislation is expected around Know Your Customer (KYC) guidelines,” cautioned Jordan Avnaim, CISO at Entrust.

“Businesses should consider each of these a call to action to improve not only their own cybersecurity strategies, but also to consider the impact of new technologies, like AI, on their organization and their customers… CISOs and leaders will need trusted advisors, sound support, and secure solutions to successfully and safely forge ahead.”

Matthew Corwin, Managing Director of Guidepost Solutions, added that “security teams must navigate new breach reporting landscapes shaped by the SEC’s four business day rule for material cybersecurity incidents, state PII breach notification laws, and other regulatory requirements.

“These regulations underscore a shift towards rapid, transparent incident disclosure, emphasizing the need for advanced detection, streamlined reporting processes, and comprehensive incident response strategies.”

Incoming regulations have yet to be tested and well understood, but the well-established GDPR and similar regulations can provide a basic understanding of the methods needed to meet baseline compliance requirements.

State-Sponsored Cyber Attacks

Even as administrations launch regulations designed to influence corporate behavior, other governments will sponsor cyberattacks to push their influence. Stephen Helm, product marketing director at Nisos, warned teams about what state-sponsored attacks will look like.

“As geopolitical waters become more turbulent, and with the US election season fast approaching, China, Russia, and Iran promise to redouble their efforts to sow confusion and discord across the globe as they further their own goals of expanded influence,” he said. “The use of sockpuppets, comment spamming, and bots to amplify narratives will continue to evolve to be more difficult to detect, thanks to AI and other tools.”

“Influence operations in Latin America in 2022-2023 demonstrate this evolution. The China News Service used to hijack permissions to invasively access and potentially take over subscribers’ Twitter, Sina Weibo, and Weixin accounts to push pro-Beijing content… Companies offering election manipulation services that leverage fake social media accounts, AI, and other digital assets now operate as legitimate businesses in some parts of the world.”

Over the past two years, attacks by Russia, China, Iran, and North Korea exploited vulnerabilities and created enormous challenges for public and private organizations of all sizes. Reading up on past attacks can provide hints for tactics and the speed at which nation-sponsored attacks can occur.

Increased Need for Regulatory Documentation

In addition to regulations and direct government actions, experts expect more enforcement from the US Securities and Exchange Commission (SEC) and other agencies on recently passed legislation or rules. Cybersecurity teams need to improve documentation to defend themselves and their teams.

Nicole Sundin, CPO of Axio, predicted that “CISOs will need a system of record to protect themselves from the fallout of breaches. It’s no secret that the SEC now holds CISOs accountable for the risks organizations take. Currently, CISOs … make difficult choices, and act as they see necessary—but these may or may not be documented.”

Matt Wiseman, Senior Product Manager of Opswat, extended the warning to documenting third parties and the software bill of materials (SBOM). “Greater requests for SBOMs and more demand to understand tools at a deeper level will lead to increased requirements from regulatory organizations or government agencies,” Wiseman said.

“Given the growing concern for threats from vendors, third-parties, or nation-states, all software will be more thoroughly vetted before being deployed in critical areas.”

Last Year’s Cybersecurity Issues Continue

Some 2024 predictions simply acknowledge the continuing trends that started well before this year. The trends of weak security foundations, poor cybersecurity awareness, and ongoing ransomware attacks remain a major focus until these trends can be mitigated.

Weak Security Foundations

Even as vendors and technologies race ahead to tackle next year’s threats, many organizations lag in basic cybersecurity fundamentals such as asset management, identity and access management, defense in depth, and cybersecurity awareness and training.

“Some of the foundational requirements for securing an organization will continue to challenge InfoSec leaders – primarily, establishing comprehensive visibility into all assets and tight control over who can access them and with what level of privileges,” said Vinay Anand, Chief Product Officer of NetSPI.

Yaron Kassner, co-founder and CTO of Silverfort, added that “compromised identities will remain a favored weapon for cybercriminals. Countless organizations struggle to modernize their access systems amidst legacy constraints and a tangled web of identity providers.” It’s challenging to streamline access security when different teams have been using different strategies over decades. 

“We are beginning to see a shift in cybersecurity investment strategies that better reflect the current threat landscape,” said Roman Arutyunov, co-Founder and SVP of products at Xage Security. 

“Companies are recognizing that threat hunting and responding to endless detections and false positives uses too much of their precious security resources and they’re growing tired of chasing needles in a haystack. They are now turning their attention to reducing the attack surface by proactively protecting their assets.”

Poor Cybersecurity Awareness

Just as sexual harassment and anti-bias training continue to be a human resources priority, basic cybersecurity training must also become a regular fixture in the professional landscape.

Frank Gartland, chief product and technology officer from Skillable, reminded security teams that “eight-in-ten cyber-attacks occur due to human error, so providing people with regular cybersecurity training can make a significant difference to your cyber resilience.”

Nick Carroll, cyber incident response manager at Raytheon, noted an even broader need for a security culture. “Without a solid security culture at the foundation, security tools, such as expensive firewalls or endpoint detection and response (EDR), will ultimately become ineffective down the line,” he explained.

“If organizations haven’t already, they must begin to build cybersecurity awareness among employees and third-party partners, while also determining the best path for how to integrate security into the organization’s culture and operations.”

Continued Ransomware Attacks

Ransomware began dominating headlines during the pandemic and has only continued to be a problem. Desperate organizations, against the advice of law enforcement, continue to pay ransoms and fuel interest for cybercriminals.

Raffaele Mautone, CEO and founder of Judy Security, anticipated trouble for even small and medium-sized businesses. “Ransomware attacks will continue to diversify their targets, expanding beyond large enterprises to encompass small and medium-sized businesses, municipalities, and healthcare institutions. This trend will lead to a surge in attacks on SMBs, who may be more vulnerable due to limited cybersecurity resources.”

Kev Breen, director of cyber threat research at Immersive Labs, recommends preparing for the worst. “We should expect to see ransomware groups leveraging new techniques in endpoint detection and response (EDR) evasion, quickly weaponizing zero days as well as newly patched vulnerabilities, making it easy for them to bypass common defense strategies.

“As a result, security teams can’t rely on an old security playbook. Companies should not worry about how they can detect everything, and instead just assume at some point it will go badly [and] have plans in place to best respond.”

Ransomware requires access to endpoints to strike. While advanced attackers will seek novel evasion tactics, we can’t make their job easy by deploying sloppy cyberdefense. Consider implementing strong endpoint protection (antivirus, EDR, or XDR) as one of many layers of defense against ransomware and other attacks.

Ransomware has become a popular topic for media and podcasts. If you’re interested in hearing more about major security trends, check out our guide to the best cybersecurity podcasts for both amateurs and experts.

Bottom Line: Prepare Now Based on Risk

Predictions by experts deliver value only if acted upon. While none of these major trends for 2024 can be guaranteed, all of them are possible, and the continuing headaches already plague many organizations today.

Each organization must analyze each trend’s specific risk to the organization and its most valuable assets. The completed analysis will naturally define the trends most likely to cause issues and the ones most urgent to address.

For resources to help manage the risks your organization has identified, read our article on the best tools for risk management.

Secure Web Gateway vs Firewall: Learn the Difference
https://www.esecurityplanet.com/networks/secure-web-gateway-vs-firewall/
Tue, 04 Jun 2024 15:59:31 +0000

SWGs and firewalls play key roles in network security, safeguarding web traffic and overall network traffic, respectively. Explore their similarities and differences.

When originally conceived, secure web gateways (SWGs) filtered and managed web traffic, while firewalls filtered and managed all network traffic, of which web traffic was a subset. However, as the technologies matured, vendors continually added features and capabilities, so the most robust solutions now have more in common than distinct differences. A remaining distinction is that SWGs provide data loss protection and more detailed user website access reports.

To truly understand the differences, get to know each solution at a basic level and then examine key differences. This information can inform how and when firewalls and SWGs can be used separately or even together.

SWG vs Firewall Overview

This table provides a quick overview of major capabilities and deployment options:

Capability | Secure Web Gateways | Firewalls
Web Traffic Inspection | Robust inspection and reporting; core feature | Effective inspection of web traffic; secondary feature
Network Traffic Inspection | Generally no network traffic inspection | Robust inspection and reporting; core feature
URL & Website Filtering | Robust filtering and reporting; core features | Effective filtering and blocking; secondary feature
Malware Detection | Performs antivirus signature detection and blocking; acts as a web proxy to scan encrypted web traffic | Some can perform antivirus scans based on signatures and indicators of behavior; acts as a network proxy to scan encrypted traffic
Data Loss Protection | Monitors web traffic for potential data exfiltration | Only available in select advanced firewalls; secondary feature
Email Security | Examines emails for attacks or data loss protection | Email security scanning isn’t usually available
Bandwidth Control | Manages web traffic bandwidth through the SWG | Some firewalls can manage network traffic bandwidth
Deployment & Architecture | Primarily cloud-based; can be a local deployment | Depends on the type of firewall; most deploy locally, others in the cloud
Installation & Integration | Simple, one-tool installation; configuration and integration are more complex due to many features and granular web traffic rules | Depends on the type of firewall; some come included on devices, others enjoy simple installation; integration depends upon the number of features and connections

What Is a Secure Web Gateway?

A secure web gateway is a security tool that controls traffic between the internet and a protected network, or between the internet and remote devices that connect through the SWG. SWGs can be deployed locally to protect specific networks, but many organizations choose cloud-based deployments to take advantage of scale and to protect remote users and branch networks with a single consolidated solution.

To enforce control over traffic, an SWG will:

  • Block malicious traffic: Uses lists of known-malicious URLs, domains, and IP addresses to block traffic to and from those destinations, cutting off possible infection vectors.
  • Deny undesired content: Applies administrator-defined blacklists (aka denylists) to block user access to undesired websites and applications (gambling, pornography, etc.).
  • Manage network bandwidth: Limits the bandwidth available to less critical functions, such as streaming media, to ensure sufficient bandwidth for critical business functions.
  • Monitor employee behavior: Enforces policies, simple rules, and even artificial intelligence (AI) anomaly detection to detect and block unwanted user behavior.
  • Prevent discovery: Obscures the IP addresses and assets behind the SWG by inserting a web proxy between those assets and internet sources.

Advanced SWG tools often incorporate threat intelligence feeds and data loss prevention (DLP) inspection for sensitive data.

Figure: How SWGs work.

What Is a Firewall?

Firewalls are security controls that filter traffic at a boundary: the border of a network, a single host or device (server, router, PC), an application, a database, or even the line between two network segments. The most common type of firewall focuses on controlling traffic entering and exiting a network, but more advanced firewalls add features for email security, URL filtering, and malware detection.

When enforcing traffic control, firewalls will:

More complex firewall solutions, such as next-generation firewalls (NGFWs) and unified threat management (UTM) appliances, incorporate features associated with other types of security solutions. For example, they can screen data with an antivirus inspection, block malicious URLs like an SWG or a domain name service (DNS) filter, or inspect email like an email gateway.

Figure: How firewalls work.

Key Similarities & Differences of SWGs vs Firewalls

Secure web gateways and firewalls, once distinct, now share features that deliver similar benefits, advantages, and disadvantages. To find the remaining distinguishing aspects, we dig deeper into the benefits, pros, and cons of these technologies.

Notable Benefits Comparison

As security solutions, firewalls and secure web gateways enjoy nearly identical benefits because they perform very similar roles protecting data flows at the edge of the network. Comparisons also become challenging because different types of firewalls offer different capabilities: simple, traditional firewalls overlap little with SWGs, while NGFWs overlap strongly with SWG features.

Both SWGs and firewalls offer the following primary benefits:

  • Protect against data loss: Enforce policies, detect anomalous behavior, and inspect data flows for regulated, sensitive, or secret information. 
  • Screen attacks: Filter known-malicious domains, enable sandbox file inspection, and detect malicious packets using signatures, indicators, AI, or machine learning (ML).
  • Simplify management: Manage consolidated features that might otherwise require separate, non-integrated tools through a single installation and management dashboard.
  • Throttle unproductive content: Block, limit access, or limit bandwidth to streaming media, gambling sites, pornographic sites, and other defined sites and applications.

The remaining differences are mostly device, model, and implementation specific. Some vendors focus SWG benefits on controlling website traffic and firewall benefits on internal network data. In part, this is because an SWG analyzes data at the application layer, while most firewalls focus on the network-layer information in packets.

However, these vendors often fail to note the types of firewalls that also inspect packets at the application layer, such as NGFWs or web application firewalls (WAFs). While it can be academically useful to draw distinct lines, in reality the best SWGs and firewalls have heavy overlap in capabilities.
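To make the layer distinction concrete, here is an added example (written for this page, not code from the article or from any SWG or firewall vendor) that contrasts a packet-filtering firewall rule set with an application-layer SWG policy covering the enforcement list above: domain denylisting, category blocking, and outbound data loss inspection. Every IP address, hostname, category, and the sample request body is a constructed placeholder. The point it shows is that two unrelated sites served from one shared IP address look identical to a 5-tuple rule, while the SWG, which sees the hostname and the request body, can tell them apart.

```python
# Constructed comparison of network-layer and application-layer filtering.
# All addresses, hostnames, categories and payloads are placeholders made
# up for this example; nothing here is drawn from a real policy.
from dataclasses import dataclass
import ipaddress
import re
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """One connection as each layer sees it. Fields after dst_port are
    application-layer data that a packet-filtering firewall never parses."""
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
    host: Optional[str] = None  # HTTP Host header or TLS SNI; may be absent
    body: bytes = b""           # outbound request body (form posts, uploads)


# Network-layer rules as (action, destination network, port, protocol).
# Constructed sample policy: clients may reach any web server, nothing else.
FIREWALL_RULES = [
    ("allow", "0.0.0.0/0", 443, "tcp"),
    ("allow", "0.0.0.0/0", 80, "tcp"),
]


def firewall_decide(flow: Flow, rules=FIREWALL_RULES) -> str:
    """Packet-filter decision from the 5-tuple alone; default deny."""
    dst = ipaddress.ip_address(flow.dst_ip)
    for action, net, port, proto in rules:
        if flow.proto == proto and flow.dst_port == port \
                and dst in ipaddress.ip_network(net):
            return action
    return "deny"


def domain_matches(host: str, pattern: str) -> bool:
    """Exact or subdomain match: 'cdn.evil.example' matches 'evil.example',
    but 'notevil.example' does not (a bare endswith() would block it too)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


# Constructed threat-intelligence denylist and URL categories (placeholders).
DENYLIST = {"malware.example.net", "evil.example"}
CATEGORIES = {
    "docs.example.com": "productivity",
    "casino.example": "gambling",
    "paste.example.org": "file-sharing",
}
BLOCKED_CATEGORIES = {"gambling"}

# 13 to 16 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(rb"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def dlp_hit(body: bytes) -> bool:
    """True if the outbound body carries a Luhn-valid payment card number."""
    for match in CARD_RE.finditer(body):
        digits = re.sub(rb"[ -]", b"", match.group()).decode()
        if luhn_ok(digits):
            return True
    return False


def swg_decide(flow: Flow) -> Tuple[str, str]:
    """Application-layer decision: hostname denylist, category, then DLP."""
    if flow.host is None:
        return ("deny", "no hostname available for inspection")
    for bad in DENYLIST:
        if domain_matches(flow.host, bad):
            return ("deny", f"denylisted domain {bad}")
    category = next(
        (c for d, c in CATEGORIES.items() if domain_matches(flow.host, d)),
        "uncategorized",
    )
    if category in BLOCKED_CATEGORIES:
        return ("deny", f"blocked category {category}")
    if dlp_hit(flow.body):
        return ("deny", "DLP: payment card number in outbound body")
    return ("allow", category)


SHARED_IP = "203.0.113.10"  # constructed: two unrelated sites behind one address
SAMPLE_FLOWS = {
    "docs": Flow("10.0.0.5", SHARED_IP, 443, host="docs.example.com"),
    "malware": Flow("10.0.0.5", SHARED_IP, 443, host="malware.example.net"),
    "lookalike": Flow("10.0.0.5", SHARED_IP, 443, host="notevil.example"),
    "leak": Flow("10.0.0.5", "203.0.113.20", 443, host="paste.example.org",
                 body=b"card=4111 1111 1111 1111&cvv=123"),
    "no_sni": Flow("10.0.0.5", SHARED_IP, 443),
    "ssh": Flow("10.0.0.5", SHARED_IP, 22),
}


def demo():
    """Both layers' verdicts for every sample flow."""
    return {n: (firewall_decide(f), swg_decide(f)) for n, f in SAMPLE_FLOWS.items()}
```

Calling demo() returns both verdicts for every sample flow: the firewall allows both flows to the shared address because the 5-tuple is the same, the SWG denies the denylisted hostname and the card-number upload, and a session with no hostname (for example TLS without SNI) is denied because nothing at the application layer can be inspected. The subdomain test in domain_matches is the detail most often gotten wrong in home-grown filters; a plain suffix check would also block notevil.example.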

Figure: Capability overlaps between SWGs and firewalls.

Primary Pros Comparison

The strongest pro for both SWGs and firewalls is good security protection against attacks. The distinct and shared advantages to their use reveal the specific ways in which each technology provides protection. SWGs provide strong security for email and HTTPS-encrypted traffic. Firewalls block internal network threats, apply quick policy-based filtering, and some firewalls can also inspect HTTPS-encrypted traffic.

Both SWGs and firewalls can be installed in the cloud for high scalability and performance. SWGs and certain types of firewalls can also save significant money compared to buying the component tools separately, such as mail security, proxy gateways, data loss protection, and antivirus software.

Advantage | Firewall | SWG
Email protection | ❌ | ✔
Monitor for network threats (intrusion detection and prevention systems (IDPS)) | Some firewall models (NGFW, UTM, etc.) | ❌
Rapid policy-based threat filtering | ✔ | ❌
Cloud-enabled scalability | Depends on installation | Depends on installation
HTTPS encrypted traffic malware inspection | Some firewall models (NGFW, WAF, FWaaS, etc.) | ✔
Save money and time compared to buying separate solutions for equivalent protection | Some firewall models (NGFW, UTM, FWaaS, etc.) | ✔

Significant Cons In Common

The benefits and pros make a strong argument that every organization needs both SWGs and firewalls for defense-in-depth security. Both technologies share the same drawbacks, which can introduce some hesitation to purchase, yet they don’t significantly undermine either solution.

  • Complex configuration: While simpler to manage and maintain than a suite of tools, the consolidated features of advanced SWGs and firewalls make them much more complex and time-consuming to set up and configure initially.
  • High costs: Although cost effective in comparison to many individually purchased solutions, advanced SWGs and firewalls are quite expensive to purchase, install, and configure if you don’t need all of the features.
  • Variable capabilities: The same feature won’t perform the same or provide similar capabilities across all products; most SWGs and firewalls offer ‘reports’, but the type of reports and their detailed contents vary widely from product to product.

The primary cons can be summarized as product confusion. An inexpensive, simple firewall won’t provide the same protection as an expensive NGFW, but some of the features will be labeled similarly. Likewise, while implementing three to five separate solutions takes much more time than setting up a robust SWG, most companies set up the separate solutions over time and can become overwhelmed by the options when setting up a complex tool.

Should You Use SWGs & Firewalls Together or Separately?

Most large organizations use both secure web gateways and a variety of firewalls. However, many small and medium businesses (SMBs) start with a firewall for basic security and incorporate an SWG as their security needs mature.

Firewall and SWG capabilities are also being incorporated into other modern security solutions to protect remote users and remote assets. For example, enterprise virtual private networks (VPNs) enable safer access for remote users by adding basic firewall and SWG URL or malware filtering to cloud-based VPN infrastructure.

Security service edge (SSE) incorporates FWaaS and SWG capabilities with other security technologies to protect remote users, application data, and cloud resources. Similarly, secure access service edge (SASE) builds on SSE remote security by adding software-defined wide area network (SD-WAN) capabilities for location-independent segmentation.

All of these solutions play important roles in securing businesses, non-profits, and government agencies, but buyers need to fully understand their own needs to understand which product provides the best fit. Additionally, given the wide range of capabilities within any product category, or even the products from a specific vendor, buyers also need to fully test tools to ensure that the theoretical capabilities match needs and expectations.

Use Case Comparisons

To best illustrate when and how to use SWG and firewall technologies, it helps to consider a variety of specific use cases. When exploring the needs to secure a headquarters, remote contractors, an international office architecture, or a cloud-based application, the benefits of and need for SWG and firewall solutions will vary considerably.

Headquarters Protection

A municipal government maintains a central headquarters building (city hall) with a data center. Previously established firewall protection is sufficient, but they want additional protection against rising internet threats. They might add an on-prem SWG appliance to add a layer of security between users and potential threats.

Remote Contractor Protection

A medical transcription company employs thousands of international and domestic contractors that use bring-your-own-device (BYOD) laptops and phones to access web-based applications (Google Docs, Office 365, Box, etc.). To protect against malware uploaded to company repositories, require all contractors to access resources through a secure web gateway that monitors upload and download traffic for signs of trouble.

Multi-Office Global Infrastructure

A growing restaurant chain continues to rapidly expand overseas and needs to protect a large number of restaurant networks and branch headquarters, and even to monitor remote users. Without the sunk cost of existing infrastructure, they can deploy FWaaS and SWG in tandem to protect a wide variety of network and user data connections with reduced deployment and configuration requirements.

High Performance Web App

A streaming site builds cloud-based infrastructure to host and run the back-end applications that deliver video and audio content. Without users, most SWG features won’t be useful in this environment, and even a powerful NGFW would cause too many delays with packet inspections. Instead, deploy simple packet-screening firewalls, WAFs, and database firewalls to protect specific components of the architecture with minimal operational delay.

SWG & Firewall Considerations

To determine which solution or combination of solutions might be the best fit, a buyer needs to answer specific questions about how the technology will fit into the existing security stack and the resources available to use it. Honest answers to these questions filter out unrealistic hopes and deliver practical, functional solutions.

Replace Existing Technology or Add-on More Technology?

An organization with extensive and older legacy solutions might be ready to rip and replace all solutions with a multi-purpose solution. However, a handful of expensive, recently purchased solutions make it more attractive to add on a separate solution to add specific features. Pick a full-featured SWG or firewall solution when performing rip-and-replace, or select a tool with the specific security features required when adding on to the security stack.

What Architecture Is Required: Full-Control, Cloud, or SaaS?

Organizations with heavy compliance or secrecy needs require full control of all security controls in a local data center, but those prioritizing scalability requirements might prefer cloud-based solutions. SaaS solutions remove direct control and often reduce customization options, but organizations of all sizes enjoy the reduced maintenance and management demands of SaaS solutions. Select the correct SWG or firewall configuration to match the required architecture.

How Much Delay Is Tolerable?

High speed applications and communications systems can’t tolerate extensive packet and connection inspections. Data, connections, and security controls need to be streamlined to balance security with high speed data transmission. Different combinations of SWGs and firewall types can be used to perform specific security screens for different data flows within the network architecture for effective and rapid information transmission.

Is There a Resource Match?

Each tool will require different financial and technical resources to install, configure, maintain, and operate the solution. When comparing solutions, factor in all expected expenses and labor requirements to ensure sufficient resources to effectively reach the tool’s potential capabilities. This analysis will prevent the wasteful acquisition of expensive shelf-ware or a tool that can’t be used effectively with the current resources.

Does the Security Solution Fit the Existing Security Stack?

All security tools must fit into the existing security stack and processes without too many traumatic overhauls. Verify the integration capabilities of the SWG or firewall under consideration with other related security tools such as IDS/IPS, privileged access management (PAM), security information and event management (SIEM), and network monitoring. This will ensure smooth transitions and compatibility with existing processes.

Bottom Line: Deploy Both SWG & Firewall Capabilities

As SWGs and firewalls continue to add features, advanced versions may reach the point where a single solution provides effective security on its own. Of course, that single solution will be quite expensive and complicated to implement, so expect simpler solutions to continue to satisfy needs for years to come. Once you figure out which solution(s) might be a good fit, contact the company for a demo and come armed with a list of features to explore in depth.

SWGs and firewalls help secure the network perimeter; to consider which other solutions a full security stack might require, read more about network security architecture.


6 Best Enterprise VPN Solutions for 2024
Published Fri, 31 May 2024 11:00:00 +0000 at https://www.esecurityplanet.com/products/enterprise-vpn-solutions/

Enterprise VPN provides an encrypted connection for remote users and sites to access corporate resources over the internet. Compare top VPN providers in 2024.

Enterprise virtual private networks (VPNs) are security solutions that protect remote users and provide access to corporate resources such as internal networks, applications, and cloud data repositories. Like traditional VPNs, they apply encryption and other security to data transmissions to protect users and data against attack or misuse. However, the best enterprise VPN solutions also enable quick, global deployments with software that is easy to manage and easy to use.

To help you choose the right one for you, I’ve compared features, customer support offerings, pricing, and licensing information to rank the top solutions for professional use.

Here are the six best enterprise VPN solutions for businesses, non-profits, and government agencies of all sizes:

Top Enterprise VPN Solutions Comparison

The following table provides a quick overview of the top six enterprise VPN solutions with regards to pricing and four key features: centralized dashboards for administrator (admin) management, security tool integrations, URL address filtering, and log retention.

Solution | Centralized Dashboard | Security Tool Integrations | URL Address Filtering | Log Retention | Pricing
Perimeter 81 | ✔ | ✔ | ✔ | ✔ | $8+/user + $40/gateway
PureDome (PureVPN) | ✔ | ❌ | ❌ | ✔ | $6.76+/user + $40/gateway
OpenVPN | ✔ | ✔ | ✔ | ✔ | $11+/user
Twingate | ✔ | ✔ | ❌ | ❌ | $5+/user
NordLayer | ✔ | ❌ | ✔ | ✔ | $8+/user
GoodAccess | ✔ | ❌ | ✔ | ✔ | $7+/user + $39/gateway

Despite very competitive scores among the top tools, I found Perimeter 81 to provide the best overall value for those seeking a secure software-as-a-service (SaaS) remote virtual private network connection for business. Continue on to read more about each of these top solutions in terms of pricing, features, and primary use cases, or jump down to see how I evaluated the products.

Note: All monthly prices are based on a one-year commitment unless otherwise noted.

Perimeter 81 Best Overall


Overall Rating: 4.4/5

  • Backend manager experience: 4.8/5
  • Security features: 4.6/5
  • User experience: 4.6/5
  • Cost and licensing clarity: 3.2/5
  • Customer support: 4.1/5

Perimeter 81 earns the top spot in our rankings because of the wide range of features that also earn the tool the top ranking for user experience, backend management experience, and network security features. Users will enjoy the high speed global connections protected by optional secure web gateway (SWG) filtering for malicious websites and malware. Admins will appreciate the security tool integrations, reporting, monitoring, and the consolidated dashboard.

Pros

  • Agentless application access
  • Private global network in 40+ countries
  • Supports multi-factor authentication (MFA)

Cons

  • Some key features are add-ons
  • 60-day log retention only for the top paid tier
  • Many dedicated gateways will become costly

Pricing

  • Essentials: $8/user/month + $40/gateway/month; minimum 10 users
  • Premium: $12/user/month + $40/gateway/month; minimum 10 users
  • Premium Plus: $16/user/month + $40/gateway/month; minimum 20 users
  • Enterprise: Contact sales; minimum 50 users
  • Add-ons: Additional fees for DNS filtering, web filtering, and malware protection
  • Free trial: 30-day money-back guarantee
  • Free demo: Contact to schedule

Key Features

  • Broad security features: Supports IP whitelisting, zero-trust network access (ZTNA), user segmentation, and device posture checks for network access control (NAC).
  • Wide availability: Provides connector apps for Windows, macOS, iOS, Android, Linux, and Chromebook as well as browser-based access for applications.
  • Cloud access connections: Enables point-to-point connections for internal network connections and makes cloud assets available to NordLayer users.
  • Enforce policy: Prevent user sign-out from VPN to access resources outside of protection and block access to undesirable sites (pornography, gambling, etc.).
  • Supports integration: Connects with security information and event management (SIEM) tools and single-sign on (SSO) providers.

Figure: Perimeter 81 device inventory screenshot.

Perimeter 81’s private global network and security features come at a premium price. For those more sensitive to price and with less strict network security feature requirements, consider PureDome, which has access points from more than 70 countries.

PureDome Best for Quick Global Access


Overall Rating: 4.1/5

  • Backend manager experience: 4.4/5
  • Security features: 3.6/5
  • User experience: 4.3/5
  • Cost and licensing clarity: 3.9/5
  • Customer support: 4.4/5

PureDome builds on its successful PureVPN consumer offering to provide a large global reach of high-speed (10+ Gbps) connections in more than 70 countries. Choose this vendor for large, geographically dispersed teams that need high-speed connections. PureDome supports a wide range of endpoint devices (Windows, macOS, iOS, Linux, Android, Chromebook) and protects users with group management, automated connections, and always-on VPN.

Pros

  • Site-to-site connectors available
  • Supports SSO, two-factor authentication (2FA)
  • Device and session activity reports

Cons

  • Lacks URL and website filtering
  • Doesn’t scan traffic for malware
  • No private global VPN network

Pricing

  • Basic: $6.76/user/month + $40/dedicated gateway/month; minimum 5 users
  • Professional: $9/user/month + $40/gateway/month; minimum 5 users
  • Enterprise: $13.45/user/month + $40/gateway/month; minimum 5 users
  • Free trial: 30-day money-back guarantee
  • Free demo: Contact to schedule

Key Features

  • High-speed connections: Supplies high speed connections in more than 70 countries, starting at 10 Gbps with upgraded 20 Gbps servers in key international locations.
  • Effective management: Enables admins to view and manage teams, gateway loads, and user roles and access through a consolidated management console.
  • Device review: Applies NAC profiles for professional and enterprise customers to block access to unpatched or insufficiently managed endpoint devices.
  • Dedicated support: Provides dedicated customer executives by chat and email to all customers, with available phone and priority support for premium customers.
  • Optional integration: Supports integration with identity and access solutions.

Figure: PureDome teams screenshot.

PureDome provides global access to a high-speed network, but some will prefer more security features. For a fully private global network with more security controls, consider Perimeter 81.

OpenVPN Best for Flexible Deployment


Overall Rating: 4.1/5

  • Backend manager experience: 4.1/5
  • Security features: 4.5/5
  • User experience: 3.4/5
  • Cost and licensing clarity: 4.3/5
  • Customer support: 4.2/5

OpenVPN provides the most flexible deployment options of any vendor because it is a tunneling protocol, an open-source project, and the company behind the two enterprise VPN solutions. Engage their CloudConnexa platform and provide users with direct access to OpenVPN’s cloud-hosted infrastructure. Alternatively, license the Access Server and build out your own private self-hosted network of access points and servers anywhere you want.

Pros

  • Free for up to 3 connections
  • Supports Internet of Things (IoT) connections
  • Supports zero trust access granularity

Cons

  • Charges by the connection, not the user
  • Cloud access slower than competition
  • Third-party tools needed for strong reporting

Pricing

  • Free: Supports up to 3 connections
  • Growth: $11/connection/month; minimum 5 connections
  • Enterprise: Contact sales; minimum 5 connections
  • Free trial: 30-day money-back guarantee
  • Free demo: Contact to schedule

Key Features

  • Deployment options: Provides a unique option to build out self-hosted enterprise VPN infrastructure quickly and easily or to adopt a more convenient cloud-hosted option.
  • Diverse MFA: Supports traditional multi-factor authentication (MFA), Security Assertion Markup Language (SAML) authentication, and device registration.
  • Group access: Allows for group definitions and user-group connections to provide access templates for specific asset and application access.
  • Web filtering: Enables self-hosted instances with network monitoring intrusion detection and intrusion prevention systems (IDS/IPS) options to perform domain name system (DNS) and website filtering of known-malicious and unwanted websites and categories.
  • Transparent pricing: Offers both monthly and annual pricing as well as volume-based discounts; includes a price calculator on the pricing page of the website.

Figure: OpenVPN Cloud status dashboard.

A self-hosted enterprise VPN brings back the maintenance and configuration headaches of traditional VPN infrastructure and OpenVPN’s gateway speeds tend to be slower than other top solutions. For an alternative self-hosted technology with less infrastructure overhead, consider Twingate’s peer-to-peer mesh network solution.

Twingate Best for DevSecOps Deployments


Overall Rating: 4/5

  • Backend manager experience: 4.5/5
  • Security features: 3.8/5
  • User experience: 3.9/5
  • Cost and licensing clarity: 4.3/5
  • Customer support: 3.4/5

Twingate’s unique technology permits the implementation of peer-to-peer zero-trust connections that programmers include in infrastructure-as-code. These headless service accounts launch on demand, integrate with existing infrastructure, modify access rules, and integrate with GitHub. Development, security, and operations (DevSecOps) teams creating websites and applications can insert secure Twingate connections into containers and other virtual architectures.

Pros

  • Uses peer-to-peer architecture without gateways
  • Also provides traditional SaaS connections
  • Includes AWS, Azure, and other cloud connectors

Cons

  • Doesn’t use traditional VPN protocols
  • Only US-business hours support
  • Uses partners to provide static IP addresses

Pricing

  • Starter (free tier): Supports up to 5 users, 1 admin, 10 remote networks
  • Teams: $5/user/month; up to 100 users, 3 admins, 20 remote networks
  • Business: $10/user/month; up to 500 users, 10 admins, 100 remote networks
  • Enterprise: Contact sales
  • Free trial: 14 days
  • Free demo: Contact to schedule

Key Features

  • Unattended security: Implements zero trust controls for automated and unattended continuous integration and continuous delivery/deployment (CI/CD) processes.
  • Monitoring integration: Feeds alerts to SIEMs and integrates with mobile device management (MDM) tools for enhanced security processes.
  • Defines allowlists: Limits access to approved locations through an IP whitelist (aka: allowlist) that rejects unapproved IP addresses as an equivalent to URL filtering.
  • Quasi-legal VPN: Uses a technology that bypasses gateways for peer-to-peer connections that doesn’t technically violate laws against VPN in China, etc.
  • Optional gateways: Bypasses requirements for static IPs and gateways but also uses a partner to provide this legacy infrastructure for those that need it.

Figure: Twingate analytics dashboard.

Twingate’s novel peer-to-peer technology may make some IT teams uncomfortable. For a more traditional approach to both on-site and cloud-hosted VPN, consider OpenVPN.

NordLayer Best for SaaS User Security


Overall Rating: 3.9/5

  • Backend manager experience: 4.1/5
  • Security features: 3.9/5
  • User experience: 4.2/5
  • Cost and licensing clarity: 3.1/5
  • Customer support: 4.2/5

NordLayer delivers a solid enterprise VPN candidate with competitive features and capabilities. However, unlike most competitors, Nord Security also offers SaaS file encryption (NordLocker), password management (NordPass), and managed detection and response (NordStellar). Buyers can select Nord to deliver multiple, fully compatible tools to provide robust, turnkey protection for remote users.

Pros

  • Browser plug-ins available
  • Supports up to 6 devices per license
  • Supports VPN network segmentation

Cons

  • Connections don’t exceed 1 Gbps
  • Many security features require premium tiers
  • No user configuration profiles

Pricing

  • Lite: $8/user/month; minimum 5 users
  • Core: $11/user/month + $50/dedicated server/month; minimum 5 users
  • Premium: $14/user/month + $50/dedicated server/month; minimum 5 users
  • Enterprise: $7+/user/month; minimum 50 users
  • Free trial: 14-day money-back guarantee
  • Free demo: Contact to schedule

Key Features

  • Rich add-ons: Provides a wealth of premium security (firewall policies, device posture check), access (static IPs, DNS filtering), and SaaS protections for remote users.
  • Robust MFA: Enables secure access to the enterprise VPN app through SSO or a variety of MFA, including authenticator apps, security keys, or biometrics.
  • Multiple VPN options: Allows admins to select from traditional IKEv2 or OpenVPN (UDP or TCP) protocols or the proprietary NordLynx protocol based on WireGuard.
  • Included threat protection: Delivers ThreatBlock protection to all business tiers, which automatically detects and blocks malicious domains based on threat intelligence feeds.
  • Human-touch support: Supplies premium subscribers with dedicated account managers and technical architects for faster, smoother onboarding and integrations.

Figure: NordLayer user activity screenshot.

NordLayer is one of a suite of effective tools to protect remote users, but connection speeds max out at 1 Gbps. For speeds up to 10 Gbps, a global private network, and the best-rated customer service, consider GoodAccess.

GoodAccess Best Customer Service


Overall Rating: 3.9/5

  • Backend manager experience: 3.9/5
  • Security features: 4.1/5
  • User experience: 4/5
  • Cost and licensing clarity: 3.2/5
  • Customer support: 4.5/5

GoodAccess earns the best-rated customer support by providing strong support options for all tiers of customers. Premium customers gain priority and 24/7 phone support as well as the knowledge base access, chat, and email support enjoyed by regular customers. In addition to the broad support, GoodAccess also provides strong security features, unlimited data usage, and centralized client app distribution for all tiers of customers.

Pros

  • Always-on VPN user protection
  • Provides automatic wi-fi security
  • Includes user device inventories

Cons

  • Doesn’t provide cloud firewall protection
  • Extra fees for dedicated gateways
  • No auto-connect VPN or kill-switch

Pricing

  • Essential: $7/user/month + $39/dedicated gateway/month; minimum 5 users
  • Premium: $11/user/month + $39/dedicated gateway/month; minimum 5 users
  • Enterprise: Contact sales
  • Cloud and branch connectors: $29/connector/month
  • Free trial: 14 days
  • Free demo: Contact to schedule

Key Features

  • Accessible support: Provides chat and email support and a solution architect for deployment assistance, even for the lowest levels of business customers.
  • High-speed access: Uses servers with 1 Gbps (standard) to 10 Gbps (premium) speeds supported by the faster WireGuard VPN protocol.
  • Private global network: Deploys fully owned servers and network connections with access points placed in more than 35 global locations.
  • DNS options: Allows customers to customize included DNS for client-specific DNS blocking or to use a private domain name server.
  • Threat Blocker: Supplies all tiers of customers with Threat Blocker Premium, which automatically protects against known-malicious domains updated regularly by threat intelligence feeds and enhanced with customizable blacklists (aka: denylists).

Figure: GoodAccess dashboard screenshot.

Although GoodAccess is a strong enterprise VPN solution with superior customer support, customers that need more than just VPN access should consider an option that integrates with other user-protection SaaS solutions, such as NordLayer.

Top 5 Features of Enterprise VPNs

Enterprise VPNs need to provide convenient administration and global access, deploy quickly, and maintain strong security and a comfortable user experience. Each of these features helps to distinguish enterprise VPNs from competing methods to secure network access for remote users such as self-hosted VPNs, secure web gateways (SWG), or firewalls-as-a-service (FWaaS).

Easy Admin Management

Administrators need solutions that make it easier to manage and secure users. Effective enterprise VPNs provide a consolidated user management dashboard, easy integration of identity management and security tools, and good reporting and logs for investigation or compliance. Most tools deliver as SaaS for dramatically reduced maintenance when compared to self-hosted VPN, SWG, or firewall solutions.

Global Reach & Scalability

Growing companies expand overseas and require global access points that can scale as the company and its user-base increase. A large number of cloud-based international gateway access points provide low-latency access for remote users and SaaS delivery of the enterprise VPN backend enables scalable growth.

Quick Deployment & Implementation

A key differentiating feature of an enterprise VPN is the fast deployment. Traditional VPN providers such as Citrix, Fortinet, or Ivanti provide applications and connectors that integrate with their VPN solutions, but that takes significant time to implement, configure, and validate. Enterprise VPNs provide available infrastructure and apps that allow for single-day deployments of fully connected resources, applications, and users.

Strong Security Features

Enterprise VPNs must provide strong, secure connections. Multifactor authentication and encrypted tunnels secure the user side, and better solutions also provide DNS security, URL/website filtering, and malware detection. Strong encryption, point-to-point security, and group access management further secure access within the network and ensure that only appropriate users reach sensitive resources.

User-Friendly Connections

Enterprise VPNs must provide easy-to-use clients for mobile devices and desktops so that users will have minimal motivation to avoid using the app. Additionally, good solutions provide low-latency access close to the user and high-speed gateways to provide an ongoing good user experience.

How I Evaluated the Best Enterprise VPN

To evaluate enterprise VPN solutions, I weighed five different criteria, and each category consisted of sub-criteria with their own weights. The sub-criteria summed to a five-point rating for each category and combined into an overall five-point score for the tool. Based on the scores, I selected the top six tools and considered their pros, cons, and features. These capabilities helped me to define use cases in which each solution might be the best fit for a buyer.

Evaluation Criteria

Backend manager experience earned the highest weighting because overwhelmed security teams need easy-to-manage and easy-to-implement tools that reduce headaches, not add to them. The solution also must work well, so security features and user experience were also heavily weighted. While price and customer service also matter and need to be considered, I didn’t weigh them as heavily as the key functional features.

  • Backend manager experience (30%): Includes installation and use factors such as integration of cloud assets, identity management, or security tools, dedicated servers or IP addresses, centralized dashboards, user configuration profiles, and reporting.
  • Security features (25%): Factors important security features into the score such as IP whitelisting (aka: allowlisting), firewall policies, attack filtering, session duration controls, and log retention.
  • User experience (20%): Consists of speed and user protection sub-criteria like endpoint compatibility, gateway speeds, kill switches, auto-connect, and always-on VPN.
  • Cost and licensing clarity (15%): Considers both the listed prices for various levels and user quantities as well as licensing transparency, user minimums, and discounts.
    • Criterion winner: Multiple winners
  • Customer support (10%): Looks at the availability and options for rapid customer support (phone, chat), delayed customer support (email, tickets), self-help information, hours of operation, and the availability of dedicated customer support representatives.

Frequently Asked Questions (FAQs)

What Is the Difference Between an Enterprise VPN & Business VPN?

Enterprise VPNs are cloud-based remote access solutions, and business VPN (aka traditional VPN) is a locally hosted VPN solution. The largest organizations will require on-site solutions, point-to-point VPN connections, and high-volume VPN capabilities, which are difficult to manage, take time to deploy, and are expensive to scale or deploy globally.

What Is the Difference Between an Enterprise VPN & a Self-Hosted VPN?

Enterprise VPNs are hosted by third-party cloud providers that also provide the software or access points for remote users. Self-hosted VPNs will be fully controlled and installed on cloud-based or local IT infrastructure of the purchasing organization. Some organizations deploy the equivalent of a self-hosted enterprise VPN using paired connection apps and VPN tools, but these are more expensive and time consuming to deploy and manage than enterprise VPN.

Do Business VPNs Need Stealth-Mode?

Most businesses don’t need the stealth mode of consumer-oriented VPNs that hides VPN use from ISPs or government firewalls (in China, Russia, Vietnam, etc.). Stealth-mode vendors also tend to promote privacy-focused servers that don’t log use, but this undermines the typical business’s need to log and track users for compliance or breach investigations.

Bottom Line: Enterprise VPNs Provide Fast, Remote Security

Remote users need secure access to applications and resources and enterprise VPNs provide quick-to-deploy options that enable fast action and a good experience for users and managers. Many small businesses will choose enterprise VPNs because they lack large teams to manage in-house VPNs and many large enterprises will select enterprise VPNs for potential cost savings. Test drive your preferred options to verify a good fit for your needs.

For an in-depth analysis of alternative ways to secure remote users, read VDI vs VPN vs RDP.

Get the Free Cybersecurity Newsletter

Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

The post 6 Best Enterprise VPN Solutions for 2024 appeared first on eSecurity Planet.

Cybersecurity Management Lessons from Healthcare Woes https://www.esecurityplanet.com/threats/cybersecurity-lessons-from-security-breaches-in-healthcare/ Thu, 30 May 2024 18:40:48 +0000 https://www.esecurityplanet.com/?p=35608 Learn key cybersecurity management lessons from recent healthcare ransomware attacks and data breaches to avoid costly and humiliating situations.

Ransomware attacks and data breaches make headlines when they shut down huge connected healthcare providers such as Ascension Healthcare or Change Healthcare. Examining the available details of these breaches will help you learn key lessons from their pain to avoid suffering the same humiliating and expensive situations.

Recent Healthcare Attacks & Breaches

Large breaches affected over 88 million individuals in the USA in 2023, a 60% increase from 2022. 2024 looks likely to raise the number of affected individuals further, considering the scale of ransomware attacks in the first half of the year in the USA, Canada, and Australia.

Ascension Healthcare Ransomware Shutdown

Unusual activity detected on May 8, 2024, caused Ascension Healthcare to shut down affected systems, notify authorities, and engage cybersecurity professionals. The attack caused major disruptions throughout the non-profit healthcare provider that operates 140 hospitals and 40 senior care facilities in 19 states plus the District of Columbia. Unfortunately, the disruptions remain unresolved in many places and significantly affect patient welfare.

Known Disruption & Damages

Ascension Healthcare’s ongoing public disclosures describe initial disruptions, including:

  • Disrupted operations: Cited issues include diverted ambulances for emergency services, inoperative phone systems, and disrupted clinical operations.
  • Unavailable health records: All electronic patient information became unavailable, including the MyChart patient self-service database, hospital records, and the systems used to order tests, procedures, and medications.
  • Canceled treatments: The network paused all elective procedures for the first week and delayed providing the results of many completed medical tests.

The Detroit Free Press interviewed stressed employees who complained of “waiting four hours for head CT (scan) results on somebody having a stroke or brain bleed.” Others complained that multiple patients received the same temporary medical records, so there’s no confidence that blood test results will match the correct patients.

CNN reported the Black Basta ransomware gang performed the attack, although the company hasn’t officially confirmed the information. As of the last official confirmation on May 21, many facilities still operate using paper, many pharmacies remained closed and unable to supply medicine, and talks with vendors and partners to reconnect systems just started.

Exposed Technical Issues & Other Consequences

No clear information on the specific entry point or the specific systems infected has been released, so we can’t speculate about the cause of the breach. However, it’s obvious that Ascension failed to restore systems quickly or accurately, which suggests inadequate disaster recovery preparation and insufficient testing of systems.

Ascension might try to blame financial troubles for lack of preparation. Ascension lost $2.66 billion on $28 billion in revenue in 2023, and cost cutting efforts narrowed the loss to $237.8 million for the first three quarters of FY 2024. However, this attack also comes three years after Ascension fired hundreds of local IT staff in a cost-cutting effort to outsource IT services to India.

Outsourcing alone doesn’t cause problems, but perhaps Ascension’s management needs to make IT a larger priority. For the most recent year available, Ascension’s 2021 Form 990 shows:

  • $13 million in CEO compensation for Joseph Impicciche
  • $22 million in executive compensation for the next 8 highest paid executives
  • $6.4 million in information technology expenses
  • $1.3 million in consulting fees, potentially for IT, including $987k earned by World Wide Technology, a St. Louis IT services provider, and $306k by Accenture.

IT should never be the top expense for a healthcare organization. Still, after massive disruption and impact on patient welfare, it’s very difficult for Ascension to justify why the CEO earns roughly twice as much compensation as the organization’s investment in IT and the top 9 executives together earn more than five times the IT spend at a non-profit organization. Note that the Form 990 information technology line excludes IT staff salaries, which are reported under compensation, so it understates total IT spending; the comparison still stands out.

Change Healthcare Ransomware

The UnitedHealth Group (UHG) acquisition of Change Healthcare in 2022 started paying the wrong type of dividends this February when stolen credentials led to over $870 million in damages. The costs, affected patients, and consequences continue to be tallied.

Known Disruption & Damages

Ransomware attackers used stolen credentials to access a Change Healthcare Citrix portal set up without any multi-factor authentication (MFA) protection. Within nine days, the attackers moved laterally through the network and executed a ransomware attack that shut down Change Healthcare’s processing and payment service, which facilitates orders and payments for pharmacies, hospitals, and clinics nationwide.

Disclosed damages and costs include:

  • 4TB of stolen data
  • $22 million in paid ransom
  • $593 million direct response costs
  • $279 million in business disruptions
  • $1.6 billion in total potential damages by year-end

Although the impact on Change Healthcare and UHG will be quantified for the US Securities and Exchange Commission (SEC), the impact on the US healthcare industry is more difficult to measure. CNN interviewed small practitioners stranded without payments, and UHG wound up providing $6.5 billion in advance financing to thousands of providers by April.

UHG admits to paying $22 million to the ALPHV (aka BlackCat) ransomware-as-a-service (RaaS) group to prevent patient records from being leaked to the internet. Unfortunately, the ALPHV gang posted a faked law-enforcement takedown notice on its site and disappeared. The ‘notchy’ affiliate that executed the breach didn’t receive its payment and took the data to a new RaaS gang known as RansomHub, which began leaking patient data.

Exposed Technical Issues & Other Consequences

The initial information exposes the critical importance of using MFA to protect remote access systems and testing backup systems for disaster recovery. Companies should also use free tools available to them. Hudson Rock, a cybercrime intelligence tool vendor with free services, posted that they detected Citrix credentials stolen from Change Healthcare using infostealers a day after the initial attack.

UHG didn’t do itself any favors with its communication strategy. In UHG’s 10-K filing with the SEC at the end of February, the CEO signed off on a statement that claimed “as of the date of this report, we have not determined the incident is reasonably likely to materially impact our financial condition or results of operations.” While this statement doesn’t claim certainty, it implies that UHG still hoped to avoid financial repercussions for a nationwide outage.

Predictably, the US Congress soon called upon Andrew Witty, the top paid healthcare CEO with a compensation of more than $23 million, to testify about healthcare breaches. Witty’s testimony admits that the healthcare provider can’t identify the exfiltrated data or affected patients. Senator Thom Tillis replied, “shame on internal audit and external audit and your systems folks tasked with redundancy. They’re not doing their job. And as a result we have a data breach.”

Other Healthcare Ransomware Attacks

While the sheer scale and scope of the Ascension and Change ransomware attacks steal the headlines, many other healthcare providers also suffered attacks this year. Notable other events include:

These attacks don’t offer many details to learn specific technical lessons, but they highlight that attackers pursue all sizes of organizations anywhere in the world.

Non-Ransomware Breaches

Given all the noise about ransomware, it can be easy to forget that there are other attacks and causes of breaches. While the damage might be reduced, the public embarrassment and fines will still cause reputation damage and potential business losses.

Notable alternative sources disclosed this year include:

  • Email account compromise: The Los Angeles County Department of Health Services sent a data breach notification letter to individuals affected by a phishing attack that stole credentials and gave access to 23 employee email mailboxes.
  • Online trackers: Kaiser Permanente disclosed a HIPAA breach of 1.34 million patients’ information caused by a third-party tracker installed on the Kaiser patient portal.
  • Social engineering: The US Department of Health and Human Services (HHS) Office of Information Security issued a sector alert to warn of threat actors using social engineering tactics on the IT help desks of healthcare and public health providers to gain access to systems and hijack payments.

Note that only two of these breaches stem from external attacks. Kaiser Permanente intentionally added the third-party tracker that caused the data breach without understanding its full consequences and capabilities.

5 Key Cybersecurity Management Lessons to Learn

You can’t just hope to avoid cyberattacks or other disasters, you have to expect that something bad will happen. Learn lessons from the misery of others and plan for failure, cover the basics, take advantage of free resources, guard against third-party breaches, and watch out for potentially costly narratives.

healthcare insights for cybersecurity management

Plan for Failure

Never assume everything will be fine. “It’s imperative for hospitals and all public and private sector organizations to have an assumed breach mindset,” explains Dan Lattimer, Vice President at Semperis. “Preparing now for inevitable disruptions will dramatically improve an organization’s operational resiliency and better prepare them to turn away adversaries, leading the threat actors to softer targets downstream.”

Plan, implement, and regularly drill for potential failure using:

  • Integrated risk management: Align operations goals with security risk to identify and protect the critical points of failure and limit the blast radius of potential issues.
  • Disaster recovery: Exceed the compliance minimums and implement data loss prevention best practices, as well as back up critical systems such as Active Directory, server configurations, and network equipment settings.
  • Tabletop exercises: Talk through potential disasters and response steps in advance so teams can identify points of failure and address them; where possible, execute recovery drills to gain experience with procedures and verify that disaster recovery plans actually work.

Steve Stone, the Head of Rubrik Zero Labs, adds that “we advocate that governments and private industry evaluate and enable recoverable backups for healthcare and a recurring sensitive data evaluation/reporting construct. The University of Twente recently studied factors contributing to paying a ransom and recoverable backups were the single largest delineator with organizations having recoverable backups being 27 times less likely to pay a ransom.”
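The recovery drill in the list above is the step most organizations skip, and Stone’s “recoverable backups” only count if someone has actually restored them. The following is an added example (not code from the article or from Rubrik) showing the minimal shape of an automated restore test: build a backup with an embedded SHA-256 manifest, restore it to a scratch directory, and prove every file came back intact. The file names and contents are constructed stand-ins for the Active Directory database and network-device configs the list says to back up.

```python
"""Restore drill: prove a backup is recoverable, not merely present.

Added example, not code from the article. It creates a small constructed
backup (tar.gz plus an embedded SHA-256 manifest), restores it to a scratch
directory and checks every file against the manifest. File names such as
ntds.dit and switch-core1.cfg are stand-ins, not real data.
"""
import hashlib
import io
import json
import os
import tarfile
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.sha256.json"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(source: Path, archive: Path) -> dict:
    """Archive `source`; embed a manifest of relative path -> sha256."""
    manifest = {p.relative_to(source).as_posix(): sha256_file(p)
                for p in sorted(source.rglob("*")) if p.is_file()}
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
        blob = json.dumps(manifest, sort_keys=True).encode()
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(blob)
        tar.addfile(info, io.BytesIO(blob))
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract, refusing absolute, traversal or link entries from an untrusted archive."""
    with tarfile.open(archive, "r:gz") as tar:
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts or m.islnk() or m.issym():
                raise ValueError(f"unsafe archive entry: {m.name}")
        try:
            tar.extractall(dest, filter="data")   # hardened extraction (Python 3.12+, backported to 3.8.17+)
        except TypeError:                         # older Python without the filter argument
            tar.extractall(dest)


def verify(dest: Path) -> list[str]:
    """Return problems found in a restored tree; an empty list means recoverable."""
    manifest_path = dest / MANIFEST_NAME
    if not manifest_path.exists():
        return ["manifest missing; integrity cannot be proven"]
    problems = []
    for rel, expected in json.loads(manifest_path.read_text()).items():
        p = dest / rel
        if not p.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_file(p) != expected:
            problems.append(f"hash mismatch: {rel}")
    return problems


def run_drill(corrupt: bool = False) -> list[str]:
    """End-to-end drill on a constructed dataset; corrupt=True simulates a
    restore that silently altered a config file, which verify() must catch."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "ad").mkdir(parents=True)
        (src / "ad" / "ntds.dit").write_bytes(os.urandom(4096))   # stand-in, not a real DIT
        (src / "switch-core1.cfg").write_text("hostname core1\n")
        archive = root / "nightly.tgz"
        create_backup(src, archive)
        dest = root / "restore"
        restore(archive, dest)
        if corrupt:
            (dest / "switch-core1.cfg").write_text("hostname core1 ! bit rot\n")
        return verify(dest)


if __name__ == "__main__":
    print("clean restore:", run_drill() or "OK")
    print("corrupted restore:", run_drill(corrupt=True))
```

In a real drill the manifest is generated at backup time and stored separately from the archive (so ransomware that encrypts the backup cannot also rewrite the checksums), and the restore target is an isolated recovery environment rather than a temp directory; the verification logic is the same.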

Cover the Basics of Cybersecurity

While you must plan for disaster, it’s even better to avoid it. Fortunately, a small number of basic security principles can prepare every organization for the bulk of attacks:

  • Protect identity: Credentials will be stolen, so implement MFA to make attacks harder to execute and implement Active Directory (AD) security to catch attempted credential abuse.
  • Test systems: Don’t assume correct installations and configurations; use penetration testing to validate the initial and ongoing status of externally facing and high-value systems.
  • Patch known weaknesses: Vendors regularly issue patches to fix discovered flaws, so use patch or vulnerability management to prioritize, track, and implement fixes.
  • Identify and manage assets: To ensure no devices are overlooked, perform asset discovery and implement IT asset management, especially for high-risk systems.
  • Control regulated data: Use data tracing and identification through data loss prevention (DLP) and other tools to find data, control access, and protect it with encryption.

Yossi Rachman, Senior Director of Security Research, Semperis, emphasizes that “Active Directory environments are the most vulnerable entry points and one of the most negatively impactful attacks; hackers frequently target these environments, making it imperative that organizations have real time visibility to changes to elevated network accounts and groups.”
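Rachman’s point about real-time visibility into changes to elevated accounts and groups, and the “Protect identity” item above, can be turned into a concrete detection. The following is an added example (not code from the article, from Semperis, or from any vendor) that scans Windows Security events for additions to privileged AD groups and escalates when the added account was created minutes earlier, a common persistence pattern after credential theft. The event IDs are the real Windows identifiers; the event records, account, group and domain names are constructed for the example.

```python
"""Flag changes to privileged Active Directory groups in Windows Security events.

Added example, not code from the article. SAMPLE_EVENTS below are constructed
records in the shape of Windows Security log fields; event IDs are the real
ones (4720 = user account created; 4728/4732/4756 = member added to a
security-enabled global/local/universal group). Account, group and domain
names are hypothetical.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720
GROUP_MEMBER_ADDED = {4728, 4732, 4756}
# Assumed Tier-0 watch list; replace with the groups that matter in your forest.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "schema admins",
                     "administrators", "account operators"}


@dataclass(frozen=True)
class Alert:
    severity: str   # medium | high | critical
    event_id: int
    subject: str    # who made the change (SubjectUserName)
    detail: str


def normalize_group(name: str) -> str:
    """Drop an optional DOMAIN\\ prefix and case-fold ("CORP\\Domain Admins")."""
    return name.rsplit("\\", 1)[-1].strip().casefold()


def cn_from_dn(dn: str) -> str:
    """4728-style MemberName is a DN; pull the leading CN for matching."""
    m = re.match(r"CN=([^,]+)", dn, re.IGNORECASE)
    return (m.group(1) if m else dn).strip().casefold()


def analyze(events, window: timedelta = timedelta(hours=1)) -> list[Alert]:
    """Walk events in time order; escalate when a freshly created account
    is added to a privileged group inside `window`."""
    alerts: list[Alert] = []
    created_at: dict[str, datetime] = {}
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        ts = datetime.fromisoformat(ev["TimeCreated"])
        eid = ev["EventID"]
        if eid == ACCOUNT_CREATED:
            created_at[ev["TargetUserName"].casefold()] = ts
            alerts.append(Alert("medium", eid, ev["SubjectUserName"],
                                f"created account {ev['TargetUserName']}"))
        elif eid in GROUP_MEMBER_ADDED:
            if normalize_group(ev["TargetUserName"]) not in PRIVILEGED_GROUPS:
                continue   # routine group, e.g. Remote Desktop Users
            member = cn_from_dn(ev["MemberName"])
            detail = f"added {ev['MemberName']} to {ev['TargetUserName']}"
            severity = "high"
            born = created_at.get(member)
            if born is not None and ts - born <= window:
                severity = "critical"
                detail += f" (account created {int((ts - born).total_seconds() // 60)} min earlier)"
            alerts.append(Alert(severity, eid, ev["SubjectUserName"], detail))
    return alerts


# Constructed sample events (not real logs).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-05-08T10:00:00", "EventID": 4720,
     "SubjectUserName": "jsmith", "TargetUserName": "svc-backup"},
    {"TimeCreated": "2024-05-08T10:07:00", "EventID": 4728,
     "SubjectUserName": "jsmith", "TargetUserName": "Domain Admins",
     "MemberName": "CN=svc-backup,CN=Users,DC=corp,DC=example"},
    {"TimeCreated": "2024-05-08T11:30:00", "EventID": 4732,
     "SubjectUserName": "helpdesk01", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=Alice Liu,OU=Staff,DC=corp,DC=example"},
    {"TimeCreated": "2024-05-08T12:00:00", "EventID": 4756,
     "SubjectUserName": "dadmin", "TargetUserName": "CORP\\Enterprise Admins",
     "MemberName": "CN=Bob Tran,OU=Staff,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity.upper()}] {a.event_id} by {a.subject}: {a.detail}")
```

The same logic runs unchanged over events pulled from a SIEM or from `Get-WinEvent` on the domain controllers; what matters is that the privileged-group list is maintained deliberately and that the “create then elevate” correlation fires in minutes, not in the next quarterly audit.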

Use Free Resources

Healthcare organizations, like most organizations, struggle to grow IT budgets. However, teams can invest a little time to use free resources without causing financial strain.

While these tools may require more time and expertise than commercial tools, helpful tips can be easily found in a large number of online articles, videos, and community forums.

Prevent Third-Party Breaches

As MediSecure experienced, trusted partners can become the source of attack. Jeremy Nichols, NTT Security Holdings Director, Global Threat Intelligence Center, recommends that “healthcare providers need to strongly assess supply chain providers, third party integrations, and customer and insurance web portals. These present major publicly facing entry points to provider, insurance, and patient data that leave both healthcare organizations and their patients at risk.”

  • Track vendor risks: Third-party risk management tools help to track partners and to even conduct risk assessments against their infrastructure.
  • Monitor software supply chains: Use software and website vulnerability scanners to scan libraries and software supply chain components for flaws and malware.
  • Understand web plug-ins: Fully understand the capabilities and consequences of installing third-party plugins to websites to avoid inadvertent security breaches.
  • Apply API security: Application programming interfaces (APIs) create fast software connections, but API vulnerabilities can be very hard to detect and quite dangerous.
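The Kaiser tracker case above is an inventory failure before it is a security failure: nobody had enumerated which outside origins the portal page called, or what page context those requests carried. The following is an added example (not code from the article or from Kaiser) that parses a page and lists every third-party host that receives a request, which is the starting point for the “understand web plug-ins” review. The HTML and hostnames are constructed for the example.

```python
"""Inventory third-party resources a web page loads (scripts, pixels, iframes).

Added example, not code from the article. SAMPLE_HTML is a constructed
stand-in for a patient-portal page; all hostnames are hypothetical. The goal
is to see every outside origin that receives a request (and therefore page
context such as the URL and referrer) before deciding whether it belongs.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# tag -> attribute that triggers a fetch
SRC_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.resources: list[tuple[str, str]] = []
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and not a.get("src"):
            self.inline_scripts += 1   # inline JS needs a code review, not a host check
        attr = SRC_ATTRS.get(tag)
        if attr and a.get(attr):
            self.resources.append((tag, a[attr]))


def host_of(url: str, page_host: str) -> str:
    """Host that serves `url`; relative URLs belong to the page host,
    protocol-relative ones (//cdn...) to the named host."""
    parts = urlsplit(url.strip())
    if parts.scheme == "data":
        return "data:"
    return (parts.hostname or page_host).lower()


def third_party_inventory(html: str, page_host: str, allowed_hosts=()):
    """Return ({host: [tags...]} for hosts outside the allow list, inline script count)."""
    p = ResourceCollector()
    p.feed(html)
    allowed = {h.lower() for h in allowed_hosts} | {page_host.lower()}
    report: dict[str, list[str]] = {}
    for tag, url in p.resources:
        host = host_of(url, page_host)
        if host == "data:" or host in allowed:
            continue
        report.setdefault(host, []).append(tag)
    return report, p.inline_scripts


# Constructed sample page (not a real portal).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/app.css">
<script src="https://static.example-health.test/app.js"></script>
<script src="//cdn.analytics-vendor.test/tag.js" async></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<img src="https://px.adtech.test/p.gif?id=123" width="1" height="1">
<iframe src="https://chat.widget.test/embed?acct=42"></iframe>
<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">
</body></html>"""

if __name__ == "__main__":
    report, inline = third_party_inventory(
        SAMPLE_HTML, "portal.example-health.test", ["static.example-health.test"])
    for host, tags in report.items():
        print(f"third party: {host:32} via {', '.join(tags)}")
    print("inline scripts:", inline)
```

Each host in the report should map to a named vendor, a contract that covers the data it can see, and a documented data flow; anything that does not is the kind of tracker that becomes a breach notification. Once the list is agreed, a Content-Security-Policy header that names only those hosts turns the inventory into an enforced control rather than a one-time review.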

Beware the Narrative

Overly optimistic initial assessments and denials not only create backlash, but also provide motivation and ammunition for punitive litigation. To make matters worse, recent decisions regarding IT spending or resource allocation will always be examined more than might be reasonable after a breach.

  • Consider future optics: Before making outsourcing, budgets, and management pay decisions, consider how they might look in context to significant breaches.
  • Avoid false certainty: Press teams always push for strong, confident statements to boost stakeholder confidence, but avoid optimistic interpretations.

While doom and gloom are equally useless, optimism provides more fuel for backlash. Keep statements simple, clear, and to the point.

Bottom Line: Learn Healthcare’s Lessons Before Suffering Pain

Ransomware and other attacks will continue to surge so long as attackers continue to profit. To avoid joining these high profile healthcare organizations in public shame and financial pain, apply the five key lessons to improve your organization’s security today. Security will never be completely foolproof, but it certainly can decrease the blast radius of a successful attack and keep you out of the news.

If you don’t have the resources to act, explore outsourcing as an option for improved security and read about managed security service providers (MSSPs).

What Is Security Service Edge (SSE): All You Need to Know https://www.esecurityplanet.com/networks/what-is-security-service-edge-sse/ Tue, 28 May 2024 23:21:26 +0000 https://www.esecurityplanet.com/?p=35479 Security service edge (SSE) is cloud-centric security for safe access to websites, SaaS, and private apps. Read along to know more.

Security service edge (SSE) is a security technology that secures access to assets outside of the corporate network. SSE works by extending security to cover the dispersed threat landscape where websites, cloud assets, and many employees operate outside of the traditional firewall protection. To fully explain SSE, I’ll cover its key features, benefits, challenges, use cases, vendors, and trends as well as contrast SSE against alternative solutions.

How Does SSE Work?

Security service edge inserts a cloud-hosted control point that both remote users and remote assets connect to before they connect to each other. It solves the problem organizations experience in a modern IT environment where many users and assets reside outside of the protected corporate network.

Some organizations use virtual private networks (VPNs) to pull remote user access within the network, but these solutions cause huge bottlenecks and some users will bypass the VPN to access software-as-a-service (SaaS) and third-party websites. All SSE tools borrow from network security concepts to isolate communication within an envelope of protection and many introduce the granular security controls of zero trust as well.

How SSE works

5 Key Components & Capabilities of SSE

An integrated SSE tool needs to include capabilities for access control, acceptable use, data security, security monitoring, and threat protection. Additionally, SSE should integrate with other operations and security controls to enable connections to data centers, cloud resources, local networks, websites, and both in-house and third-party apps.

Access Control

Access controls validate user credentials, authorize access to specific assets, and block unauthorized devices, users, and access requests. The solution must also control access to external SaaS apps and third-party website access. Typical identity access management (IAM) tools won’t provide enough protection for cloud resources.

More robust solutions, such as a cloud access security broker (CASB), enterprise VPNs, or zero-trust network access (ZTNA), need to be used to ensure that remote users use the tool to access remote assets. Some SSEs will even check device posture and check for missing patches as part of additional network access control (NAC) features.

Acceptable Use

Within a local network, acceptable use and IT security policies need to be enforced to prevent users from visiting unacceptable websites or misusing data. As with access control, traditional solutions generally can’t sufficiently protect SaaS app data, cloud resources, and direct website access for remote users.

SSEs combine CASB, secure web gateway (SWG), and user and entity behavior analytics (UEBA) capabilities. Combined, these controls monitor and block unacceptable access or use for all assets, applications, and websites.

Data Security & Threat Protection

Data security must protect incoming and outgoing data flows against leak or attack with protection equivalent to an internal network firewall and network monitoring. SSE tools will often deploy a cloud-hosted firewall-as-a-service (FWaaS) as the fundamental tool to decrypt and examine traffic flows to block threats. SWG capabilities can also screen IP addresses and websites to protect against known-malicious sites.
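Both the DNS-level Threat Blocker denylist described for GoodAccess earlier and the SWG screening of known-malicious sites here reduce to the same matching problem: decide whether a queried name falls under a denylisted domain. The following is an added example (not code from the article or from any vendor) that implements that match on DNS label boundaries with allow-list exceptions and IDNA normalization, run over constructed resolver log lines; the rules and names are hypothetical. It also shows the edge case a naive substring match gets wrong.

```python
"""Domain denylist matching with label-boundary semantics, as used by DNS-layer
threat blocking and SWG URL filtering.

Added example, not code from the article or any vendor. Rules, exceptions and
the query log are constructed. Matching walks the label hierarchy, so a rule for
"evil.test" blocks "cdn.evil.test" but not "notevil.test"; a substring match
would block the second and is a common bug in home-grown filters.
"""
from dataclasses import dataclass
from typing import Optional


def normalize(name: str) -> str:
    """Lowercase, drop the trailing root dot, and IDNA-encode non-ASCII labels
    so "bücher.test" and "xn--bcher-kva.test" compare equal."""
    name = name.strip().rstrip(".").casefold()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name


@dataclass
class Verdict:
    blocked: bool
    rule: Optional[str] = None   # the deny or allow entry that decided it


class DomainFilter:
    def __init__(self, deny, allow=()):
        self.deny = {normalize(d) for d in deny}
        self.allow = {normalize(a) for a in allow}   # explicit exceptions win

    @staticmethod
    def _ancestors(name: str):
        labels = name.split(".")
        for i in range(len(labels)):
            yield ".".join(labels[i:])   # most specific first

    def check(self, qname: str) -> Verdict:
        name = normalize(qname)
        for candidate in self._ancestors(name):
            if candidate in self.allow:
                return Verdict(False, candidate)
            if candidate in self.deny:
                return Verdict(True, candidate)
        return Verdict(False)


def filter_queries(log_lines, dfilter: DomainFilter):
    """Parse 'ts client qname qtype' lines; return (qname, rule) for blocked ones."""
    blocked = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue   # malformed line, skip rather than fail open or closed silently
        v = dfilter.check(parts[2])
        if v.blocked:
            blocked.append((parts[2], v.rule))
    return blocked


DENY = ["evil.test", "tracker.badads.test", "bücher.test"]
ALLOW = ["safe.evil.test"]

# Constructed resolver log lines (not real traffic).
SAMPLE_LOG = [
    "2024-05-08T10:00:01 10.0.0.5 cdn.evil.test. A",
    "2024-05-08T10:00:02 10.0.0.5 notevil.test A",
    "2024-05-08T10:00:03 10.0.0.7 SAFE.evil.test A",
    "2024-05-08T10:00:04 10.0.0.7 www.tracker.badads.test AAAA",
    "2024-05-08T10:00:05 10.0.0.9 badads.test A",
    "2024-05-08T10:00:06 10.0.0.9 xn--bcher-kva.test A",
]

if __name__ == "__main__":
    f = DomainFilter(DENY, ALLOW)
    for qname, rule in filter_queries(SAMPLE_LOG, f):
        print(f"BLOCK {qname:28} rule={rule}")
```

Note that "badads.test" is not blocked even though "tracker.badads.test" is: a deny entry covers itself and its subdomains, never its parents. Threat feeds are usually published at the registered-domain level for exactly that reason, and the allow list is where the exceptions go when a feed is too broad.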

Some SSEs add further protection to the endpoint through remote browser isolation (RBI) that keeps all work within the browser session to prevent data exfiltration and minimize malware access to the endpoint. Additional data protection can also be applied through data loss prevention (DLP) capabilities that track sensitive or secret data use.

Security Monitoring

Internal network intrusion detection and prevention systems (IDPS) don’t extend beyond the firewall, but traffic still needs monitoring to capture signs of attack on remote assets. Security service edge tools use the FWaaS scanning to capture many signs of attack and can use CASB capabilities to scan SaaS data to complement the firewall scanning. Some tools even use cloud security posture management (CSPM) capabilities to monitor cloud infrastructure.

Security Stack Integration

SSE tools provide strong security but must integrate with other systems to provide more comprehensive network security and protection for the organization overall. Common integrations needed include:

Connectors can be explicit and tailored for common solutions, but others will require using standardized application programming interfaces (APIs).

Primary Benefits of SSE

Security service edge tools directly address the security and operations problems created by attempting to secure remote users and assets. Adopting SSE will reduce complexity, secure remote assets, and improve remote security, network traffic, and visibility into user behavior.

Improved Remote Security

Remote users often bypass VPN security to directly access cloud apps such as Office 365 and Salesforce or to browse the web. These direct connections lack security controls to adequately defend against viruses and prevent endpoint infections. SSE introduces additional cloud-based and scalable security controls to improve remote user security with minimal disruption.

Improved Network Traffic Performance

Traditional solutions use VPNs to route traffic within the corporate network only to send many connections right back out to the internet. Additionally, the traffic will be subject to network firewall and other security inspections for each traversal. SSE eliminates these bandwidth-wasting practices to improve performance and user experience.

Reduced Security Tool Complexity

A number of tools can replicate SSE capabilities for teams with the expertise and capability to perform the complex integration and installation. However, most will choose to benefit from an integrated SSE that consolidates the capabilities under a single management pane with dramatically less complicated integration and installation requirements.

Secure Access to All Assets

Traditional network security can only secure traffic rerouted into the local network using VPNs, so many users directly connect to SaaS apps and websites without sufficient protection. SSE extends security to all users, Internet of Things (IoT), operations technology (OT), cloud assets, and applications that reside outside of the internal network.

Visibility & Control of User Activities

Traditional security can’t track or monitor remote users that bypass VPN controls, which allows malicious insiders or users with stolen credentials to access or potentially exfiltrate sensitive data from remote assets (SaaS applications, cloud databases, etc.). SSE introduces full visibility into user behavior to detect and control unauthorized behavior.

Common Challenges of SSE

SSE provides distinct benefits to protect remote users. Yet the technology still introduces challenges that affect adoption or successful implementation.

  • Integration difficulties: Some existing communications and security tools may lack support from specific SSE tools and require additional integration efforts or workarounds.
  • Legacy architecture issues: SSE performs security in a dramatically different fashion for improved efficiency, but forcing SSE processes into legacy network architecture or security processes will introduce delays and performance issues. 
  • SSE adaptation struggles: New technology requires review and heavy modification of policies and procedures developed for traditional security tools to cover SSE capabilities; may potentially need entirely new incident response plans and processes.
  • Third-party packet inspection: Cloud-based SSE providers perform data inspection to protect against malware and malicious insider data use, which technically can expose secrets to third parties; this might be unacceptable and require modification.
  • User resistance: SSE introduces new security controls where none previously existed, which may cause user complaints and other issues during implementation and training.

5 SSE Use Cases & Applications

The primary use case for SSE is to protect the remote users and assets outside of the network. However, what this means exactly will vary dramatically from organization to organization. To make this concept more tangible, consider the following five specific use cases incorporating video editing, international shipping, medical, human resources, and sales reps.

Break VPN Logjams

A large number of remote users at a video editing company still use VPN connections to access video editing suites that have moved to the cloud. The high-bandwidth video streaming requirements now pass through security and through the company’s VPN structure multiple times crushing bandwidth and performance. SSE adoption eliminates the VPN logjam to make direct connections that require less inspection to dramatically improve performance.

Global OT Monitoring

A fleet of transport ships will deploy a large number of sensors to monitor engines and other systems but lack the IT talent to maintain local networks. Deploying SSE enables secure connections between world-wide OT deployments, the cloud-based monitoring applications, and data lakes for sensor data storage.

Improved Medical Professional Experience

Doctors and nurses rush to address patients’ needs in a medical center, which makes them prone to forgetting login credentials or falling for phishing attacks. Implementing SSE can enable single sign-on experiences that eliminate repeated login prompts and add security protection to block additional malware exposure. This improves both the experience and the security of checking Office 365 email or accessing remote resources for medical imaging, billing, or messages.

Safer Resume Screening

Telling employees not to click on attachments to avoid malware doesn’t work for human resources professionals who must open and evaluate resume attachments as part of their job. An SSE deployment with remote browser isolation protects remote-work HR professionals with a sandboxed environment in their browser to open and evaluate PDF files and other attachments safely and securely.

Secure Remote SaaS Users

Sales reps need access to Salesforce, Box, and other SaaS tools to manage leads and distribute sales materials securely. To protect against unauthorized access using stolen credentials or unauthorized downloads of leads by departing sales reps, SSE can be implemented to protect the reps, secure the SaaS resources, and block unauthorized use.

Top SSE Solution Options

For those considering an SSE tool, start with the top-ranked vendors in Gartner’s Magic Quadrant for Security Service Edge:

  • Fortinet: The only vendor in the Challenger quadrant, FortiSASE also includes SD-WAN and builds on Fortinet’s next-generation firewalls for strong packet filtering.
  • Lookout: This cloud security provider in the Visionary quadrant focuses on data protection and claims a 60-minute or less deployment.
  • Netskope: Using a private cloud network in 70+ regions, Netskope claims a spot in the Leader quadrant with strong operations capabilities for ZTNA.
  • Palo Alto Networks: Strong security performance for ZTNA and firewall capabilities earn Prisma SASE (which includes SD-WAN) a Leader quadrant position for SSE.
  • Skyhigh Security: Remote browser isolation and data loss protection included in its SSE secure data effectively and earn Skyhigh a spot in the SSE Visionary quadrant.
  • Zscaler: Its cloud-first architecture and built-in zero-trust capabilities for a wide variety of assets earn Zscaler a position in the Leaders quadrant for SSE.

While there is some overlap between secure access service edge (SASE) and SSE tools, many quality SSE tools will not qualify under SASE because they lack full SD-WAN integration.

Difference Between SSE, SASE & VPNs

SSE, SASE, and VPNs all manage remote access using different techniques and network security architectures. SASE essentially integrates SD-WAN capabilities into SSE to add network segmentation and operations capabilities such as quality of service (QoS). SASE vendors offer more capabilities but will also require more setup, network equipment, and possibly migration time to reproduce network connections.

Traditional VPNs route all traffic through the local network to use traditional network security controls to protect remote users and assets, but often suffer scalability problems and both network and internet connection bandwidth issues. Enterprise VPN addresses scalability and bandwidth problems through cloud-based gateways and access points but lacks the full SSE or SASE capabilities to secure remote applications and cloud infrastructure.

Key SSE Future Trends

Buyers can expect their own needs for security service edge to change as security standards, industry regulations, and the SSE tools themselves evolve. Look for changes to the market to center around tool adoption, expanding requirements, and improved support in addition to increased SSE capabilities.

Adoption Motivated by Security & Operations Advantages

SSE introduces additional agility, scalability, and operations improvements for organizations even as the need to secure remote users and assets continues to increase and add pressure to security and operations teams. These advantages and trends will drive increased deployments for organizations of all sizes.

Blurred Product Definitions

SSEs and VPNs once represented very distinct and different solutions. However, as enterprise VPNs and firewall providers continue to add additional SWG, CASB, and UEBA features to their products, the distinctions will blur as capabilities become similar. In the future, buyers will focus on implementation, integration, and price models as top distinguishing aspects.

Expanded Service Provider Support

Managed service providers (MSPs) will reflect the needs of their customers and continue to expand support for SSE integration and ongoing management. The current cloud-based providers already provide multi-tenant capabilities and service providers will discover opportunities to support customers as they add more and more users and assets to the SSE umbrella of protection. 

Increased Connectivity Requirements

As more IoT and OT devices become connected through traditional and mobile (5G, etc.) networks, SSE tools will need to expand their capabilities to integrate protection for an increasingly diverse array of endpoints. Future endpoints should include sensors, security cameras, radio frequency identification (RFID) sensors, and much more.

Advanced Zero Trust Features

Currently, vendors with zero trust network access (ZTNA) promote it as a basic component of SSE. As Zero Trust becomes more defined by regulation and adoption of zero trust improves, vendors will apply zero trust principles to other aspects of the SSE tool, such as identity and website access, to further enhance security.

Bottom Line: SSE Locks Down the Modern Network

Security service edge more than replaces traditional VPN security for remote users. SSE encompasses the remote IoT devices, cloud infrastructure, and SaaS apps that operate beyond normal VPN protection in our modern IT infrastructure. If it’s time to secure your remote assets, schedule a demo with a couple of top SSE candidates to learn how this solution can secure your architecture.

For those that only need to secure remote users, consider a more basic approach and read about VDI vs VPN vs RDP.

Get the Free Cybersecurity Newsletter

Strengthen your organization's IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

The post What Is Security Service Edge (SSE): All You Need to Know appeared first on eSecurity Planet.


What Is DRM? Understanding Digital Rights Management
https://www.esecurityplanet.com/networks/what-is-digital-rights-management-drm/ (Mon, 20 May 2024 19:28:12 +0000)

Digital rights management (DRM) protects content from theft, copying, or misuse. Explore its components, implementation, and limitations.

Digital rights management (DRM) is an encryption technology that enforces creators’ rights. The most well-known examples restrict making copies of digital files, yet there are other techniques and use cases to explore — as well as benefits and challenges. To round out understanding, I cover how DRM is applied, top available technologies, and legal considerations for using DRM.

How Does Digital Rights Management (DRM) Work?

Digital rights management wraps digital data into an encrypted wrapper tied to a license that contains the rules for how the content may be used. After encryption, you can distribute the file and users will access it according to the DRM license rules. DRM typically requires four stages to function: encryption, management, authorization, and verification.

  • Encryption of digital files enforces content owners’ rights and restricts the future use of the protected data. A common restriction involves controlled access that will only allow file access in the presence of specific hardware (microchip set, etc.), IP address, geographic location, or device type. Other restrictions could include limited-duration access, flagged ownership (watermarks, metadata, etc.), or use restrictions such as limited copies or blocked printing.
  • Management of DRM defines the encryption process, controls the software performing encryption, defines the license terms, and controls the file access restrictions. The management software will also track encrypted file use and continuously enforce digital rights.
  • Authorization provides the key for the encrypted file tied to the digital license with rules for how to use the content, but doesn’t unlock the asset without verification. The authorization can be associated with specific hardware, shared encryption keys, passwords, and more.
  • Verification of the DRM process validates the authorization key and finally unlocks the file. This process can be built into the DRM-encrypted file itself for a combined authorization and verification step, or it can require an internet connection to verification servers.
The Digital Rights Management (DRM) Process

6 Benefits of Digital Rights Management

When an organization applies digital rights management to an asset, most seek the primary benefit of securing content. Yet, DRM also helps to claim ownership of the digital content, enables potential revenue streams, helps track files, provides enforcement evidence, and reduces labor costs for internal use.

Secures Content for Specific Use

DRM secures content to limit theft and restrict use to authorized users. This primary benefit extends to third-party partners to limit use and prevent damage from data breaches or attempts to illegally distribute or access the content. Secured content remains private until unlocked and can also be regionally restricted to comply with local laws regarding age or content restrictions.

Claims Ownership of Content

Applying DRM to content stakes an ownership claim as unobtrusive as a watermark on photos or marketing material or as complete as password-protected content with highly restrictive usage rules. DRM reinforces copyright with tangible restrictions and can secure secret or sensitive information against theft or breach.

Enables Payment Opportunities

Secured DRM files protected against free use enable opportunities to unlock the files. Payments could be direct or related to subscriptions through third parties, such as a movie licensed to Netflix. Without DRM, copyright owners risk widespread distribution of intellectual property without compensation.

Permits File Tracking

The full range of free-use to fully-secured DRM content can be configured to contact a validation server. The IP address that sends the validation request can be tracked and used for usage statistics, geographic use limitations, or to comply with local regulations such as age restrictions or territorial licensing.

Provides Evidence for Enforcement

DRM incorporates watermarks and metadata that provide third parties with evidence of ownership. Third-party licensees will be more confident that their licensing fee investments are protected and law enforcement can also use the DRM to verify ownership when pursuing piracy or IP infringement cases.

Reduces Internal Use Labor Costs

DRM can apply to internal digital resources to help marketing, sales, legal, and other teams understand where and when digital resources may be safely used. By affiliating licensing or use information to the files themselves, teams save significant time because they don’t have to check databases, expiration dates, or go through permissions processes. Additionally, risk of misuse will be decreased which saves further time and legal costs from mistakes.

5 Challenges & Limitations of DRM

Digital rights management helps rights holders, but the technology also has limitations. It can bring about disrupted availability, usability issues, dissatisfied consumers, and insufficient security, and the tools tend to be limited.

  • Disrupted availability: Products that require validation fail when used without internet access or when validation servers are disrupted or discontinued. Reduce this poor user experience by protecting servers sufficiently or by choosing a different DRM validation option.
  • Diminished usability: DRM schemes can slow performance, fail to meet industry standards, or lose copyright holder support, which affects a user’s experience. Test DRM tools for potential performance issues in advance to avoid this issue.
  • Disgruntled consumers: Consumer rights concerns and notable DRM incidents, such as the security flaw added by the 2005 Sony BMG DRM, introduce strong consumer resistance. Minimize resistance with a non-disruptive DRM experience.
  • Incomplete security: Even good DRM exposes assets to theft or copying from expert users or under specific conditions (analog conversion, screen recording, etc.). Consider overlapping security controls where possible in anticipation of a small failure rate.
  • Limited tools: DRM tools won’t protect all digital assets equally and may be specialized in specific types of assets or under specific conditions (ex: video streaming). Be sure to select a tool appropriate for the asset and maintain realistic expectations.

In addition to the challenges for an organization to use DRM, network security professionals must also worry about malicious use of DRM. Some attackers take advantage of DRM capabilities to protect files against antivirus inspection and conceal malware. While this proves the capabilities of DRM to secure assets, it also creates circumstances that undermine DRM adoption.

Common Use Cases of DRM-Protected Content

Many different companies use DRM protection to protect assets. The most common examples seen daily include music, books, protected files or emails, software or games, and stock photography.

  • Digital music: Applies various DRM to allow purchases of single songs (iTunes, etc.), or to track songs played to pay artists for streaming (Spotify, YouTube, etc.).
  • eBooks: Limits sharing and devices, and can impose time-based restrictions for digital book files distributed to devices and apps such as the Kindle.
  • Intellectual property: Implements DRM protection for patent documents, pharma research, and other top secret documents for secure sharing and tight access control.
  • Regulated emails: Adds DRM email encryption for HIPAA-regulated health information and other sensitive content that must be shared with external parties.
  • Software licenses: Use license numbers to unlock DRM and allow installation and continued use of software or games from Microsoft, Activision, Adobe, etc.
  • Stock photography: Applies watermarks to photos and tracks metadata for licensed photos to ensure compliance with the terms of purchase and use.

The use of DRM will continue to expand as costs lower and more organizations seek the benefits of DRM protection.

DRM License Models & Architecture

Digital rights management uses three categories of licensing models and four general verification architectures to unlock DRM-protected assets. Once implemented, DRM will use one of two possible support architectures to enable DRM access. Each option provides unique advantages and disadvantages for implementation and user experience.

Licensing Models

DRM users license access to DRM products through subscriptions, pay-per-use fees, or perpetual licensing options.

  • Subscription-based: Charges recurring fees (monthly, annually, etc.) for continued access to the asset, such as a streaming music subscription.
  • Pay-per-use: Requires users to pay for each access attempt or can allow for a limited duration with each purchase, such as seven-day access to a streamed movie.
  • Perpetual licensing: Unlocks access to the asset for a single payment, either directly to the asset holder or through resellers, such as a video game purchased at a store.

All three models may be implemented directly by the DRM rights holder or may be outsourced to a third party to manage both the DRM and the payment infrastructure. For example, Disney offers a subscription-based access to movies through Disney+, pay-per-use access to movies through Amazon.com, and perpetual licenses when consumers buy DVDs from a retailer.

Subscriptions and pay-per-use options allow a rights holder to specify strict limitations for use and offer lower prices than perpetual licenses. However, many consumers prefer the ownership bestowed by a perpetual license, which can give additional rights (see Fair Use below).

Verification Architectures

DRM owners need to implement architecture to enable a selected licensing model. The four categories of verification architectures include online, always-on, offline, and hardware.

  • Online verification: Requires a DRM license server available for users to access to validate access. This model supports all three license types but requires implementation of a licensing server, which can be vulnerable to disruption.
  • Always-on verification: Provides a specialized version of online verification that regularly re-validates access. This model provides more stringent control over use (geolocation, time duration, etc.), but significantly increases server disruption risks.
  • Offline verification: Eliminates DRM server requirements in favor of authentication and validation within the DRM encryption. This model broadens usability for the user and reduces support infrastructure, but requires validation mechanisms built into the DRM.
  • Hardware verification: Represents a subcategory of offline verification using external hardware (ex: microchip), to validate access. This model improves protection, but requires significant preparation and expense. Costs can be offset by selling the hardware, such as a DVD player, for a separate fee.

To avoid poor user experiences, select a DRM verification that can be supported easily with the current available resources (budget, labor, technical talent).
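The four-stage process (encryption, management, authorization, verification) from How Does DRM Work and the offline-versus-online verification choice from the list above, as an added Python example using only the standard library; this is not code from the article or from any DRM vendor. The HMAC counter-mode cipher, the LicenseServer class, and every identifier and piece of sample content are constructed for this illustration.

```python
import hashlib
import hmac
import json
import os
import time

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 counter-mode keystream: a toy cipher standing in for AES-GCM.
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], ks))
    return bytes(out)

def _mac(dev_key: bytes, body: dict) -> str:
    # Binds a license body to one device key; stands in for a server signature.
    return hmac.new(dev_key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

# Stage 1: encryption. Content is sealed once; only the key is ever licensed.
def seal_content(plaintext: bytes, content_key: bytes) -> dict:
    nonce = os.urandom(12)
    ct = keystream_xor(content_key, nonce, plaintext)
    tag = hmac.new(content_key, nonce + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag}

def open_content(sealed: dict, content_key: bytes) -> bytes:
    nonce, ct = bytes.fromhex(sealed["nonce"]), bytes.fromhex(sealed["ciphertext"])
    tag = hmac.new(content_key, nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, sealed["tag"]):
        raise ValueError("content tampered or wrong key")
    return keystream_xor(content_key, nonce, ct)

# Stage 2: management. The server owns content keys, device keys and revocation/usage state.
class LicenseServer:
    def __init__(self):
        self.content_keys, self.device_keys = {}, {}
        self.revoked, self.opens = set(), {}

    def register_device(self, device_id: str) -> bytes:
        self.device_keys[device_id] = os.urandom(32)  # provisioned to the device
        return self.device_keys[device_id]

    def publish(self, content_id: str, plaintext: bytes) -> dict:
        self.content_keys[content_id] = os.urandom(32)
        return seal_content(plaintext, self.content_keys[content_id])

    # Stage 3: authorization. The license carries the usage rules plus the content key
    # wrapped for one device, MACed under that device's key, so it works nowhere else.
    def issue_license(self, content_id, device_id, region, days, max_opens, online):
        dev_key = self.device_keys[device_id]
        wrap_nonce = os.urandom(12)
        wrapped = keystream_xor(dev_key, wrap_nonce, self.content_keys[content_id])
        body = {"license_id": os.urandom(8).hex(), "content_id": content_id,
                "device_id": device_id, "region": region,
                "not_after": int(time.time()) + days * 86400,
                "max_opens": max_opens, "online": online,
                "wrap_nonce": wrap_nonce.hex(), "wrapped_key": wrapped.hex()}
        return {"body": body, "mac": _mac(dev_key, body)}

    def revoke(self, license_id: str) -> None:
        self.revoked.add(license_id)

    def validate_online(self, body: dict) -> str:
        # Online/always-on check: revocation and open counting live server-side.
        lid = body["license_id"]
        if lid in self.revoked:
            return "license revoked"
        if self.opens.get(lid, 0) >= body["max_opens"]:
            return "open limit reached"
        self.opens[lid] = self.opens.get(lid, 0) + 1
        return "ok"

# Stage 4: verification on the device. Offline licenses are checked entirely locally
# (nothing to disrupt, but no revocation or open counting); online ones fail closed.
def check_license(lic: dict, device_id: str, dev_key: bytes, region: str,
                  server: LicenseServer = None, now: int = None) -> str:
    body = lic["body"]
    if not hmac.compare_digest(_mac(dev_key, body), lic["mac"]):
        return "bad license MAC"
    if body["device_id"] != device_id:
        return "wrong device"
    if body["region"] != region:
        return "region not licensed"
    if (now if now is not None else int(time.time())) > body["not_after"]:
        return "license expired"
    if body["online"]:
        return "license server unreachable" if server is None else server.validate_online(body)
    return "ok"

def verify_and_open(lic, sealed, device_id, dev_key, region, server=None, now=None) -> bytes:
    verdict = check_license(lic, device_id, dev_key, region, server, now)
    if verdict != "ok":
        raise PermissionError(verdict)
    body = lic["body"]
    key = keystream_xor(dev_key, bytes.fromhex(body["wrap_nonce"]), bytes.fromhex(body["wrapped_key"]))
    return open_content(sealed, key)
```

The offline path never consults the server, which is why it cannot revoke or count opens; the online path enforces both but returns "license server unreachable" when the server is gone, the disrupted-availability failure mode described earlier.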

DRM Support Architectures

Choosing a DRM solution also requires consideration of the technology required to continue to support the DRM. The two main support options are DRM servers and viewers, and each comes with associated security concerns:

  • DRM license servers: Provide remote DRM validation on the web or through a local network and manage license restriction checks. However, server implementation requires various security solutions to protect this infrastructure from attacks such as distributed denial of service (DDoS).
  • Specific DRM viewers: Enforce DRM capabilities through plugins, browsers, or installed software.
    • DRM plugins (ex: PDF plugin) enable quick and easy deployment, but can be bypassed by updates or other plugins. Users also need to download plugins and keep them updated.
    • Browser viewers use cloud-based asset storage and require the least user effort to implement, but can be slow, especially when combining large image files and slow local networks. 
    • Installed software offers the most control over user experience and the best security, but the local software installation will be resisted by some users and IT admins because it introduces requirements for regular maintenance and updates.

These security concerns will affect both corporate and user adoption and must be considered when examining DRM options to determine fit.

6 DRM Technologies to Use Now

Many vendors offer technologies to help manage internal and external assets with DRM protection. Some options, such as hardware-based DRM, will require extensive engineering and expense beyond the scope of this article. For much more turnkey DRM options, consider:

  • Adobe Experience Manager: Supplies brands with cloud-based infrastructure for digital asset management (DAM) and DRM integrated with Creative Cloud applications.
  • Fortra Digital Guardian: Facilitates secure collaboration for any file types without any software required for the end user to install.
  • Kiteworks DRM: Provides editable file access for partners while retaining usage rights for office files, PDFs, graphics, and video files.
  • Lock Lizard: Offers DRM protection for PDF files and a secure PDF viewer that provides control over file copies, printing, screenshots, or sharing.
  • Red Points DRM: Supplies brands with a focused DRM solution to locate and counter counterfeits, gray markets, domain abuse, piracy, and similar issues.
  • MemberSpace: Adds a membership paywall and DRM protection for websites to protect and monetize digital assets in a SaaS turnkey fashion.

When selecting a DRM option, be sure to align the capabilities of the tool with the DRM needs. Specifically, consider the format of the digital files, tracking or monitoring requirements, infrastructure requirements, user installation requirements, and the potential alerts to manage.

Legal Considerations of DRM

Digital rights management adds additional technical protections for assets, and the US Digital Millennium Copyright Act (DMCA) passed in 1998 makes it illegal for anyone but the entity that applied the DRM to remove it. However, enforcement of DMCA remains weak and many other countries tacitly or explicitly allow for DRM removal or circumvention:

  • China: Doesn’t enforce or protect international copyright holders.
  • European Union: Allows DRM circumvention under certain circumstances.
  • Israel: Doesn’t prohibit DRM circumvention.
  • Pakistan: Currently doesn’t criminalize DRM circumvention or enforce copyrights.

Some aspects of DRM that tightly restrict use conflict with the Fair Use clause of US copyright law, which allows free use under specific circumstances (parody, teaching, research, etc.). Similarly, DRM can conflict with the First Sale Doctrine, which entitles the owner of a copy of a copyrighted work to sell, rent, lend, or share that copy. When adding DRM, be specific in the license terms presented to consumers to avoid potential conflicts with these laws.

Frequently Asked Questions (FAQs)

Digital rights management is a technology used to assert ownership and control over a digital asset. It works by wrapping the digital file within computer code, often encryption, that signals ownership and limits use of the digital asset. DRM adds encryption security controls to control access to files that may be shared externally or even stolen from the local network.

Digital rights management helps content creators to secure, assert ownership, track, and enable payment for their digital content as well as provide evidence for enforcing rights. Content creators can more confidently pursue digital distribution even without direct control over the asset because the DRM follows the asset.

DRM can enforce copyright protection, but is independent of the legal framework and process that provides copyright protection. Copyrights will protect an asset in court from illegal use, and DRM will provide technical controls to protect an asset during use.

DRM doesn’t stop piracy or counterfeiters; however, DRM will dramatically reduce casual piracy or intellectual property theft through technical limitations. DRM can also help detect the use of legitimate images used on counterfeit product websites to aid in legal actions.

Bottom Line: DRM Provides Special-Use Encryption

Digital rights management progresses past the normal locked or unlocked nature of encryption to provide more granular control over digital asset use. When adopting DRM, you retain the protections of encryption and add additional options for collaboration, monetization, and secure distribution. Consider how DRM can expand your opportunities and explore the option that fits your specific use case.

To learn about various categories of more traditional encryption, read about the best encryption software and tools.


The post What Is DRM? Understanding Digital Rights Management appeared first on eSecurity Planet.

Top 6 Active Directory Security Tools for Auditing, Monitoring & Protection
https://www.esecurityplanet.com/products/active-directory-security-tools/ (Thu, 16 May 2024 09:00:00 +0000)

Active Directory can't protect against every security risk. Here are 10 Active Directory security tools that can help keep it safe and secure.

Active Directory security tools protect the critical Active Directory (AD) services that manage identities and access throughout a network. While many specialty AD tools exist, the best tools cover a breadth of capabilities to audit, monitor, harden, and secure AD. To help you select the right solution for your needs, I compared capabilities, ranked the tools, and identified strong use cases for each of the top-ranking solutions.

Here are the six best Active Directory security tools:

Top Active Directory Security Tools Comparison

The following table provides a quick overview of the top six tools across four important AD security functions and pricing.

Tool | Audit Accounts & Privileges | Attack Path Discovery | Real-Time Protection | AD Backup & Recovery | Pricing
Tenable Identity Exposure | ✔ | ✔ | ✔ | ❌ | Contact for quote
Varonis Data Security Platform | ✔ | ✔ | ✔ | ❌ | Contact for quote
CrowdStrike Falcon Identity Protection | ✔ | ✔ | ✔ | ❌ | $24.71+ / month / endpoint for 1,000 licenses
SolarWinds ARM | ✔ | ❌ | ❌ | ❌ | $2,083+
Netwrix Auditor | ✔ | ❌ | ✔ | ✔ | Contact for quote
Semperis Directory Services Protector | ✔ | ✔ | ✔ | ✔ | Contact for quote

Although some Active Directory tools may score highly in one category or another, I found that Tenable Identity Exposure offers the best overall value. Learn more below how each solution fared in terms of pricing, features, and primary use cases, or jump down to see how I evaluated the products.

Tenable Identity Exposure: Best Overall AD Security Tool

Overall Rating: 4.4/5

  • Audit and harden features: 4.8/5
  • Monitoring, response, and recovery features: 4.6/5
  • Ease of use: 4.5/5
  • Price and value: 3.6/5
  • Support availability: 3.4/5

Tenable Identity Exposure earns the highest score overall and the top score for audit and hardening features. The tool uses an intuitive GUI to clearly expose vulnerabilities, misconfigurations, attack paths, and group policy object (GPO) issues through an interactive topology. The AD and Entra ID (formerly Azure AD) protection tool also tops ease of use with flexible software-as-a-service (SaaS), local, or even Tenable One platform deployment options.

Pros

  • Doesn’t use installed agents
  • Checks for password strength and other issues
  • One tool and one dashboard for all AD needs

Cons

  • No pricing transparency
  • Doesn’t automatically block attacks
  • Doesn’t perform AD backup and recovery

Pricing

  • Tenable Identity Exposure: Licensed per user, contact for quote
  • Tenable One: Licensed per asset, contact sales for pricing
  • Customer support: Standard, Advanced, Premier, and Elite; contact sales for price
  • Free trial: 7 days for Tenable One; available for Identity Exposure, but no term listed
  • Free demo: Contact to schedule

Key Features

  • Full-range protection: Provides investigation and real-time threat detection capabilities in addition to auditing and monitoring capabilities.
  • Attack path visualization: Displays potential attack paths and actual AD change history through intuitive graphic displays for faster comprehension, analysis, and action.
  • Alert integration: Connects to security information and event management (SIEM) and security orchestration, automation, and response (SOAR) tools.
  • Interactive topology: Uses a color-coded and interactive graphic topology to display user and group access to illuminate exposures and risky relationships.
  • Threat detection: Implements a robust range of indicators of exposure (IoE) and indicators of attack (IoA) to provide alerts prioritized by asset criticality.
Tenable Identity Exposure topology.

Tenable Identity Exposure provides a full spectrum of Active Directory defense, but depends upon SOAR for automated response to attacks. For similar capabilities and fully automated defense, consider Varonis for Active Directory.

Varonis Data Security Platform: Best for Integrated Data Discovery

Overall Rating: 4.3/5

  • Audit and harden features: 4.7/5
  • Monitoring, response, and recovery features: 4.6/5
  • Ease of use: 4.2/5
  • Price and value: 3.5/5
  • Support availability: 3.2/5

The cloud-native Varonis for Active Directory not only provides a full range of identity threat detection and response (ITDR) features; the platform also finds, classifies, and labels sensitive data to define the most critical assets to protect. In addition to protecting identity, Varonis integrates advanced user and entity behavior analytics (UEBA) capabilities and data protection capabilities to provide holistic user and data tracking, monitoring, and protection.

Pros

  • No agent required for installation
  • Provides APIs for SIEM and other integrations
  • Includes least privilege automation

Cons

  • Only available as a SaaS solution
  • Doesn’t check password strength or compromise
  • No pricing transparency

Pricing

  • Varonis Data Security Platform: Licensed per user, contact for quote
  • Customer support: Standard business hours or premium 24/7 support levels
  • Free trial: 30 days
  • Free demo: Contact to schedule

Key Features

  • Analyzed data: Discovers and classifies data types across local and cloud resources to detect sensitive data locations, access, and users.
  • Automated actions: Enables pre-set alerts and actions to automatically react to and block various AD attacks, such as Kerberoasting, DCSync, or DCShadow.
  • Extensive logs: Tracks all changes performed in AD with who, what, and when details, and alerts on changes outside of change control windows and other critical issues.
  • Live updates: Constantly adds threat models to the SaaS tool based on active threats observed, protecting all customers against the latest attacks.
  • Prioritized alerts: Ranks users, assets, and threat models to enable efficient analysis of alerts based on threat levels to priority assets and protected data.
Varonis for Active Directory dashboard.

The Varonis Data Security Platform provides powerful capabilities, but only as a SaaS provider that tracks and receives all access information. For similar capabilities and options for a fully-on-site installation, consider Tenable Identity Exposure.

CrowdStrike Falcon Identity Protection: Best for Integrated EDR

Overall Rating: 4.1/5

  • Audit and harden features: 4.7/5
  • Monitoring, response, and recovery features: 4.5/5
  • Ease of use: 3.4/5
  • Price and value: 3.7/5
  • Support availability: 2.9/5

CrowdStrike Falcon Identity Protection provides good auditing and stellar AD threat detection and active protection. Some customers will purchase the tool separately, but many will opt to add Identity Protection through existing endpoint detection and response (EDR) or extended detection and response (XDR) agents. Once combined, CrowdStrike provides unified endpoint and ITDR protection.

Pros

  • Monitors AD, Entra ID, Okta, and more
  • AI-enhanced attack detection
  • Offers free identity security risk review

Cons

  • Only available as SaaS
  • Requires an installed agent
  • Attack path analysis may require other licenses

Pricing

  • Falcon Identity Protection: $61+ per user, some connectors extra
  • Customer support: Standard, Express, Essential, and Elite support levels available
  • Free trial: 15 days
  • Free demo: Tuesdays or on-demand

Key Features

  • Dynamic MFA: Enforces multi-factor authentication (MFA) conditionally depending upon risk factors such as asset value and potential compromise.
  • Guided onboarding: Provides premium support customers with onboarding webinars, kick-off calls, and up to 90 days of support for installation, configuration, and integration.
  • Password protection: Inspects password hashes for strength and potential compromise; compromised passwords can be automatically reset.
  • Real-time alerts: Dynamically detects changes and potential compromise of AD and the endpoint to send rapid alerts for automatic action or prompt investigation.
  • Unified action: Enables coordinated endpoint and AD actions to quickly detect lateral movement and block access to both identity resources and the endpoint device.
Falcon Identity Protection dashboard.

CrowdStrike’s integrated network security solution might be less attractive for customers that use non-CrowdStrike solutions for endpoint protection. For a local-installation option without endpoint security conflicts, consider Semperis Directory Services Protector.

SolarWinds ARM: Best for Integrated AD Operations

Overall Rating: 4.1/5

  • Audit and harden features: 4.6/5
  • Monitoring, response, and recovery features: 3.9/5
  • Ease of use: 3.8/5
  • Price and value: 4.0/5
  • Support availability: 3.6/5

SolarWinds Access Rights Manager (ARM) combines Active Directory auditing and AD operations, allowing IT teams to save time by automating password resets and delegating rights management to group managers. The tool also scored highest for both support availability and price and licensing information, thanks to clear pricing, 24/7 phone support, onboarding support options, and robust self-help documentation.

Pros

  • Can fully provision or deprovision users
  • Role-specific templates
  • Clear pricing options and an extended free trial

Cons

  • Weak threat detection capabilities
  • Reports don’t support investigation well
  • No real-time alerts on changes

Pricing

  • SolarWinds Access Rights Manager: $2,083+ depending upon purchase option (perpetual license + annual maintenance, annual subscription, multi-year subscription, etc.)
  • SolarWinds ARM Audit Edition: Includes permissions analysis, auditing, monitoring, risk analysis overview, and Windows distributed file system scans
  • SolarWinds ARM Full Edition: Adds risk management, user provisioning, delegation of access rights management, self-service permissions, and remediation options
  • Purchase options: Perpetual license with annual maintenance, subscription
  • Customer support: Premium support is available, contact sales for more information
  • Free trial: 30 days
  • Free demo: Contact to schedule

Key Features

  • Accelerated management: Combines operations and security auditing for faster, more accurate management of user provisioning, password resets, and access control.
  • Expanded support: Extends typical AD and Entra AD support to include access provisioning and auditing for EMC, SAP, SharePoint, OneDrive, and more.
  • Reduced bandwidth: Reduces network bandwidth requirements through optional ARM collectors installed in geographically remote locations.
  • Robust reporting: Provides customizable report templates for a variety of AD change, security risk, and compliance reports (GDPR, HIPAA, etc.).
  • Self-service portal: Eliminates management overhead with a web-based self-service permissions portal so users can request access rights directly.
SolarWinds ARM users and groups report.

SolarWinds provides an effective blend of AD operations and auditing, but lacks threat detection and forensic investigation features. For a more full-range, on-site tool with robust compliance reporting capabilities, consider Netwrix Auditor.

Netwrix Auditor: Best for Compliance Reporting

Overall Rating: 4/5

  • Audit and harden features: 4.7/5
  • Monitoring, response, and recovery features: 5.0/5
  • Ease of use: 3.2/5
  • Price and value: 2.9/5
  • Support availability: 2.5/5

Netwrix Auditor anchors the Netwrix suite of AD tools and provides its templated and customizable reports. Automated report options and on-demand customization will satisfy broad compliance requirements by documenting user access to regulated data in detail and as needed. These tools combine to earn the top score for monitoring, response, and recovery features and provide strong overall security for AD as well.

Pros

  • All data stays local
  • Optional AD backup and recovery tool
  • Real-time alerts and

Cons

  • Requires multiple licenses to fully secure AD
  • Unclear licensing and pricing requirements
  • Requires multiple dashboards to operate

Pricing

  • Free Auditor Community Edition: One AD domain, most features, and limited support
  • Auditor Business Essentials: Full support, more features, 250 users, contact for quote
  • Auditor Enterprise Advanced: Full audit features, contact for quote
  • GroupID: Formerly Imanami GroupID, contact for quote
  • Threat Manager: Formerly StealthDEFEND, contact for quote
  • Recovery of Active Directory: Formerly StealthRECOVER, contact for quote
  • Customer support: All paid customers enjoy the same level of tech support
  • Free trial: 20 days
  • Free demo: Contact Netwrix for a one-to-one demo or launch the in-browser demo

Key Features

  • Robust compliance: Provides customizable report templates for extensive compliance standards such as HIPAA, ISO/IEC 27001, PCI DSS v3.2, FERPA, SOX, and more.
  • Anomaly detection: Creates benchmark activity profiles, provides adjusted risk profiles, and issues alerts based on anomalous user behavior.
  • Broad automation: Schedules compliance reports to send automatically, enables user self-service, and triggers automated remediation tasks based on events.
  • Integrated operations: Automates password reset, enables delegation of rights management, and takes operations burdens off of the help desk team.
  • Wide support: Extends capabilities beyond AD to encompass access monitoring for Microsoft 365, Exchange, SharePoint, NetApp, SQL Server, VMware, and more.
Netwrix Auditor anomaly detection.

Netwrix offers a robust solution for AD protection, but some buyers will balk at the number of tools to purchase, and operations teams may prefer a single management console. For a consolidated security and operations tool, consider SolarWinds Access Rights Manager (ARM).

Semperis Directory Services Protector: Best for Free Tool Options

Overall Rating: 4/5

  • Audit and harden features: 4.8/5
  • Monitoring, response, and recovery features: 4.9/5
  • Ease of use: 3.5/5
  • Price and value: 2.0/5
  • Support availability: 3.4/5

Semperis Directory Services Protector (DSP) delivers the core of the Semperis Identity Resilience Platform, complemented by two powerful free tools: Purple Knight and Forest Druid. Many teams start with Purple Knight’s user auditing or Forest Druid’s attack path mapping for initial security and then graduate to DSP or other Semperis modules as needs and sophistication grow. The lightweight free software requires no integration and has low system requirements.

Pros

  • Many components run without installation
  • 24/7 phone support for paid customers
  • Real-time notifications

Cons

  • Uses many tools and dashboards to protect AD
  • Opaque pricing and licensing options
  • Doesn’t check for weak or breached passwords

Pricing

  • Purple Knight: Free AD assessment tool
  • Forest Druid: Free AD forest attack path discovery tool
  • Contact for quote: Directory Services Protector, Active Directory Forest Recovery (ADFR), Disaster Recovery for Entra Tenant, Migrator for Active Directory
  • Customer support: All paid customers enjoy the same level of tech support
  • Free trial: Doesn’t offer a free trial, but has free tools
  • Free demo: Contact to schedule

Key Features

  • Assisted investigation: Enables forensic and incident investigation of AD changes and potential attacks with detailed records and even optional investigation consulting.
  • Free tools: Provide even the smallest business with resources to perform AD assessments (Purple Knight) or inspect AD forests (Forest Druid).
  • Fully local: Software installs on local servers to assess data and store information locally, with no shared data sent back to Semperis or cloud servers.
  • Interactive discovery: Offers fully interactive attack path discovery through Forest Druid with a graphically intuitive mapping of user and group access.
  • Resilient recovery: Backs up AD and Entra data and configurations for faster recovery from small and large changes, including complete failure.
Semperis Forest Druid attack path visualization.

Semperis focuses on providing modular on-site flexibility, but some organizations prefer to outsource the infrastructure and management of AD security. Such organizations may prefer to consider an integrated SaaS provider, such as CrowdStrike Falcon Identity Protection.

Top 5 Features of Active Directory Security

The top five features of Active Directory security harden AD, monitor it, and enable quick reactions to attacks. They are inspection of the connections within the AD forest, integration with existing security infrastructure, change auditing, real-time alerts, and inspection of user and group permissions.

AD Forest Inspection

AD forest inspection examines the connections between assets (data, devices, etc.), users (individuals, system functions, APIs, etc.), and groups (authorization categories). The examination focuses on Tier 0 assets, which can directly control the most sensitive levels of Active Directory, and checks for excessive permissions and dangerous attack paths.

Alert & Log Integration

Security professionals require alerts and logs from AD security to integrate with existing SIEM, SOAR, and other network security tools. The sheer volume of information coming from security infrastructure will quickly overwhelm a team if they need to implement, learn, and monitor separate processes just for Active Directory.

AD Changes Auditing

AD security tools monitor and record details of changes to Active Directory and permit change auditing to verify that each change was legitimate. All tools need to record changes; better tools enable roll-back of unauthorized changes, and the best tools can automatically detect and reverse unapproved changes.
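As an added illustration of the change auditing described above, and of the alerting on changes outside change-control windows that tools such as Varonis advertise, the following Python script is example code written for this article, not code from any vendor's product. It replays a handful of constructed Windows Security event records against one approved change window and flags what a security team would want to see first. Event IDs 4728, 4732, 4756, 4720, and 4724 are the standard Windows IDs for group-membership additions, account creation, and password resets; the window, the Tier 0 group list, the actor names, and the events themselves are assumptions built for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Windows Security event IDs that record directory changes (standard IDs).
GROUP_MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
USER_CREATED = 4720
PASSWORD_RESET = 4724

# Tier 0 groups: any membership change here is alerted regardless of window.
TIER0_GROUPS = frozenset({"Domain Admins", "Enterprise Admins",
                          "Schema Admins", "Administrators"})


@dataclass(frozen=True)
class Window:
    """An approved change-control window (UTC)."""
    start: datetime
    end: datetime

    def contains(self, t: datetime) -> bool:
        return self.start <= t <= self.end


@dataclass(frozen=True)
class Finding:
    severity: str      # "critical" or "high"
    event_id: int
    actor: str
    target: str
    when: datetime
    reason: str


def in_change_window(t: datetime, windows) -> bool:
    return any(w.contains(t) for w in windows)


def audit_changes(events, windows, tier0=TIER0_GROUPS):
    """Return findings for AD changes that are risky or outside an approved window."""
    findings = []
    for e in events:
        eid, t, actor = e["event_id"], e["time"], e["actor"]
        if eid in GROUP_MEMBER_ADDED:
            group = e["group"]
            target = f'{e["member"]} -> {group}'
            if group in tier0:
                findings.append(Finding("critical", eid, actor, target, t,
                                        f"membership change to Tier 0 group '{group}'"))
            elif not in_change_window(t, windows):
                findings.append(Finding("high", eid, actor, target, t,
                                        f"{GROUP_MEMBER_ADDED[eid]} group change outside change window"))
        elif eid == USER_CREATED and not in_change_window(t, windows):
            findings.append(Finding("high", eid, actor, e["member"], t,
                                    "account created outside change window"))
        elif eid == PASSWORD_RESET and e["member"] != actor \
                and not in_change_window(t, windows):
            findings.append(Finding("high", eid, actor, e["member"], t,
                                    "password reset of another account outside change window"))
    return findings


def summarize(findings) -> dict:
    """Count findings by severity, e.g. {'critical': 1, 'high': 2}."""
    return dict(Counter(f.severity for f in findings))


def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample data: one approved Saturday-night window ...
SAMPLE_WINDOWS = [Window(utc(2024, 5, 11, 22, 0), utc(2024, 5, 12, 0, 0))]

# ... and five constructed event records, as a SIEM might normalise them.
SAMPLE_EVENTS = [
    {"event_id": 4728, "time": utc(2024, 5, 11, 2, 14), "actor": "svc-backup",
     "member": "jdoe", "group": "Domain Admins"},            # Tier 0 -> critical
    {"event_id": 4728, "time": utc(2024, 5, 11, 22, 30), "actor": "admin.alice",
     "member": "bob", "group": "Finance-RO"},                # inside window -> ok
    {"event_id": 4732, "time": utc(2024, 5, 13, 9, 5), "actor": "admin.alice",
     "member": "bob", "group": "Remote Desktop Users"},      # outside window -> high
    {"event_id": 4720, "time": utc(2024, 5, 11, 22, 45), "actor": "admin.alice",
     "member": "new.hire"},                                  # inside window -> ok
    {"event_id": 4724, "time": utc(2024, 5, 13, 3, 0), "actor": "svc-backup",
     "member": "admin.alice"},                               # outside window -> high
]

if __name__ == "__main__":
    found = audit_changes(SAMPLE_EVENTS, SAMPLE_WINDOWS)
    for f in found:
        print(f"[{f.severity.upper()}] {f.when:%Y-%m-%d %H:%M}Z event {f.event_id} "
              f"by {f.actor}: {f.target} ({f.reason})")
    print(summarize(found))
```

The point of the design is the ordering: a Tier 0 membership change is critical whether or not it falls inside a window, because an approved window is not an approval of that specific change, while routine changes are only escalated when they fall outside the window. A production version would feed the same findings into the SIEM rather than print them.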

Real-Time Alerts

Real-time alerts enable security teams to capture information on potential threats promptly and react quickly. In an environment of continuous attacks, security teams can no longer wait to check log files individually and require systems to identify, prioritize, and rapidly bring potential threats to the forefront.

User & Group Access Auditing

User and group access auditing inspects access rights for individuals and the user group classifications used to manage group permissions. AD provides manual functionality, but effective AD security tools enable users to quickly expose potentially dangerous issues such as excessive administrator rights, weak passwords, non-expiring passwords, and continuing access for terminated employees.
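The forest inspection and user and group auditing described in the two sections above share one data model: users, groups, and the nested memberships between them. The Python below is an added example written for this article (not code from Purple Knight, Forest Druid, or any other tool on this page) that resolves nested group membership to find every account that effectively reaches a Tier 0 group, and then runs the common hygiene checks over a constructed directory snapshot: non-expiring passwords, passwords not required, Kerberos pre-authentication disabled, stale passwords, and enabled accounts that an HR feed says have left. The userAccountControl bit values are the standard Active Directory ones; the groups, users, HR list, and allow-list are assumptions built for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# userAccountControl flag bits (standard Active Directory values).
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQUIRE_PREAUTH = 0x400000

# Built-in groups that can directly control the directory.
TIER0_GROUPS = ("Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators")


@dataclass(frozen=True)
class User:
    name: str
    uac: int                 # userAccountControl
    pwd_last_set: datetime   # pwdLastSet converted to an aware datetime


def expand_group(groups, name):
    """Resolve nested membership of group `name`.

    Returns {user: [group, nested group, ...]}, the chain through which each
    user reaches `name`. Cycles between groups are tolerated."""
    reached, visited = {}, set()
    stack = [(name, [name])]
    while stack:
        group, path = stack.pop()
        if group in visited:
            continue
        visited.add(group)
        for member in groups.get(group, ()):
            if member in groups:                    # nested group: keep walking
                stack.append((member, path + [member]))
            else:
                reached.setdefault(member, path)    # user: keep the first path found
    return reached


def effective_tier0(groups):
    """Map every user with direct or nested Tier 0 membership to the path that grants it."""
    tier0 = {}
    for g in TIER0_GROUPS:
        for user, path in expand_group(groups, g).items():
            tier0.setdefault(user, path)
    return tier0


def audit_users(users, groups, hr_terminated, now, allowed_tier0=frozenset(), max_pwd_age_days=365):
    """Return (user, issue) pairs for the exposures a directory audit looks for."""
    tier0 = effective_tier0(groups)
    findings = []
    for u in users:
        if u.uac & ACCOUNTDISABLE:
            continue   # disabled accounts are not an immediate exposure
        if u.name in hr_terminated:
            findings.append((u.name, "terminated employee still enabled"))
        if u.uac & DONT_EXPIRE_PASSWORD:
            findings.append((u.name, "non-expiring password"))
        if u.uac & PASSWD_NOTREQD:
            findings.append((u.name, "password not required"))
        if u.uac & DONT_REQUIRE_PREAUTH:
            findings.append((u.name, "Kerberos pre-authentication disabled"))
        if (now - u.pwd_last_set).days > max_pwd_age_days:
            findings.append((u.name, f"password older than {max_pwd_age_days} days"))
        if u.name in tier0 and u.name not in allowed_tier0:
            findings.append((u.name, "Tier 0 rights via " + " > ".join(tier0[u.name])))
    return findings


def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


# Constructed directory snapshot (not real data): group -> direct members,
# where a member that is itself a key of GROUPS is a nested group.
GROUPS = {
    "Domain Admins": ["admin.alice", "Helpdesk-Leads"],
    "Helpdesk-Leads": ["carol", "Helpdesk"],
    "Helpdesk": ["dave", "svc-scan"],
    "Finance-RO": ["bob", "erin"],
}
USERS = [
    User("admin.alice", NORMAL_ACCOUNT, utc(2024, 3, 1)),
    User("carol", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, utc(2022, 1, 15)),
    User("dave", NORMAL_ACCOUNT, utc(2024, 4, 10)),
    User("svc-scan", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQUIRE_PREAUTH, utc(2024, 1, 1)),
    User("bob", NORMAL_ACCOUNT | PASSWD_NOTREQD, utc(2024, 2, 1)),
    User("erin", NORMAL_ACCOUNT | ACCOUNTDISABLE, utc(2023, 6, 1)),
    User("frank", NORMAL_ACCOUNT, utc(2024, 3, 5)),
]
HR_TERMINATED = {"erin", "frank"}          # constructed HR feed of departed staff
ALLOWED_TIER0 = frozenset({"admin.alice"}) # accounts expected to hold Tier 0 rights
NOW = utc(2024, 5, 13)

if __name__ == "__main__":
    for user, issue in audit_users(USERS, GROUPS, HR_TERMINATED, NOW, ALLOWED_TIER0):
        print(f"{user:12} {issue}")
```

The nested-group walk is the part a manual review most often misses: in the sample data, dave and the svc-scan service account never appear in Domain Admins directly, yet both reach it through two levels of nesting, which is exactly the kind of path a forest inspection tool draws. Real deployments would read the same attributes from LDAP rather than a hard-coded snapshot.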

How I Evaluated the Best Active Directory Security Tools

The evaluation of the AD security tools weighed five different criteria, with the most emphasis placed on overall features. Each category contained a number of sub-criteria with their own weights that helped produce a five-point rating for each category and in total. After determining the top six tools based on their overall score, I considered the tools’ pros, cons, and features to identify strong use cases for each solution.

Evaluation Criteria

To evaluate the tools, I focused primarily on the breadth of features needed for Active Directory security. Next, I considered usability, support availability, and price and licensing information.

  • Audit and harden features (30%): Assesses tool capabilities to check accounts for vulnerabilities, identify attack paths, harden security, and manage rights effectively.
  • Monitoring, response, and recovery features (30%): Examines tool capabilities to monitor changes, issue alerts, aid investigations, and provide compliance reports.
  • Ease of use (15%): Considers the number of installations, dashboards, and agents to provide AD security, other identities managed (Okta, 365, etc.), and installation options.
  • Price and licensing info (15%): Bases evaluations on price and licensing information transparency, the number of licenses required, and free tools and trials available.
  • Support availability (10%): Considers the different support options for everyday use and initial installation, support hours, and premium support options.

Frequently Asked Questions (FAQs)

How Are AD Security Tools Helpful?

AD security tools help manage Active Directory more intuitively, rapidly, and comprehensively to tighten control over the critical functions that AD delivers. They also analyze existing identities for potential issues, track changes for signs of malicious activity, and provide alerts for any detected attacks.

What Is the Difference Between AD Security & ITDR?

AD security secures the lightweight directory access protocol (LDAP) functions delivered by AD and similar tools. Identity threat detection and response (ITDR) expands the scope to include integration with MFA, SOAR, identity and access management (IAM), privileged access management (PAM), and other tools for a more comprehensive overview and tighter integration into the security stack.

How Does AD Security Satisfy Compliance Requirements?

AD security adds controls to protect the access management required by all major cybersecurity compliance standards. AD security tool reports should directly provide evidence that user activity and data access fall within specific compliance requirements, sparing the organization additional effort at each regular compliance review.

Bottom Line: AD Security Provides Fundamental Protection

Active Directory stores access permissions and authorizations throughout a network and literally defines who holds the keys to the kingdom. Make sure to implement effective AD security to give this critical component the protection and monitoring necessary to serve as a foundation for the rest of an organization’s security stack. Start by selecting the most promising option and experience a demo or try out the free version.

This article explains how to secure AD against future attacks, but to determine if past attacks have been successful, read about how to tell if Active Directory is compromised.


The post Top 6 Active Directory Security Tools for Auditing, Monitoring & Protection appeared first on eSecurity Planet.

Vulnerability Recap 5/13/24 – F5, Citrix & Chrome
https://www.esecurityplanet.com/threats/vulnerability-recap-may-13-2024/ (Mon, 13 May 2024)

Catch up on the latest vulnerabilities and updates announced in the week up to May 13, 2024, from F5, Citrix, Chrome, and more.

Big vendor vulnerabilities from F5, Citrix, and Chrome will lead the headlines with highly dangerous vulnerabilities in popular products. However, the most dangerous vulnerabilities might be the lesser known Tinyproxy and Cinterion Cellular Modem flaws.

Small business owners tend to adopt Tinyproxy and also tend to rely on part-time IT resources, which potentially exposes the supply chains they belong to as third-party risk. At the other end of the supply chain, many vendors build Cinterion cellular modems into their internet-of-things (IoT) or operational technology (OT) equipment such as sensors, meters, or even medical devices. How long will it take to address these supply chain issues?

The average company probably won’t know about a problem until they’re under attack. Fortunately, the stress and high expense of attacks can be avoided by proactively tracking assets, staying informed, and allocating some resources to eliminating vulnerabilities before they become ballooning disasters.

May 5, 2024

Tinyproxy Vulnerability Potentially Exposes 50,000+ Hosts

Type of vulnerability: Use after free.

The problem: Cisco Talos researchers published a proof of concept for CVE-2023-49606 and Censys detected over 50,000 potentially vulnerable Tinyproxy hosts. Tinyproxy provides a lightweight, open-source HTTP/S proxy adopted by individuals and small businesses for basic proxy functionality. Attackers can send specially crafted HTTP Connection headers to trigger memory corruption, cause denial of service (DoS), and possibly remote code execution (RCE).

The Talos team published that they received no response from the Tinyproxy open-source developers, and therefore they published the proof of concept before a patch was available for this vulnerability with a CVSSv3 rating of 9.8 out of 10. The Tinyproxy team complained that Talos researchers failed to use any of the official channels to contact them when they released the patch. No active exploits are known at this time.

The fix: The next version of Tinyproxy (1.11.2) will contain the security fix, but the fix can be pulled from GitHub and manually applied for at-risk deployments exposed to the internet.

To coordinate tracking and remediating vulnerabilities, consider a vulnerability management solution.

May 8, 2024

Citrix Hypervisor 8.2 CU1 LTSR Requires Manual PuTTY Update

Type of vulnerability: Deterministic cryptographic number generation.

The problem: As disclosed in the April 22nd vulnerability recap, PuTTY didn’t generate sufficiently random numbers for encryption keys. Older versions of XenCenter for Citrix Hypervisor included vulnerable versions of PuTTY, which could allow guests on a VM to determine associated XenCenter administrator SSH private keys.

The fix: XenCenter for Citrix Hypervisor versions from 8.2.7 don’t include PuTTY and require no action. Owners of older versions will need to either:

  • Remove PuTTY components
  • Upgrade PuTTY to at least version 0.81
  • Upgrade XenCenter for Citrix Hypervisor

F5 BIG-IP Next Central Manager Device Takeover Vulnerabilities

Type of vulnerability: OData injection, SQL injection (SQLi).

The problem: F5 patched their unified BIG-IP Next controller, Next Central Manager, to fix a pair of official vulnerabilities: CVE-2024-21793 and CVE-2024-26026. Both flaws rate CVSSv3 7.5 out of 10 and successful exploitation of these vulnerabilities can disclose user and administrator password hashes.

Researchers at Eclypsium published a proof of concept that describes five vulnerabilities, of which only two have been assigned CVE numbers and formally patched by F5. The proof of concept demonstrates that unpatched management consoles may be remotely compromised. Obtaining access to the password hashes from the compromise can lead to complete takeover of the F5 management consoles and, by extension, F5 devices managed by the console.

The fix: All device configurations contain the vulnerabilities. F5 recommends installing BIG-IP Next Central Manager version 20.2.0 or higher.

Unsure if your systems remain vulnerable? Consider performing a penetration test on specific systems.

May 9, 2024

Google Patches Actively Exploited Zero-Day Vulnerability in Chrome

Type of vulnerability: Use after free.

The problem: Google sent out Windows and macOS Chrome updates (Linux to follow shortly) and disclosed their fifth actively exploited vulnerability of 2024: CVE-2024-4671. Anonymous researchers disclosed the flaw, rated CVSSv3 8.8 out of 10, which could trigger data leakage, code execution, or crashing.

The fix: Chrome should update automatically, but may need to be closed and reopened. Users should be encouraged to restart their browsers and can verify installation of the latest version by selecting “Settings > About Chrome.”

May 10, 2024

Telit IoT Cinterion Cellular Modem Flaws With Unknown Threat Scope

Type of vulnerability: Heap overflow, digital signature check bypass, unauthorized code execution, privilege escalation.

The problem: Vendors integrate Telit’s Cinterion modems into internet of things (IoT) devices such as industrial equipment, medical devices, vehicle tracking sensors, and smart meters. The most significant vulnerability, CVE-2023-47610, rates CVSSv3 9.8 out of 10, and researchers at Kaspersky note that exploitation could lead to remote code execution and unauthorized privilege escalation to take over these devices, which are potentially connected to critical infrastructure.

The other vulnerabilities involve mishandling of Java applets running on the IoT devices. Exploitation of these vulnerabilities could expose confidential data and allow the device to provide entry to connected networks. Unfortunately, no comprehensive list exists of devices incorporating the modems that would allow warnings for all vulnerable products, so organizations must proactively investigate for possible exposure.

The fix: Owners of IoT devices with cellular connections should check for the presence of Cinterion modems and for patches through the device manufacturers. Kaspersky recommends disabling non-essential SMS messaging capabilities and using private access point names (APNs) with strict security settings to counter the most critical vulnerability.

The Java applet-handling flaws can be mitigated through strict and rigorous enforcement of digital signature verification for MIDlets. Kaspersky also recommends regular security audits and controlling physical access to the devices.
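Several of the fixes in this recap come down to a version floor: Tinyproxy 1.11.2, PuTTY 0.81, XenCenter 8.2.7, and BIG-IP Next Central Manager 20.2.0. Checking an asset inventory against those floors is where teams most often slip, because comparing version strings as text puts "1.11.2" before "1.9.0". The Python below is an added example written for this article, not a vendor tool, that compares versions numerically and ranks internet-exposed hosts first. The inventory rows and host names are constructed for the example; the version floors are the ones named in the recap entries above.

```python
import re

# Minimum fixed versions named in this recap (from the vendor advisories it cites).
FIXED_VERSIONS = {
    "tinyproxy": "1.11.2",
    "putty": "0.81",
    "xencenter": "8.2.7",
    "big-ip-next-central-manager": "20.2.0",
}


def parse_version(text: str) -> tuple:
    """Turn '8.2.7', 'v0.81' or '20.2.0-build3' into a tuple of ints.

    Comparing tuples avoids the string-comparison trap where '1.11.2'
    sorts before '1.9.0'."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(product: str, installed: str) -> bool:
    """True when the installed version is below the fixed version for that product."""
    return parse_version(installed) < parse_version(FIXED_VERSIONS[product])


def find_exposed(inventory):
    """Return the inventory rows still below the fixed version, urgent ones first."""
    exposed = []
    for row in inventory:
        product = row["product"]
        if product not in FIXED_VERSIONS or not is_vulnerable(product, row["version"]):
            continue
        exposed.append({
            "host": row["host"],
            "product": product,
            "installed": row["version"],
            "required": FIXED_VERSIONS[product],
            # Internet-facing systems go to the top of the remediation queue.
            "priority": "urgent" if row.get("internet_exposed") else "scheduled",
        })
    return sorted(exposed, key=lambda r: (r["priority"] != "urgent", r["host"]))


# Constructed asset inventory (not real hosts); a real one would come from a CMDB or scanner export.
INVENTORY = [
    {"host": "proxy-01", "product": "tinyproxy", "version": "1.11.1", "internet_exposed": True},
    {"host": "proxy-02", "product": "tinyproxy", "version": "1.11.2", "internet_exposed": False},
    {"host": "ops-ws-07", "product": "putty", "version": "0.80"},
    {"host": "ops-ws-07", "product": "xencenter", "version": "8.2.6"},
    {"host": "f5-mgmt-01", "product": "big-ip-next-central-manager", "version": "20.1.0"},
    {"host": "f5-mgmt-02", "product": "big-ip-next-central-manager", "version": "20.2.0"},
    {"host": "web-03", "product": "nginx", "version": "1.25.4"},   # not in this recap: skipped
]

if __name__ == "__main__":
    for r in find_exposed(INVENTORY):
        print(f'{r["priority"]:9} {r["host"]:12} {r["product"]} {r["installed"]} -> {r["required"]}')
```

Note that the XenCenter row matters even though XenCenter is not itself the flawed component: the recap states that versions from 8.2.7 no longer bundle PuTTY, so an older XenCenter on a workstation is the signal that a bundled PuTTY may still be present.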


2024 State of Cybersecurity: Reports of More Threats & Prioritization Issues
https://www.esecurityplanet.com/threats/state-of-cybersecurity/ (Thu, 02 May 2024)

Explore key data and conclusions pulled from eight cybersecurity reports, including 1Password, Cisco, CrowdStrike, NetScout, Pentera, and Sophos.

The 2023 vendor surveys arriving this quarter paint a picture of a cybersecurity landscape under attack, with priority issues affecting deployment, alert response, and exposed vulnerabilities. Most organizations express confidence in their current status and budgets, but also expect to experience at least one data breach in 2024.

This picture comes from an analysis of specific statistics and from reading between the lines in reports from 1Password, Cisco, CrowdStrike, Flashpoint, Google Threat Analysis Group/Mandiant, NetScout, Pentera, and Sophos. This article details two major findings from the reports: five major cybersecurity threats and prioritization problems. After covering these findings, we will also briefly provide an overview of the reports themselves.

But first, here are five key cybersecurity takeaways to consider from the reports:

Key cybersecurity takeaway findings

5 Major Cybersecurity Threats

Huge numbers of vulnerabilities and attackers exist and no organization can defend against all of them equally well. Fortunately, vendor surveys identify five key cybersecurity threats to watch for in 2024: compromised credentials, attacks on infrastructure, organized and advanced adversaries, ransomware, and uncontrolled devices. Read on for more details on these threats or jump down to see the linked vendor reports.

Compromised Credentials

Compromised identities from phishing, info stealers, keyloggers, and bad password habits provide the entry point for most ransomware attacks and data breaches. The vendor reports show that most attackers want credentials, most malware development is in credential-stealing software, and the market for stolen credentials is booming:

  • Cisco: Found that 54% of organizations experienced a cybersecurity incident; of those incidents, 54% involved phishing and 37% involved credential stuffing.
  • Sophos: Noted that 43% of all 2023 malware signature updates are for stealers, spyware, and keyloggers, which are often used to steal credentials from devices.
  • CrowdStrike: Detected significant signs of credential theft:
    • 76% YoY increase in victims named on eCrime dedicated leak sites.
    • 20% increase in advertised accesses to specific organizations.
    • 583% increase in Kerberoasting [password hash cracking] attacks.

Attackers can compromise credentials because of extensive user password problems throughout most organizations; however, a number of security solutions provide credentials protection for both basic and advanced needs.

User Password Problems

Although these data points illustrate the magnitude of the problem, they don’t explain why credential theft and credential stuffing work. 1Password reveals that most employees, especially managers, use poor password practices such as “reusing passwords or neglecting to reset the IT-selected defaults.”

Specifically, the password problems that the report reveals are:

  • 61% of [all] employees use poor password practices.
  • 64% of managers and higher admit to poor password practices.
  • 23% use identical passwords or follow a similar pattern.
  • 13% maintain access to company tools or resources after leaving the organization.
  • 9% share credentials for work tools with people outside the company.

Credentials Protection

Despite the increase in attacks, you can deploy many different tools and techniques to protect credentials. First, all organizations need to improve, enforce, and test their password policies not only against complexity and reuse, but also against private and public password breach databases. These steps take some time, but cost no money.
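The paragraph above recommends testing password policy not only for complexity and reuse but also against breach databases. The Python below is an added example written for this article, not code from 1Password or any other vendor named here, that runs those three checks on a candidate password. The breach lookup uses the k-anonymity prefix scheme that public services such as Have I Been Pwned's Pwned Passwords API use: only the first five hex characters of the SHA-1 hash are sent, and the client matches the returned suffixes locally, so the password itself never leaves the organization. Here the service is simulated by a constructed in-memory breach corpus; the reuse check uses a per-user salted PBKDF2 history. The corpus, the user history, and the salt are assumptions built for the example.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Pwned-Passwords-style digest: upper-case hex SHA-1 of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached_passwords):
    """Index breached hashes by their first 5 hex characters, the granularity
    a k-anonymity range lookup works at."""
    index = {}
    for pw in breached_passwords:
        h = sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def range_query(index, prefix: str):
    """Stand-in for the lookup service: given only a 5-char prefix, return every
    matching suffix. The full hash (and the password) never leaves the client."""
    return index.get(prefix, set())


def is_breached(index, password: str) -> bool:
    h = sha1_hex(password)
    return h[5:] in range_query(index, h[:5])


def history_hash(password: str, salt: bytes) -> str:
    """Slow salted hash for the per-user password history (never store plain SHA-1 here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def check_password(password, history, salt, index, min_len=12, min_classes=3):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    if classes < min_classes:
        problems.append(f"fewer than {min_classes} character classes")
    if history_hash(password, salt) in history:
        problems.append("reuses a previous password")
    if is_breached(index, password):
        problems.append("appears in breach corpus")
    return problems


# Constructed breach corpus standing in for a private or public breach database.
BREACH_INDEX = build_range_index(["password", "Password1", "Summer2024!", "letmein", "qwerty123"])
# Constructed history for one user; the salt would normally be random and stored per user.
ALICE_SALT = b"constructed-salt-alice"
ALICE_HISTORY = {history_hash(p, ALICE_SALT)
                 for p in ["Correct-Horse-Battery-1", "Wrong-Horse-Battery-2"]}

if __name__ == "__main__":
    for candidate in ["Summer2024!", "Correct-Horse-Battery-1", "password", "Violet-Kettle-Orbit-77"]:
        print(candidate, "->", check_password(candidate, ALICE_HISTORY, ALICE_SALT, BREACH_INDEX) or "ok")
```

The order of the checks is deliberate: the cheap length and class tests run first, the slow PBKDF2 history comparison next, and the breach lookup last, so a password that fails the basics never needs a network call in a real deployment.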

Additional security all organizations should consider for a modest investment include:

  • Active directory security: Guards the password storage and management system against attack for Windows, Azure, and other equivalent identity management systems.
  • Identity and access management (IAM): Helps improve management of users, single sign-on (SSO), and more in Active Directory through automated workflows.
  • Password manager: Stores passwords securely, enforces quality, permits safe internal and external sharing, and ties into HR software for effective off-boarding of users.
  • Privileged access management (PAM): Improves discovery, procedures, storage, just-in-time deployment, monitoring, and control of privileged access.
  • Multi-factor authentication: Protects stolen credentials against use by requiring more than a simple username and password combination for access to resources.

More sophisticated organizations can further protect identity with investments in tools such as:

  • Application programming interface (API) security: Guards against attacks using program-to-program communication protocols.
  • Risk-based analytics: Considers the level of risk as the context for the level of permission needed to access systems, applications, and data.
  • Passwordless authentication: Eliminates passwords in favor of other types of authentication such as passkeys, SSO, biometrics, or email access.
  • User and entity behavior analytics (UEBA): Monitors behavior of users, hardware, and network traffic to detect and potentially block abnormal and malicious activity.
  • Zero-trust: Treats each access as a separate evaluation for permissions and enables granular levels of access for users, networks, applications, data, and systems.

Infrastructure Attacks

Attacks on infrastructure seek pure disruption, an angle for extortion, or peripheral benefits ranging from advantages in videogames to cover for ransomware activity. Vendor reports note a huge volume of attacks on local and public infrastructure, such as:

  • CrowdStrike: Monitored hacktivist and nation-state distributed denial of service (DDoS) attacks related to the Israeli-Palestinian conflict, including against a US airport.
  • NetScout: Observed 13,142,840 DDoS attacks, including:
    • 104,216 video gaming enterprise attacks.
    • 20,551 gambling industry attacks.
    • 50,000 DDoS attacks on public domain name system (DNS) resolvers.
    • 553% increase in DNS Flood attacks from 1H 2020 to 2H 2023.

DDoS attacks on single networks or websites render them unavailable, but DDoS attacks on DNS resolvers bring down all networks and websites using that DNS resource. NetScout identifies two key issues in stopping DDoS attacks; however, there is also a range of infrastructure protection controls that help to protect DNS and other critical functions.

2 Key DDoS Issues

NetScout identifies two key issues to defeating DDoS attacks: a sophistication gap and outgoing DDoS attacks from company infrastructure. The sophistication gap presents security professionals with the dilemma where “on one end, advanced attackers employ custom tools and cloud infrastructure; on the other, some still use basic, often free services.” Defenders need the tools and the skill to block the entire spectrum of attacks.

Outgoing DDoS attacks originate within corporate infrastructure and can lead to a company being placed on denylists and blocked. Unmanaged outgoing DDoS attacks can damage company reputation, and leaving them unmanaged ignores the fact that a large number of internal devices are showing signs of compromise. Company instructions to keep hands off internal network traffic lead to internet service provider (ISP) suppression of only 1% of the 100,000 monthly outgoing DDoS attacks.
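The outgoing-DDoS problem described above is visible in a company's own flow data long before an ISP acts on it: many internal hosts suddenly pushing a high packet rate at the same external address and port. The Python below is an added example written for this article, not code from NetScout or any other vendor, that buckets outbound flow records per minute and destination and raises an alert when the source count and packet rate both cross a threshold, then lists the participating hosts as candidates for compromise investigation. The flow records are constructed for the example (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the internal address space and thresholds are assumptions a real deployment would tune.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address space treated as "ours"; anything else is external (an assumption for the example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def detect_outbound_floods(flows, bucket_s=60, min_sources=5, min_pps=2000):
    """Group outbound flows per time bucket and destination; alert when many
    internal hosts push a high packet rate at the same external target."""
    buckets = defaultdict(lambda: {"sources": set(), "packets": 0})
    for f in flows:
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # only internal -> external traffic matters here
        key = (f["ts"] // bucket_s * bucket_s, f["dst"], f["dport"], f["proto"])
        buckets[key]["sources"].add(f["src"])
        buckets[key]["packets"] += f["packets"]
    alerts = []
    for (start, dst, dport, proto), b in sorted(buckets.items()):
        pps = b["packets"] / bucket_s
        if len(b["sources"]) >= min_sources and pps >= min_pps:
            alerts.append({"window_start": start, "target": f"{dst}:{dport}/{proto}",
                           "sources": sorted(b["sources"]), "pps": pps})
    return alerts


def compromised_hosts(alerts):
    """Internal hosts that took part in any detected flood: candidates for investigation."""
    return sorted({src for a in alerts for src in a["sources"]})


# Constructed flow records (ts = epoch seconds, packets = packet count for the flow).
BASE = 1715594400  # 2024-05-13 10:00:00 UTC, the start of a one-minute bucket
FLOWS = (
    # eight internal hosts each blasting 30,000 UDP packets at one external resolver
    [{"ts": BASE + i, "src": f"10.0.5.{i}", "dst": "203.0.113.10", "dport": 53,
      "proto": "udp", "packets": 30000} for i in range(1, 9)]
    # ordinary HTTPS traffic from three hosts
    + [{"ts": BASE + 10 * i, "src": f"10.0.1.{i}", "dst": "198.51.100.20", "dport": 443,
        "proto": "tcp", "packets": 200} for i in range(1, 4)]
    # internal-to-internal and inbound flows are ignored by the detector
    + [{"ts": BASE + 5, "src": "10.0.1.1", "dst": "10.0.0.53", "dport": 53, "proto": "udp", "packets": 50000},
       {"ts": BASE + 6, "src": "198.51.100.20", "dst": "10.0.1.2", "dport": 443, "proto": "tcp", "packets": 180}]
)

if __name__ == "__main__":
    found = detect_outbound_floods(FLOWS)
    for a in found:
        print(f'{a["window_start"]} {a["target"]} {a["pps"]:.0f} pps from {len(a["sources"])} hosts')
    print("investigate:", compromised_hosts(found))
```

Requiring both a minimum number of sources and a minimum packet rate keeps a single chatty server, or a legitimate burst of queries to a popular resolver, from tripping the alert; the hosts list is the output that matters, because each one is an internal device behaving as part of a botnet.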

Infrastructure Protection

Defense against DDoS and DNS attacks starts with effective network security architecture. Create redundant systems, hidden from casual access, and protected by load balancing and layers of defense to manage traffic surges until deploying other defenses. Defense can be further improved using:

Organized Adversaries

Nation-state, hacktivist, and organized criminal organizations continue to increase in number, capability, and impact. The vendor reports analyzed trends and found:

  • Cisco: 62% of companies highlighted external actors as the biggest threat versus 31% for internal actors; a huge shift from 2023, which saw the threats as equal.
  • CrowdStrike: Tracked significant increases in organized adversary activity:
    • +34 new adversary groups (+18% of named groups, +35% active).
    • +60% year over year increase in interactive (expert guided) intrusion campaigns.
    • Attackers began to deliver malware to users through legitimate and common IT support tools such as ConnectWise ScreenConnect.
  • Google/Mandiant: Analyzed zero-day exploits by adversaries from 2023 and found:
    • 50% increase in exploited zero-days, to 97.
    • 60% of all mobile and browser zero-days are exploited by spyware vendors.
    • Vendors reduced common vulnerabilities, so attackers shift targets to third-party components (Linux utilities, etc.) and software libraries to attack the supply chain.
  • Sophos: Observed changes in attacker behavior in response to improved defenses:
    • Adopted vulnerable or malicious drivers once Windows blocked macros.
    • Deployed malvertising and SEO poisoning to evade detection tools.
    • Used active multi-email engagements after effective phishing screenings.

No specific tool exists to defend against nation-state attacks, ransomware gangs, or hacktivists. Instead, apply defense in depth, provide employee cybersecurity training, and use threat intelligence platforms to provide general protection and to educate both non-technical and security teams about the latest threats.

Ransomware & Data Theft

Organizations worldwide continue to feel the pain of ransomware attacks, although many ransomware gangs may be shifting to extortion based on data theft rather than on encrypting data. The vendor surveys report that:

  • Cisco: Found that 35% of all attacks in 2023 were ransomware.
  • CrowdStrike: Observed politically affiliated ransomware attacks against Israel.
  • Google/Mandiant: At least four ransomware gangs exploited zero-day vulnerabilities.
  • Sophos: Focused their report on small and medium business (SMB):
    • 70% of ransomware attacks targeted SMBs.
    • > 90% of attacks reported by customers involve data or credential theft.
  • Flashpoint: Gathered statistics on disclosed ransomware and data breaches:
    • +84% global growth year over year in ransomware attacks.
    • Data breaches grew 34.5% globally and 19.8% in the US for 2023.
    • Data breaches grew 30% and ransomware attacks 23% in the first two months of 2024.
    • 60% of all breaches come from the USA.
    • 19.3% of all data breaches came from the MOVEit vulnerability, CVE-2023-34362, including breached third-party data disclosures.
    • > 54% of all data breaches come from ransomware attacks in manufacturing, healthcare, government, financial, retail, and technology industries.

Despite the continuing surge in ransomware attacks, many vendors provide effective solutions to detect, slow, and even block ransomware or data theft attempts before they become crippling events.

Ransomware & Data Theft Protection

Ransomware and data breaches rely primarily on vulnerabilities exposed to the internet, phishing, and the endpoint. All organizations should at least deploy basic security tools to monitor endpoints and secure access points, such as:

  • Antivirus (AV): Provides the most basic malware protection on the endpoint to block known malicious software and protect against basic attacks.
  • Email security tools: Screen emails and attachments for known malware, malicious URLs, and spam before delivery to the end user.
  • Host-based and other firewall types: Filter traffic into the network or at the endpoint for malicious URLs, known malware, and other types of attacks.
  • Secure remote access: Enables encrypted connections between internal network resources and remote users using a variety of methods.

More advanced security tools can incorporate artificial intelligence (AI) or machine learning (ML) to provide automated recognition and remediation for threats. However, also consider deploying specialized tools or tools with expanded capabilities, such as:

Unmanaged Devices

Although organized adversaries continue to launch increasingly sophisticated attacks, most succeed by locating unmanaged and unprotected devices that can access the network or other key assets. Unmanaged devices include a combination of corporate devices without strong policy enforcement, personal devices used for work, unmonitored cloud infrastructure, and obsolete devices no longer maintained. Vendor research specifically finds that:

  • 1Password: Documents the meager control of software and personal device access:
    • 92% of company policies require IT approval for software, but 59% enforce it.
    • 34% of workers use unapproved applications or software.
    • 17% of workers work only on personal or public computers.
  • Cisco: Notes the common access of personal devices and unmanaged cloud hazards:
    • 43% of employees use unmanaged devices to access corporate networks.
    • 20% of employee time is spent on company networks.
    • 27% of all attacks mine cryptocurrencies, usually on unmonitored cloud systems.
  • CrowdStrike: Observes the top attack vector in 2023 and predicts 2024’s targets:
    • Unmanaged network appliances (edge gateway, firewall, virtual private network/VPN) remain the most observed initial access vector exploited in 2023.
    • Attackers will target network peripheral devices: network attached storage (NAS), backup storage, telephones, network equipment, and end-of-life assets.
  • Pentera: Focuses on the top breach origins cited by enterprise clients:
    • 60% remote devices.
    • 54% on-prem infrastructure.
    • 50% cloud targets.
  • Sophos: Finds that unprotected devices are the primary entry point for SMB attacks.

Some unmanaged devices can’t support installed technical controls, and companies often won’t install controls on employee devices. Yet, different security products can still provide defensive measures for unmanaged devices.

Unmanaged Device Defense

Many security tools help to protect against unmanaged devices, but perhaps the first step would be to authorize IT to lock down devices and enforce the requirement that IT grant permission for all software installations. This simple step makes malware installation more challenging and is complemented by other tools that either manage assets or monitor traffic, such as:

  • IT asset management (ITAM): Identifies, tracks and manages devices in the organization to track software licenses, manage updates, and detect anomalies.
  • Intrusion detection or prevention systems (IDS/IPS): Monitors network traffic for known malicious packets, attack patterns, and other indicators of compromise.
  • Network access control (NAC): Checks device status and authorizes users attempting to access the network; can quarantine devices that need remediation.
  • Network monitoring: Tracks behavior, traffic, and health of local and cloud network components for signs of failure and indicators of malicious compromise.
  • Segmentation or micro-segmentation: Segregates the network and can control user, application, and device access in fine detail between segments.

More sophisticated organizations can apply more robust security, such as:

  • Cloud security: Deploys cloud-native or cloud-specific security to monitor and protect cloud infrastructure and assets against attack.
  • Internet of Things (IoT) security: Provides protection for peripherals and devices that can’t support on-device security protection (antivirus, etc.).
  • Security service edge (SSE) or secure access service edge (SASE): Expands security beyond the local network to secure remote and cloud resources.

Cybersecurity Preparedness: A Prioritization Problem

Organizations plan to be secure, yet breaches still occur. It’s always tempting to blame budgets, but most CISOs feel confident about their budgets and have already deployed significant resources. Unfortunately, the vendor surveys reveal that installed tools tend to overload teams already struggling to fill positions, and many vulnerabilities remain unfixed.

Many vendors attempt to address the labor issue with AI or ML enhanced automation. Yet, the prioritization problem will likely persist until vendors provide more transparency for vulnerabilities and organizations practice integrated risk management to tie priorities to the most significant impacts to the business. Let’s examine the funding, alerts, talent shortages, and unaddressed vulnerabilities in more detail.

Funded Cybersecurity Programs, But Still Incomplete

Regarding budgeting, the vendor reports show relative strength:

  • Cisco: Surveyed a broad number of businesses around the world and found:
    • 97% planning to increase spending.
    • 80% feel moderately to very confident in defense.
  • Pentera: Focused on large enterprise CISOs with a minimum of 1,000 employees:
    • 53% report decreasing or stagnating 2024 IT security budgets.
    • $1.27 million per year for the average IT security budget.
    • 51% recorded breaches within the last 24 months.
  • 1Password: 24% of surveyed SMBs describe budgets as inadequate.

So while many large companies are flat or cutting back, the average company plans to increase spending and claims to be confident. Even with budget-conscious SMBs, more than three out of four identify their budget as adequate. Yet, despite some confidence, most security managers also expect failure:

  • 1Password: 79% of security pros don’t feel their security protections are adequate.
  • Cisco: Found similar sentiments from managers and explored breach details:
    • 73% expect business disruption in the next 12-24 months.
    • 52% said previous breaches cost their organization at least US$300,000.
    • 12% said previous breaches cost US$1 million or more.

Breach damages of $300k to $1 million may be within the risk tolerance for some, and many may expect to recoup damages from cybersecurity insurance. Still, keeping the damage from an incident within policy limits runs into the significant challenges we cover below.

Overloaded Alerts

1Password found that 32% of their surveyed security professionals switched security tools or vendors in the past year to ones that provide more complete end-to-end solutions. The motivation for this switch comes from the average number of tools and alerts already in place:

  • 1Password: Probed security responsiveness:
    • 69% are at least partly reactive.
    • 61% are pulled in too many conflicting directions.
  • Cisco: Explored the number of security solutions in the security stack:
    • 67% have 10+ specialty security solutions.
    • 25% have 30+ specialty security solutions.
    • 80% admit multiple solutions slow detection, incident response, and recovery.
  • Pentera: Analyzed the security solutions and alerts for the best funded enterprises:
    • 89% of 1,000+ employee enterprises have at least 20 security solutions.
    • 21% have at least 76 specialty security solutions.
    • 90% report at least 250 security events per week.
    • 30% report at least 1000 security events per week.

The large number of tools generates a flood of alerts (security incidents, vulnerabilities to patch, etc.) and pulls teams in conflicting directions. Large teams might make enough progress to become proactive, but most teams remain understaffed.

Inadequate Talent

Many cybersecurity initiatives fail to progress due to inadequate staffing levels:

  • 1Password: 21% are understaffed, 20% have a lack of internal knowledge or skill sets.
  • Cisco: 90% cite a shortage of talent, with 46% having at least 10 open security team slots.
  • Pentera: 42% don’t conduct pentests more often because of pentester availability.

Lack of staff leads to a number of issues. The most obvious mistakes make headlines, such as the password issues for Okta customers (2022), because staff must remain on call 24/7. Most mistakes remain hidden risks waiting to be exploited – especially in the form of exposed vulnerabilities.

Exposed Vulnerabilities

Most security teams worry the most about zero-day attacks that strike without warning. However, far more concern should be applied to known and unaddressed vulnerabilities:

  • 1Password: 24% have difficulty staying up to date on patch/update cycles.
  • Flashpoint: Investigated the severity and exploits of vulnerabilities:
    • 52% of vulnerabilities rate high to critical.
    • 35% of vulnerabilities have publicly known exploits.
  • Pentera: Probed how security professionals decide which vulnerabilities to prioritize:
    • 34% based on business impact.
    • 40% based on CVSS scores.
    • 44% based on vendor risk scoring.

Almost one out of four organizations struggle to keep up with patching, which starts to sound acceptable until an organization considers vendors and suppliers. Suddenly, the specter of third-party risk becomes more pronounced when it becomes probable that at least part of every supply chain will have exposed vulnerabilities.

Additionally, two out of five prioritize based on formal vulnerability ratings, but Flashpoint notes that over 100,000 vulnerabilities lack a tracking ID number, including prominent vendors such as Apache, Google, Microsoft, and Zoho. Attackers actively exploit hundreds of these non-tracked vulnerabilities in the wild, and this doesn’t even include disputed vulnerabilities such as the ShadowRay AI framework exposure.

Penetration tests can uncover both exposed and unacknowledged vulnerabilities, but most penetration tests don’t cover a full organization.

Partial Penetration Testing

Penetration testing verifies existing controls, uncovers mistakes, and reveals exposed assets before an attacker can exploit them. Yet, Pentera finds that even well-funded organizations struggle to conduct sufficient pentests:

  • 73% change systems significantly in a quarter, while only 40% pen test quarterly.
  • Organizations selectively test infrastructure:
    • 49% test cloud resources.
    • 49% test external facing assets.
    • 44% test priority internal network assets.
    • 15% test individual applications.
  • 31% conduct pentesting to assess the potential damage of a successful attack.

When even the best-funded organizations struggle, we can easily see why breaches remain common. Close to one out of three organizations conducting pentests do so retroactively as part of a breach investigation. This reveals the price to pay for exposed vulnerabilities, understaffed teams, and alert overload: always playing catch-up instead of staying ahead of breaches.

About the Sources

This article pulls from eight vendor reports on 2023 trends from 1Password, Cisco, CrowdStrike, Flashpoint, Google Threat Analysis Group/Mandiant, NetScout, Pentera, and Sophos:

Bottom Line: The Current Cybersecurity Status Needs Improvement

The 2023 reports depict an acceptable, but hardly stellar, cybersecurity environment in which security professionals are almost as confident in a coming business disruption (73%) as in their readiness (80% moderately to very confident). Of course, labor shortages, alert overload, and exposed vulnerabilities provide both excuses and reasons for breaches.

Many solutions exist, but the correct solution depends on current network architecture, existing security investments, and fit with existing strategies. Some should embrace AI to automate remediation, some should pursue platforms to consolidate alerts, and some should outsource to managed security service providers (MSSPs). To make 2024 successful, explore options now to shift your organization from reactive to prepared.

To explore the outsourcing option for security, consider reading more about managed security service providers (MSSPs).

The post 2024 State of Cybersecurity: Reports of More Threats & Prioritization Issues appeared first on eSecurity Planet.

]]>
Vulnerability Recap 4/29/24 – Cisco, Microsoft, Palo Alto & More
https://www.esecurityplanet.com/threats/vulnerability-recap-april-29-2024/
Mon, 29 Apr 2024 20:18:24 +0000
https://www.esecurityplanet.com/?p=35128

Catch up on the vulnerabilities, updates, and workarounds preceding the week of April 29, 2024, from Cisco, Microsoft, Palo Alto, and more.

The post Vulnerability Recap 4/29/24 – Cisco, Microsoft, Palo Alto & More appeared first on eSecurity Planet.

]]>
Many of this week’s disclosures involve new aspects of old vulnerabilities. Palo Alto’s Pan-OS flaw impacts Siemens products and receives new remediation instructions. An old Microsoft Windows spooler flaw is added to the CISA KEV list, and the Cactus Ransomware gang currently pursues unfixed Qlik Sense servers with a vulnerability patched in September 2023.

Both new and old vulnerabilities can be exploited by an attacker with suitable skills, regardless of the CVSS score severity. Many organizations seem to be struggling to keep up with patching and updating backlogs, which suggests that more of them need outside help from patch management as a service or managed service providers (MSPs) to catch up.

April 22, 2024

CISA Adds 2022 Windows Print Spooler Vulnerability to KEV Catalog

Type of vulnerability: Elevation of privilege.

The problem: Microsoft Threat Intelligence published a report on how a Russian threat group, known as APT28 or Forest Blizzard, used customized malware to exploit the CVE-2022-38028 vulnerability in the Windows Print Spooler to gain elevated permissions. Although Microsoft fixed the flaw in the October 2022 updates, it notes that the vulnerability may have been exploited as a zero-day as early as April 2019.

The fix: Microsoft fixed this vulnerability in their October 2022 patches, but didn’t disclose active exploitation of the vulnerability until this month. The exploitation disclosure led the US Cybersecurity and Infrastructure Security Agency (CISA) to add the vulnerability to the known exploited vulnerabilities (KEV) catalog. Federal agencies have until May 14, 2024, to apply patches or disable vulnerable software.

Consider reading more about forensic tools and processes to investigate attacks.

April 23, 2024

Palo Alto Updates Pan-OS Remediation & Siemens RUGGEDCOM Impacted

Type of vulnerability: Command injection vulnerability.

The problem: The CVSS 10.0/10.0 Pan-OS vulnerability, CVE-2024-3400, makes this recap for the third consecutive week thanks to a new disclosure from Siemens and a revised remediation from Palo Alto. Siemens issued a notice that the RUGGEDCOM APE 1808, an industrial platform hardened for harsh physical environments, could come pre-installed with Palo Alto next generation firewalls vulnerable to the Pan-OS vulnerability.

The fix: Siemens recommends customers contact customer service for patches or apply mitigations: disable GlobalProtect gateway and GlobalProtect portal (disabled by default) or apply Threat Prevention subscription blocks.

Palo Alto also revised their remediation, which now advises four potential levels of fixes (after installing the latest PAN-OS hotfix) based upon detected compromise levels:

  1. Unsuccessful exploitation attempt: Create a master key and select AES-256-GCM.
  2. Vulnerability tested, 0-byte file created, no indication of unauthorized command injection: Perform the same remediation as exploit level 1.
  3. A file is found copied to a location accessible via web request (typically running_config.xml): Perform a Private Data Reset of the device.
  4. Interactive command execution evidence detected (shell-based back doors, introduction of code, etc.): Perform a Factory Reset and reconfigure the device.

Warning: Performing the last two fixes will destroy data and eliminate the possibility to capture forensic artifacts. Destruction of forensic artifacts will prevent incident response investigations and criminal investigations, and could affect cybersecurity insurance processes.

10.0 Flowmon Vulnerability Threatens a Small Number of Huge Customers

Type of vulnerability: Command injection vulnerability.

The problem: Progress Software released patches to fix CVE-2024-2389 in their Flowmon network performance and security software tool. In a proof of concept published by Rhino Security, a specially crafted application programming interface (API) command allows system commands without authentication and permits full compromise of the Flowmon server with root permissions.

Although internet-exposed device search engines such as Shodan show fewer than 100 servers exposed to the internet, Flowmon’s customers tend to be the largest enterprises, such as KIA, Orange, TDK, and Volkswagen. This network software requires full access to the network to function, so a compromise of the server provides attackers with enormous access to the enterprise.

The fix: Patch Flowmon immediately to version 11.1.14 or 12.3.5 and upgrade all Flowmon modules to the latest available versions. There is no workaround available, and the published proof of concept will probably allow attacks in the near future.

Attackers can easily exploit 10.0 vulnerabilities, so be prepared and develop an incident response plan.

April 24, 2024

Cisco Patches Firewall Vulnerabilities Actively Exploited for Espionage

Type of vulnerability: Command injection vulnerability, denial of service, persistent local code execution.

The problem: Members of the Cisco Talos and Duo Security Research team uncovered zero-day flaws, exploited in a campaign named ArcaneDoor, actively used by state actors to exfiltrate network data through Adaptive Security Appliances (ASAs) and Firepower Threat Defense. The initial access vector remains unknown, but indicators of compromise include gaps in logging, unexpected reboots, and access from a set of IP addresses suspected to be controlled by the adversary.

Cisco suspects the attacker began exploitation as early as July 2023, and the UK, Canadian, and Australian cybersecurity agencies issued a joint advisory. Cisco’s announcement and the advisory explain how attackers used the flaws to exfiltrate device configuration files, disable system logging, and modify configuration to provide authorized direct access for attacker-controlled devices.

The fix: Cisco’s event notice recommends immediate upgrade of affected devices. To check for signs of compromise, Cisco recommends a process to collect data for review by Cisco’s Technical Assistance Center.

Google Patches One Critical & Two High-Severity Chrome Bugs

Type of vulnerability: Out-of-bounds read, type confusion, use-after-free.

The problem: Google released new Chrome versions for Windows, Mac, and Linux to fix multiple security issues and chose to highlight three critical-to-high-severity vulnerabilities reported by security researchers. The critical bug, CVE-2024-4058, could be exploited for arbitrary code execution (ACE) or sandbox escapes.

The fix: For those with Chrome updates automatically enabled, make sure that all users restart their browsers. For manual updates, perform updates promptly.

Broadcom Patches Brocade SANnav Flaw 19 Months After Discovery

Type of vulnerability: Password storage.

The problem: The Brocade management application for storage area networks (SANs), SANnav, operates as a virtual machine that lacks built-in firewalls and can be manipulated into sending credentials in cleartext (HTTP). The latest update addresses 18 vulnerabilities discovered by researcher Pierre Barre (AKA Pierre Kim), who disclosed that he brought these issues to Broadcom 19 months ago.

The report timeline reveals that Brocade rejected penetration tests performed in August 2022 and February 2023 because the tests hadn’t been run against the latest version of their software. Only after additional testing in May 2023 did Brocade accept that the vulnerabilities existed, but it did not issue patches until December 2023. Broadcom further embargoed publishing CVEs, security bulletins, or disclosure of the Brocade Fibre Channel switch issues until April 2024.

The fix: Broadcom support recommends upgrading to Brocade v2.3.1, v2.3.0a, and later releases.

Having trouble keeping up with patches? Try patch management as a service (PMaaS).

April 25, 2024

WP Automatic Plugin for WordPress Actively Exploited to Hijack Websites

Type of vulnerability: SQL injection.

The problem: Attackers actively seek to exploit vulnerability CVE-2024-27956, with a CVSS score of 9.8/10, in the WP-Automatic plugin. WPScan explains the exploitation process, which starts with a SQL injection attack that executes unauthorized database queries to create new admin-level user accounts on the WordPress websites. Then attackers can upload malicious plugins, web shells, backdoors, and even rename the WP-Automatic file to prevent exploitation by rival attackers.

The fix: Immediately update the plugin to version 3.92.1.

Unfixed September 2023 Qlik Sense Vulns Under Ransomware Attack

Type of vulnerability: Arbitrary code execution.

The problem: Qlik issued patches for its Qlik Sense business intelligence software in August 2023 and September 2023 for vulnerabilities that could allow ACE. Arctic Wolf warned of a Cactus ransomware campaign against these vulnerabilities at the end of November, yet Fox-IT still detected over 3,000 vulnerable servers this April.

The fix: Update the software as soon as possible to avoid ransomware attacks.

]]>