As always, the best way to get flaws quickly patched is to scan for vulnerabilities frequently and have a plan for fixing and documenting them. Make sure your security teams know their specific role in that process, and have frequent conversations about vulnerabilities so everyone knows what’s going on both in your infrastructure and in the industry overall.

August 19, 2024

Critical WordPress Vulnerability Jeopardizes Millions of Sites

Type of vulnerability: Privilege escalation.

The problem: LiteSpeed Cache, a WordPress plugin designed to reduce caching speeds and optimize page loads, has a vulnerability that affects at least 5 million WordPress instances. A member of security provider PatchStack’s Alliance community discovered the vulnerability and reported it to PatchStack, who then notified LiteSpeed Technologies, the plugin’s developer.

The plugin has a feature that creates a temporary user to crawl sites and cache web pages. “The vulnerability exploits a user simulation feature in the plugin which is protected by a weak security hash that uses known values,” PatchStack said. Unauthenticated users can exploit the weak hashes to escalate their privileges and upload malicious plugins or files.

The fix: Upgrade your LiteSpeed plugin to version 6.4.1, which includes the patch.

August 20, 2024

AWS Application Load Balancer Sees Configuration Issues

Type of vulnerability: Configuration issue leading to authentication bypass.

The problem: Application detection and response provider Miggo discovered a configuration vulnerability in Amazon Web Services’ Application Load Balancer (ALB) authentication feature. If an application is misconfigured as an ALB target group and is directly accessible, a threat actor could bypass ALB and use a shared public key server to set an arbitrary key ID, according to Liad Eliyahu from Miggo. The threat has been nicknamed ALBeast.

Aside from misconfiguration, misimplementation and issuer forgery also put AWS authentication processes at risk. “Until recently, the AWS ALB user authentication docs did not include guidance on validating a token’s signer—a crucial field for ensuring that the token was signed by the trusted ALB,” Eliyahu said. “Without this validation, applications might trust an attacker-crafted token.” An attacker could also forge an authentic token signed by ALBeast.

Applications that are exposed to the internet are particularly vulnerable to this flaw.

AWS updated its documentation after Miggo disclosed the vulnerability to its researchers. Now, an authentication signature needs to be verified and validated. AWS added new code that’s designed to validate the signer — the ALB instance that signs the token — according to Miggo.

The fix: Comply with all relevant documentation from AWS — use the new code they’ve provided to validate signatures. Miggo noted that AWS doesn’t consider issue forgery a formal vulnerability and has decided to reach out to customers with suboptimal configurations instead of changing the entire ALB component.

Learning about vulnerabilities as soon as possible is critical to protect your computer systems and networks, but it can be difficult to do manually. I recommend using a comprehensive vulnerability scanning product to find issues that must be fixed quickly.

August 21, 2024

Upgrade Chrome As Soon As Possible

Type of vulnerability: Type confusion.

The problem: A bug in the V8 JavaScript and Web Assembly engine affects Google Chrome on personal computers. The vulnerability allows remote threat actors to use specifically crafted HTML pages to exploit heap correction. They could potentially use the falsified HTML page to take control of your Chrome instance.

The vulnerability is tracked as CVE-2024-7971. It exists in versions of Chrome prior to 128.0.6613.84.

The fix: Chrome stable channel updates from Google include 128.0.6613.84/.85 for Windows and Mac devices and 128.0.6613.84 for Linux machines. To update to these versions:

• Open the Chrome browser and select the three vertical dots in the right corner.
• Click Help.
• Click About Chrome.
• If Chrome checks for updates and finds one, it will update the browser. Select Relaunch after it updates.

August 23, 2024

Another SolarWinds Web Help Desk Flaw Emerges

Type of vulnerability: Hardcoded credential.

The problem: Last week, I mentioned a Java deserialization flaw in SolarWinds Web Help Desk. This week, researchers have discovered another vulnerability in WHD, this one a hardcoded credential issue. If exploited, it allows an unauthenticated remote user to access the Web Help Desk’s controls and modify its data. Zach Hanley of Horizon3.ai discovered and reported the vulnerability. 

The flaw is tracked as CVE-2024-28987 and has a CVSS score of 9.1.

The fix: SolarWinds has released a hotfix, 12.8.3 number 2, that solves both last week’s remote code execution vulnerability and this week’s credential one.

CISA Adds Versa Director Vulnerability to Catalog

Type of vulnerability: Dangerous file type upload vulnerability. 

The problem: Versa Networks’ Director product has GUI customization options available for users who have Provider-Data-Center-Admin or Provider-Data-Center-System-Admin permissions. According to NIST, a malicious user with those privileges could use the “Change Favicon” option within the GUI to upload a malicious file that has a .png extension.

The file would masquerade as an image file, according to NIST. The exploit is only possible after a user with the correct privileges has logged into the Versa Director GUI successfully. Versa Networks noted that managed service providers are likely to be the main targets.

The vulnerability is tracked as CVE-2024-39717 and has a severity rating of 6.6.

The CISA has added this vulnerability to its catalog of Known Exploited Vulnerabilities (KEV). It has a High severity rating. According to NIST, Versa Networks is aware of one instance where the vulnerability was exploited because the customer didn’t implement older firewall guidelines.

The fix: To remediate CVE-2024-39717, upgrade to one of the following updated versions, with links to the download page provided by Versa Networks:

• 21.2.3: https://support.versa-networks.com/support/solutions/articles/23000024323-release-21-2-3
• 22.1.2: https://support.versa-networks.com/support/solutions/articles/23000025680-release-22-1-2
• 22.1.3: https://support.versa-networks.com/support/solutions/articles/23000026033-release-22-1-3
• 22.1.4: Not affected. 

Additionally, follow all of Versa Networks’ firewall guidelines and hardening best practices.

Double RCE Vulnerabilities Affect GPS Tracking Tool Traccar

Type of vulnerability: Path traversal leading to potential remote code execution.

The problem: Open-source GPS tracking solution Traccar has two path traversal vulnerabilities that could allow unauthenticated threat actors to execute code remotely. According to Horizon3.ai researcher Naven Sunkavally, Traccar is vulnerable when guest registration is enabled, which is its default configuration.

Traccar allows users to register their devices to be tracked, and Traccar shows their location when the devices communicate with the Traccar server. In version 5.1 of the solution, an image upload feature allows users to upload a picture of their device, but Traccar’s code has vulnerabilities in managing image file uploads.

The first vulnerability is tracked as CVE-2024-24809 and has a CVSS score of 8.5, with a high rating. The second is tracked as CVE-2024-31214 and has a critical CVSS score of 9.7. Both allow remote code execution if exploited.

“The net result of CVE-2024-31214 and CVE-2024-24809 is that an attacker can place files with arbitrary content anywhere on the file system,” Sunkavally said. “However, an attacker only has partial control over the filename.” The filename has to be a particular structure for the attackers to be successful.

The fix: Sunkavally recommends upgrading to Traccar 6. Alternatively, you can switch the registration setting to false so user self-registration isn’t automatically enabled.

Read next:

• Vulnerability Recap 8/20/24 – Microsoft Has the Spotlight This Week
• Best Vulnerability Management Software & Systems

The post Vulnerability Recap 8/27/24 – Wide Range of Vulnerabilities This Week appeared first on eSecurity Planet.

Here are the six best alternative solutions to CrowdStrike Falcon:

• Palo Alto Cortex XDR: Best for advanced security capabilities
• Trend Micro Vision One: Best for smaller teams with advanced needs
• Cybereason Defense Platform: Best for visualizing incidents and threats
• Bitdefender GravityZone: Best for small business budgets
• Sophos Intercept X: Best for basic EDR requirements
• Symantec Endpoint Security: Best for large-scale endpoint management

Top CrowdStrike Alternatives Compared

The following table compares a few features of CrowdStrike’s major competitors and the availability of a free trial.

	Behavioral Analytics	Device Controls	Custom Detection Rules	Free Trial
Palo Alto Cortex XDR
Trend Micro Vision One				30 days
Cybereason Defense Platform
Bitdefender GravityZone				One month
Sophos Intercept X				30 days
Symantec Endpoint Security

= yes    = no     = add-on

While these solutions are the best in the endpoint detection market, I found that Palo Alto Cortex XDR was the best overall platform to replace CrowdStrike Falcon. Continue reading to learn more about these products, or skip down to see how I evaluated the best EDR alternatives to CrowdStrike.

Palo Alto Cortex XDR – Best for Advanced Security Capabilities

---

Overall Rating: 4.1/5

• Pricing: 2.4/5
• Core features: 3.8/5
• Advanced features: 4.3/5
• Ease of use and administration: 4.7/5
• MITRE scores: 5/5
• Customer support: 4.5/5

Palo Alto Cortex XDR is a highly advanced security platform for protecting endpoints across your business infrastructure. Palo Alto Networks is renowned for its excellent security — it most recently posted perfect scores in the MITRE ATT&CK evaluations — and like CrowdStrike, it offers advanced features like custom detection rules and incident triage. I recommend Palo Alto for experienced teams that need top-notch security and can manage a large platform.

Visit Palo Alto

Pros

• Plenty of EDR features
• Fantastic technical security capabilities
• Available as a managed service

Cons

• On the more expensive side
• May be complex for smaller teams to use
• No free trial

Pricing

• Contact for quote: Custom pricing available; some pricing information available from Amazon Web Services
• Free demo: Contact to schedule

Key Features

• Forensics: Cortex XDR investigates incidents involving endpoints even when they aren’t connected to the network.
• Root cause analysis: Palo Alto allows admins to examine the root causes of incidents and the sequence of events leading to them.
• Behavioral analytics: The platform analyzes threat trends and malicious behavior to detect malicious insider attacks and credential abuse.
• Incident prioritization: Cortex XDR prioritizes fixing incidents by grouping alerts and scoring the incidents.

Screenshot

Alternatives

Although Palo Alto Cortex XDR is a great security solution for enterprises, it will take less experienced teams significant time to learn and use effectively. If you need an easier-to-use platform, look at Sophos instead.

Trend Micro Vision One – Best for Smaller Teams With Advanced Needs

---

Overall Rating: 3.9/5

• Pricing: 3/5
• Core features: 3.8/5
• Advanced features: 4.1/5
• Ease of use and administration: 5/5
• MITRE scores: 3.5/5
• Customer support: 3.4/5

Trend Micro Vision One is a unified security platform for businesses of all sizes. With features like remediation suggestions and customized playbooks, it’s designed to protect the entire security infrastructure. Trend Micro has been consistently building its security business for years, and Vision One is proof of that, with functionality for both large enterprises and SMBs. Similar to CrowdStrike, Vision One is designed to cover multiple facets of business security.

Visit Trend Micro

Pros

• Multiple customer support channels
• Available as a managed service
• Free trial lasts a month

Cons

• No native device control features
• Incident prioritization capabilities are unclear
• No official product demo

Pricing

• Contact for quote: Custom pricing available
• Free trial: 30 days

Key Features

• Attack surface discovery: Vision One tracks down unknown assets and attack surfaces that aren’t yet scanned and protected.
• Vulnerability management: The platform shows admins data like commonly exploited vulnerabilities and legacy operating systems being used.
• Risk scores: Trend Micro uses global threat intelligence sources to help determine which vulnerabilities are the most critical and should be fixed first.
• Variety of response options: Vision One can isolate endpoints, terminate processes, send threats to a sandbox, and force users to reset their passwords.

Screenshot

Alternatives

Vision One is a great solution for teams that want a comprehensive security platform, but a couple of its endpoint security features are unclear, including device controls and incident triage. If these are big priorities for you, consider Cybereason instead.

Cybereason – Best for Visualizing Incidents & Threats

---

Overall Rating: 3.8/5

• Pricing: 2.2/5
• Core features: 3.8/5
• Advanced features: 4/5
• Ease of use and administration: 4.2/5
• MITRE scores: 5/5
• Customer support: 3.8/5

Cybereason is an enterprise-grade detection and response platform ideal for larger teams, though SMBs with a sizable budget can certainly benefit from it, too. One of its differentiating features is the MalOp, or malicious operation, a method of tracking individual threats and all associated data. If you’re looking for a strong managed defense platform similar to CrowdStrike, Cybereason is a great choice, particularly for threat visualization.

Visit Cybereason

Pros

• Excellent practical security testing results
• Available as a managed service
• Excellent MITRE scores in recent testing

Cons

• Limited incident quarantine functionality
• Lacks pricing and licensing transparency
• No free trial

Pricing

• Custom pricing available: Contact Cybereason for a quote or purchase from resellers
• Free demo: Contact to schedule

Key Features

• Endpoint control: Within a single interface, admins can set rules for specific endpoints based on their business’s security policies.
• Threat intelligence: Cybereason compares multiple threat feeds using machine learning-based analysis to determine which feeds are most helpful.
• Remediation assistance: The platform shows admins which tools threat actors use and helps them quickly block threats and isolate malicious files.
• Integrations: Technology partners of the Cybereason Defense Platform include Okta, Proofpoint, Fortinet, and Palo Alto.

Screenshot

Alternatives

Cybereason is a strong choice for large enterprises and security teams that want to truly visualize the connections between different events. However, it’s not the best choice for small teams; consider Bitdefender instead if your business needs something a bit simpler.

Bitdefender GravityZone – Best for Small Business Budgets

---

Overall Rating: 3.7/5

• Pricing: 4.5/5
• Core features: 3.7/5
• Advanced features: 2.8/5
• Ease of use and administration: 3.8/5
• MITRE scores: 3.8/5
• Customer support: 3.4/5

Bitdefender GravityZone is a multi-purpose security platform for both small businesses and enterprises. You can choose your GravityZone package based on need; the most basic plan truly is an SMB solution, with features like web control and filtering. However, the enterprise option offers plenty for large and experienced teams, like correlation across endpoints and response suggestions. Like CrowdStrike Falcon, GravityZone provides pricing for small teams.

Visit Bitdefender

Pros

• Strong set of endpoint protection features
• Transparent pricing for very small teams
• Month-long free trial

Cons

• Not available as a managed service
• No support email or live chat available
• No native incident triage or threat intel

Pricing

• 100 devices: Between $4,000-$5,810 per year
• More than 100 devices: Contact for quote
• Free trial: One month

Key Features

• Ransomware mitigation: When GravityZone detects strange encryption procedures, it creates tamper-proof file copies so the data won’t be lost.
• Risk management: Bitdefender assigns risk scores to individual threats and prioritizes misconfigurations and behaviors depending on criticality.
• Sandboxing: GravityZone can automatically send suspicious files or code to the Sandbox Analyzer, determining whether it’s malicious.
• Single pane of glass: GravityZone combines the whole Business Security platform into one management console, so your admins can manage everything from one location.

Screenshot

Alternatives

GravityZone is a great endpoint security solution for businesses but is unavailable as a managed service. If your business needs an MDR platform, look at Trend Micro instead.

Sophos Intercept X – Best for Basic EDR Needs

---

Overall Rating: 3.4/5

• Pricing: 3.4/5
• Core features: 3/5
• Advanced features: 2.4/5
• Ease of use and administration: 5/5
• MITRE scores: 4/5
• Customer support: 4.3/5

Sophos is an extremely popular network security and EDR provider with customers. It offers tools like application and peripheral device control for managing endpoints. Renowned for its usability, Sophos is a strong solution for SMBs and less experienced teams, though it provides features like data loss prevention for larger companies. While CrowdStrike is a highly advanced platform, Sophos is ideal for teams that need a basic but strong EDR foundation.

Visit Sophos

Pros

• Plenty of usability features, like training videos
• Managed service option through Sophos MDR
• User interface is popular with customers

Cons

• Limited pricing details
• No custom detection rules
• No rogue device discovery

Pricing

• Contact for quote: Custom pricing available
• Free trial: 30 days
• Free demo: Contact to schedule

Key Features

• Prioritized detection: Intercept X uses artificial intelligence to prioritize which threats to detect.
• Web protection: Sophos examines web pages and data like IP addresses and blocks user access to malicious sites when needed.
• Behavioral analysis: The platform works over a period of time to gather process, registry, and file event data and determine threats versus normal activity.
• File integrity monitoring: Sophos protects Windows servers by identifying changes to the critical files on the servers.

Screenshot

Alternatives

Sophos is an outstanding solution for smaller teams and more basic EDR requirements, but it might not have enough advanced features for large enterprises. If your team needs more functionality, consider Palo Alto instead.

If you’re working to protect your entire business network, learn more about different types of network security solutions, like virtual private networks and firewalls.

Symantec Endpoint Security – Best for Large-Scale Endpoint Management

---

Overall Rating: 3.6/5

• Pricing: 2/5
• Core features: 4.4/5
• Advanced features: 4.1/5
• Ease of use and administration: 5/5
• MITRE scores: 2/5
• Customer support: 2.6/5

Symantec, recently acquired by Broadcom, is an EDR solution offering broad endpoint and server management. Features include custom detection rules and suggestions for remediation. Symantec’s security capabilities extend to multiple operating systems and mobile devices. It’s designed to protect data centers, hybrid infrastructures, and storage solutions like cloud buckets and network-attached storage. Like CrowdStrike, Symantec offers managed security services.

Visit Symantec

Pros

• Support for multiple storage environments
• Multiple training videos available
• Protects multiple data center deployments

Cons

• Limited incident prioritization features
• MITRE detection scores lacking
• Complaints about support after acquisition

Pricing

• Contact for quote: Custom pricing available

Key Features

• Device controls: Security teams can develop rules to control peripheral devices like USBs connecting to endpoints within the infrastructure.
• Attack visibility: Symantec EDR shows you the attack chain of events during an incident, which you can sort chronologically and then perform remediations.
• Managing assets: Part of the endpoint management solution, asset relationships and software license management help teams better visualize their organization’s hardware and software.
• Custom rules: You can add your own incident detection rules to find threats that Symantec’s existing rules don’t already cover.

Screenshot

Alternatives

While Symantec is a strong endpoint security solution, some customers complained about customer support responsiveness after the Broadcom acquisition. Consider Sophos if you’re looking for a solution with high customer service reviews.

5 Key Features of CrowdStrike Competitors

Endpoint security platforms like CrowdStrike Falcon typically offer features like device control, incident isolation, suggestions for remediation, threat intelligence, and mobile device support.

Device Controls

Endpoint security platforms typically offer device controls so teams can block or isolate devices that are seeing — or causing — security problems. This could be a strain of malware on a laptop or a mobile application trying to gain unauthorized access to a service. Admins can isolate the device so any threat won’t spread or block certain malicious processes.

Incident Quarantine

Often, threat actors use lateral movement to travel through IT environments, but they can do that because of insufficient permissions and the connection points between devices and applications. Endpoint security solutions should allow admins to quarantine incidents, or whole devices, so threats like malware can’t spread further.

Remediation Recommendations

Endpoint detection and response often include suggestions for remediating threats. A management console might provide threat data like affected applications and then give a listed process for mitigating the threat, like quarantining it or sending it to a sandbox. These suggestions are helpful for security admins because they’re based on data that the EDR solution has already compiled, and the automation also saves the admins manual work.

Threat Intelligence

Endpoint security vendors like CrowdStrike often integrate with popular threat intelligence feeds or perform their own threat research. Security platforms like EDR and XDR need to have accurate sources of threat data. These platforms will be better prepared to combat threats with a strong understanding of them and their associated indicators of compromise.

Support for Mobile Operating Systems

Ideally, endpoint security suites like CrowdStrike should cover mobile devices like phones, not just laptops and servers. Mobile phones can be just as much of a threat to enterprise security as computers, especially if they’re connected to a business network or are used to store sensitive data. Often, security platforms like EDR cover Android and iOS.

Flaws in mobile devices aren’t the only threats to business networks. Read more about major network security threats, including malware and denial of service, in our guide.

How I Evaluated CrowdStrike’s Main Competitors

To analyze the best alternatives to CrowdStrike Falcon, the vendor’s main platform, I created a product scoring rubric that analyzed solutions in the endpoint security, EDR, and XDR spaces. The rubric included six major categories that buyers look for in endpoint security solutions. Each category had its own weight, and each also included multiple subcriteria. How well each security product met the subcriteria and their weighting contributed to their final score.

Evaluation Criteria

I started with core endpoint security features, like device controls, when creating the rubric. Then I looked at usability and administrative features, like documentation and training videos. Next, I considered pricing, which included free trials, and advanced features, such as threat hunting. I also scored the products based on vendors’ MITRE Evaluation scores, which come from independent tests. Finally, I looked at customer support, including the availability of demos.

• Core features (25%): This category included the most important endpoint security features, like vulnerability management, remediation suggestions, and device control.
  • Criterion winner: Symantec
• Ease of use and administration (20%): I evaluated usability features like documentation, APIs, and a single management console.
  • Criterion winner: Multiple winners
• Pricing (15%): I looked at the availability of pricing information, including from resellers, and also evaluated free trials.
  • Criterion winner: Bitdefender
• Advanced features (15%): These included nice-to-have capabilities like threat hunting and rogue device discovery, which are particularly helpful for enterprises.
  • Criterion winner: Palo Alto
• MITRE scores (15%): I scored the products based on their MITRE Evaluation results, which indicate how well they can actually protect computer systems.
  • Criterion winner: Multiple winners
• Customer support (10%): I considered customer support channels, like phone and email, as well as product demo availability.
  • Criterion winner: Palo Alto

Frequently Asked Questions (FAQs)

Is CrowdStrike Better Than Competitors?

The top endpoint security and EDR platforms excel in different areas, including detection, protection, threat intelligence, and research. CrowdStrike is particularly renowned for its defense capabilities. However, multiple other providers do well in threat protection — just look for signs like strong independent testing scores; these show that vendors can actually use the features they claim to offer.

Who Is CrowdStrike’s Biggest Competitor?

CrowdStrike has plenty of competitors, but the most notable one is probably Palo Alto Networks, one of the world’s best detection and response providers. It offers similar features and earns very comparable independent testing scores. Palo Alto actually received the best score in the most recent MITRE ATT&CK evaluations and was the only vendor to stop all tests perfectly.

What’s the Difference Between Antivirus, Endpoint Protection Platforms & EDR?

CrowdStrike and its competitors all offer features in the antivirus, endpoint protection, and EDR families. However, the three have distinctions, even if they’re typically combined on CrowdStrike Falcon and other platforms. Antivirus solutions are mainly concerned with protecting computer systems from viruses and malware. Endpoint protection platforms prevent threats on devices like laptops, and EDR platforms combine preventative features with direct response.

Learn more about the differences between antivirus, endpoint protection platforms, and endpoint detection and response in our guide to the three.

Bottom Line: Choosing An Alternative to CrowdStrike

Whether you’re looking for your business’s first EDR platform or trying to replace an existing instance of CrowdStrike Falcon, consider the key features your team needs when evaluating competitors. Falcon is renowned for its threat prevention capabilities, but other solutions can provide that, too. Look for strong independent testing scores that indicate actual ability, but consider administrative and support features that affect usability, too.

Is your business specifically looking for a managed endpoint security solution? Check out our guide to the best managed detection and response solutions, including Alert Logic and SentinelOne.

The post CrowdStrike Competitors for 2024: Top Alternatives Reviewed appeared first on eSecurity Planet.

August 12, 2024

Ivanti Runs Into Snag With Virtual Traffic Manager

Type of vulnerability: Authentication bypass. 

The problem: Ivanti Virtual Traffic Manager has a vulnerability that could lead to authentication bypass and subsequent creation of an administrator when exploited. According to the National Institute of Standards and Technology, the vulnerability stems from an incorrect implementation of authentication algorithms and exists in all vTM versions except 22.2R1 and 22.7R2.

“Customers who have ensured their management interface is bound to an internal network or private IP address have significantly reduced their attack surface,” the Ivanti notice reads. The vendor didn’t notice any active exploits when it released the security notice.

The flaw is tracked as CVE-2024-7593 and has a CVSS score of 9.8, a critical rating. 

The fix: Ivanti recommends updating Virtual Traffic Manager to the latest version, which you can do by logging into the Ivanti standard downloads portal.

August 13, 2024

Microsoft Patch Tuesday Sees Elevation of Privilege Vulnerability

Type of vulnerability: Multiple, including elevation of privilege.

The problem: Last week, Microsoft’s monthly Patch Tuesday announced 90 new CVEs, including multiple zero-day vulnerabilities. According to Trend Micro Zero Day Initiative researcher Dustin Childs, Microsoft listed four of the CVEs as public, and six are being actively exploited. That’s unusual for a single release, he said.

One of the vulnerabilities highlighted in Patch Tuesday was an elevation-of-privilege flaw in Windows Update. According to Microsoft, the vulnerability allows a threat actor with basic privileges to reintroduce old vulnerabilities that had already been mitigated. The attack would also need “additional interaction by a privileged user to be successful.”

The vulnerability is tracked as CVE-2024-38202 and has a severity score of 7.3.

The fix: There isn’t an official mitigation strategy for the EoP vulnerability yet; Microsoft will update its security notice whenever it releases a patch or other fix.

Patch Tuesday Lineup Also Includes RCE Flaw

Type of vulnerability: Remote code execution.

The problem: Microsoft discovered a vulnerability in Transmission Control Protocol (TCP) / Internet Protocol (IP) that affects Windows machines running IPv6. This vulnerability also belonged to the month’s Patch Tuesday roundup and is one of the more severe flaws patched recently, with a CVSS score of 9.8.

“An unauthenticated attacker could repeatedly send IPv6 packets, that include specially crafted packets, to a Windows machine which could enable remote code execution,” the notice said. Microsoft Security Response Center announced the vulnerability and instructed users to patch it. The flaw affects Windows Server, Windows 10, and Windows 11.

The fix: Install the most recent Windows security updates, which have the vulnerability patched. While disabling IPv6 is a possible fix, it’s not recommended, since that could stop other Windows components from working properly.

If your team is overwhelmed by new vulnerabilities, check out our guide to the best vulnerability scanners. These products automatically search your systems for flaws, based on known vulnerabilities.

August 15, 2024

SolarWinds Flaw Should Be Immediately Patched

Type of vulnerability: Deserialization, leading to remote code execution.

The problem: SolarWinds Web Help Desk is vulnerable to a Java deserialization flaw that allows remote threat actors to execute code on hosts. Researchers reported the issue to SolarWinds as an unauthenticated vulnerability, but according to Tenable, SolarWinds hasn’t been able to recreate the exploit without authentication, so it’s likely a difficult flaw to exploit. The vulnerability is tracked as CVE-2024-28986 and has a base CVSS score of 9.8.

The fix: Tenable recommends patching your instance of Web Help Desk despite SolarWinds’ inability to reproduce the exploit without authentication. Install Web Help Desk version 12.8.3 first, and then install the hotfix once you’ve updated the software.

Third-Party Application Package Installed on Pixel Devices

Type of vulnerability: Third-party application package installed on Pixel device firmware, with insufficient security controls.

The problem: Mobile security vendor iVerify’s EDR product discovered an unsecured Android device at data analytics firm Palantir Technologies. Researchers investigating the threat found an Android application package, Showcase.apk, that’s part of the device firmware. When it’s enabled, the package allows threat actors to access the operating system.

This vulnerability also opens Androids to code injection, man-in-the-middle attacks, and spyware, according to iVerify’s blog post about the vulnerability. The application runs with too-high privileges, and it’s installed on many Pixel devices that have been shipped for the past seven years.

iVerify notified Google about the vulnerability, and Google plans to release an update that removes Showcase.apk from its Pixel phones. Palantir Technologies plans to phase out Android phones and begin using Apple devices after performing the investigation.

The fix: If you have a Pixel phone, update to the newest operating system as soon as Google releases it. If you have a different Android phone, watch for new versions and update your phone immediately when the next version is released.

Entra ID Vulnerability Affects Hybrid Environments

Type of vulnerability: Authentication bypass.

The problem: Researchers at security firm Cymulate have discovered a vulnerability within Microsoft Entra ID, the product recently known as Azure Active Directory (AAD). This is the cloud-based version of Active Directory, not the on-premises one (which is known simply as Active Directory). The flaw occurs when Entra ID users are syncing multiple on-prem Active Directory domains to one Microsoft Azure tenant, which is in the cloud.

“This issue arises when authentication requests are mishandled by pass-through authentication (PTA) agents for different on-prem domains, leading to potential unauthorized access,” Cymulate’s report said. Threat actors manipulate credential validation and then don’t have to submit to typical security checks. 

“This vulnerability effectively turns the PTA agent into a double agent, allowing attackers to log in as any synced AD user without knowing their actual password; this could potentially grant access to a global admin user if such privileges were assigned.”

This can happen regardless of the threat actor’s initial Active Directory domain and allow them to move to another on-prem domain, Cymulate researchers Ilan Kalendarov and Elad Beber said. The researchers reported the issue to Microsoft in July. As of the release of Cymulate’s report, there’s no current estimated timeline for the fix.

The fix: Despite that, Cymulate recommends some mitigation strategies for this vulnerability, including enabling two-factor authentication for all synced users. They also remind customers that following Microsoft’s Secure Privilege Access guide helps harden the Microsoft Entra Connect Server.

August 17, 2024

Linux Vulnerability Affects Kernel’s Memory Allocation

Type of vulnerability: Linux DMA allocation.

The problem: Researchers discovered and fixed a vulnerability within the Linux kernel’s Direct Memory Access (DMA) allocation process. The flaw exists in the dmam_free_coherent() function and requires the call order to be fixed.

The dmam_free_coherent() function frees a DMA allocation. The freed vaddr is then available to be reused and then calls the devres_destroy() function to remove and free the data structure that tracks the DMA allocation. Between the two calls, a concurrent task could make an allocation with the same vaddr and add it to the devres list.

“If this happens, there will be two entries in the devres list with the same vaddr and devres_destroy() can free the wrong entry, triggering the WARN_ON() in dmam_match,” said the advisory.

The fix: This vulnerability is solved by destroying the devres entry before freeing the DMA allocation, according to the GitHub advisory posted for the vulnerability.

Read next:

• Vulnerability Recap 8/13/24 – Old Vulnerabilities Unexpectedly Emerge
• Best Vulnerability Management Software & Systems in 2024

The post Vulnerability Recap 8/20/24 – Microsoft Has the Spotlight This Week appeared first on eSecurity Planet.

The other major news — which could affect both businesses and individuals — is a zero-day vulnerability found in most major web browsers on both Mac and Linux machines. You’ll want to update your computer as soon as you learn about this — I certainly did. Look at our rundown, and make sure your security teams are apprised of any relevant vulnerabilities from this past week’s news.

August 5, 2024

Another Apache OfBiz Vulnerability to Watch

Type of vulnerability: Remote code execution.

The problem: Last week, I mentioned a path traversal vulnerability in the open-source framework Apache OfBiz that had been patched earlier in the year but was more recently being exploited. This new OfBiz flaw is a separate one. It’s tracked as CVE-2024-38856 and allows a threat actor to use a specifically created request to execute code on endpoints without authorization.

The vulnerability has a CVSS severity rating of 9.8 and affects all versions of Apache OfBiz up to 18.12.14.

The fix: Upgrade to version 18.12.15.

August 7, 2024

18-Year-Old Browser Flaw Requires Immediate Updates

Type of vulnerability: Zero-day code execution.

The problem: Researchers from application security vendor Oligo recently discovered a web browser vulnerability 18 years in the making. The flaw allows threat actors to fingerprint and identify browser users and to use an IP address of 0.0.0.0 to execute unauthorized code. The vulnerability applies to all major browsers running on macOS and Linux systems but not on Windows.

“Public websites (like domains ending in .com) are able to communicate with services running on the local network (localhost) and potentially execute arbitrary code on the visitor’s host by using the address 0.0.0.0 instead of localhost/127.0.0.1,” Oligo researcher Avi Lumelsky said.

According to Oligo, the initial vulnerability, designed to identify browser users for legitimacy, also allows threat actors to fingerprint users by port-scanning them. By the time this was recognized as a major threat, it already existed in most browsers and would be quite challenging to solve, Lumelsky explained.  

The fix: If you use Google Chrome, click the three vertical dots at the top of the right corner of the browser window. Select “Help” and then “About Google Chrome.” From there, select the option to upgrade to a new browser. If you see “Relaunch,” click that, or Chrome may relaunch the browser automatically after closing the windows.

If you use Safari, click the Apple icon to open the menu and choose “System Settings.” Select “General” and then “Software Update.” Select “Update Now” if there’s a new update available, and follow any further instructions.

Microsoft Edge users should open the browser and select the three dots in the upper right-hand corner. Then, choose “Help and feedback” and select “About Microsoft Edge.” If there are updates available, Edge should automatically perform them. Then, you’ll need to restart Edge as prompted to apply those software updates.

If you use Mozilla Firefox, open Firefox and select the three horizontal lines at the top right of the browser. Click “Help” and then “About Firefox,” where Firefox will execute any available updates automatically. After the update process, select “Restart to Update Firefox.”

For further details on updating your browsers, Fox News provides instructions here.

If your security team has started to feel overwhelmed by tracking down vulnerability news, consider a scanning product that helps automate vulnerability tracking procedures. We’ve selected the best vulnerability scanners for businesses so you can pick a good option for your team.

Sinkclose Vulnerability Affects 18 Years of Processors

Type of vulnerability: Improper validation and potentially arbitrary code execution.

The problem: This week, we have not one but two 18-year-old vulnerabilities: researchers at IOActive discovered a flaw in AMD central processing units that has existed in processors made as early as 2006. It’s only just now been discovered and is known as Sinkclose. If exploited, the vulnerability would allow a threat actor to execute their own code within the processor’s firmware using System Management Mode (SMM). This can happen even when SMM is locked.

To successfully complete the attack, the malicious program would need to have access to  ring0, which is the layer of the firmware with the highest privileges and with access to the system kernel. The threat actor must get there first before they can exploit this flaw; this could be part of the reason it hasn’t been heavily exploited. The vulnerability is tracked as CVE-2023-31315 and has a CVSS score of 7.5.

The fix: AMD will patch some of its processors but not all; check out AMD’s security bulletin for a list of hardware that will receive a patch.

Windows Downgrade Attack Puts Operating System in Danger

Type of attack: OS version rollback.

The problem: A recently discovered flaw in Windows systems allows threat actors to roll operating systems back to older versions that have vulnerabilities in them. The researcher who discovered the flaw six months ago, Alon Leviev, presented his findings at the Black Hat conference last week. He was able to use the Windows Updates function to create OS downgrading updates and bypass the verification steps typically required for a system update.

“Armed with these capabilities, we managed to downgrade critical OS components, including DLLs, drivers, and even the NT kernel,” Leviev said. “Afterwards, the OS reported it’s fully updated, unable to install future updates, with recovery and scanning tools unable to detect issues.”

The vulnerability also applied to Microsoft Hyper-V, the vendor’s hypervisor for supporting virtual environments. Leviev was able to downgrade Hyper-V, as well as the Isolated User Mode process within Windows Credential Guard.

In this scenario, a computer that appears to be fully patched could actually be running an older operating system with multiple open vulnerabilities.

Microsoft hasn’t officially spoken on the vulnerability, but it published advisories for CVE-2024-38202 and CVE-2024-21302 around the same time that Leviev presented at Black Hat.

The fix: The vendor currently offers no solution. If your business uses Windows, restrict administrative privileges as much as you can and require password resets as soon as possible.

August 10, 2024

Google Quick Share Has 10 Flaws on Windows

Type of vulnerability: 

The problem: SafeBreach researchers discovered 10 different vulnerabilities in Google Quick Share, a wireless data transfer utility. When put together, some of them could lead to remote code execution attacks against Quick Share on Windows machines. This potential attack chain is now known as QuickShell.

The vulnerabilities included remote unauthorized file writes, remote forced Wi-Fi connection, and remote denial-of-service. According to SafeBreach, Google has fixed all the vulnerabilities and issued two CVEs: CVE-2024-38271 and CVE-2024-38272.

According to the researchers, a significant portion of the application code resides in an open-source repository, which could make it a valuable target for threat actors.

The fix: Google has fixed the flaws, so update your Android, Windows, and Chrome systems to the most recent versions.

August 12, 2024

OpenSSH Flaw Opens the Door for RCE

Type of vulnerability: Remote code execution.

The problem: OpenSSH, a network utilities suite based on the Secure Shell protocol, has a signal safety flaw, according to researchers at FreeBSD. FreeBSD, an open-source operating system project, released a security bulletin about the vulnerability, which occurs in a signal handler in sshd(8). According to the researchers, the logging function that the handler calls isn’t automatically async-signal-safe.

“The signal handler is invoked when a client does not authenticate within the LoginGraceTime seconds (120 by default),” FreeBSD said in its notice. “This signal handler executes in the context of the sshd(8)’s privileged code, which is not sandboxed and runs with full root privileges.”

If exploited, the vulnerability allows a threat actor to execute remote code as root in OpenSSH. This affects the safety of OpenSSH’s encryption and transport security features.

The vulnerability is tracked as CVE-2024-7589 and has a CVSS score of 7.4.

The fix: FreeBSD instructs users to upgrade their system to a supported FreeBSD stable or release / security branch (releng) from after the date the flaw was fixed. After you’ve upgraded, restart sshd. FreeBSD provides more specific upgrade details as well.

Read next:

• Vulnerability Recap 8/5/24 – Already-Fixed Flaws Are Still Targeted
• Best Vulnerability Management Software & Systems in 2024

The post Vulnerability Recap 8/13/24 – Old Vulnerabilities Unexpectedly Emerge appeared first on eSecurity Planet.

July 31, 2024

Mirai Botnet Targets Apache OfBiz 

Type of vulnerability: Path traversal.

The problem: Apache OfBiz, a Java-based framework for developing enterprise resource planning (ERP) apps, had a path traversal vulnerability in May of this year. The update released for the flaw, which affected OFBiz versions before 18.12.13, fixed the issue. Recently, researcher Johannes Ulrich has seen increased activity against the vulnerability. In particular, the Mirai Botnet has been attacking it.

The flaw is tracked as CVE-2024-32113. Ulrich explained the attacker’s process when exploiting the vulnerability:

“The directory traversal is easily triggered by inserting a semicolon. All an attacker has to find is a URL they can access and append a semicolon followed by a restricted URL. The exploit URL we currently see is:

/webtools/control/forgotPassword;/ProgramExport

“forgotPassword” does not require any authentication and is public. “ProgramExport” is interesting because it allows arbitrary code execution.”

The threat actor would have to use a POST request to exploit the flaw sufficiently, Ulrich said, but they don’t automatically need a request body.

The fix: Upgrade your instance of Apache OfBiz to ​​version 18.12.13.

Android Weakness Exploited by Malware for Over Two Years

Type of vulnerability: Read permission given to malicious applications on Android devices.

The problem: Researchers at mobile security firm Zimperium discovered a malware campaign against Android devices in 2022 and have continued to track the malware since then. The campaign is SMS stealing, targeted at one-time passwords sent through text, so threat actors can use them to access accounts that they aren’t authorized to access.

The zLabs team has identified more than 107,000 malware samples throughout its research of over two years. They found that typically, a victim is fooled into sideloading an application onto the phone through a falsified app store or a similar tactic, and the application requests read permission for SMS messages on the device, which Android allows. Once the malware is on the Android device, it hides in wait and monitors SMS messages, looking for OTPs in particular.

The fix: There is currently no clear patch or redirect from the vendor. Zimperium mentions the importance of increasing enterprise mobile security measures. If you have an Android device, I recommend using an email address to receive one-time passwords instead of a phone number whenever possible.

Apple Fixes Multiple Vulnerabilities in Siri

Type of vulnerability: Access to sensitive information via voice prompts.

The problem: The mobile security issues continue, this time with Apple. The vendor recently patched vulnerabilities in Apple Watch, iPadOS, and iOS that could allow a threat actor to take sensitive data from a locked mobile device. Four of the vulnerabilities were related to Siri, Apple’s voice assistant. Malwarebytes released a security notice emphasizing the dangers of Siri’s ability to respond to voice commands from a locked device screen.

“Apple has restricted these options to stop an attacker with physical access from being able to access contacts from the lock screen and access other sensitive user data,” Malwarebytes said.

The fix: Update to iOS 17.6 or iPadOS 17.6 if you haven’t already.

August 1, 2024

Rockwell Automation Flaw Has Been Fixed

Type of vulnerability: Security bypass.

The problem: Security research firm Claroty found a vulnerability in Rockwell Automation ControlLogix 1756 devices that allowed an attacker to bypass Rockwell’s trusted slot feature. This capability is designed to enforce security on the devices and block communications on the local chassis if they happen on untrusted paths.

Claroty wrote in its report, “The vulnerability we found, before it was fixed, allowed an attacker to jump between local backplane slots within a 1756 chassis using CIP routing, traversing the security boundary meant to protect the CPU from untrusted cards.”

The threat actor needs network access to exploit the vulnerability in the devices. If successfully exploited, the threat actor could bypass the controls and send commands to the PLC CPU, Claroty said. The vulnerability affects ControlLogix, GuardLogix, and 1756 ControlLogix I/O modules.

Claroty disclosed the vulnerability to Rockwell, which then fixed the flaw.

The fix: Rockwell Automation provided the following table with the fixed firmware versions for each affected product.

If your team needs more consistent vulnerability information in a faster timeframe, check out our picks for the best vulnerability scanners, which can help you more quickly identify what to patch and protect.

VMware eSXI Vulnerability Still Being Exploited

Type of vulnerability: Authentication bypass.

The problem: A vulnerability affecting VMware eSXI hypervisors was patched recently but has seen multiple ransomware exploits. If a threat actor has sufficient Active Directory permissions, they could get full access to the eSXI host if it had previously been configured to use Active Directory to manage users. According to NIST’s National Vulnerability Database, the threat actor would recreate the eSXI Admin group on AD after it was deleted.

Microsoft researchers discovered the vulnerability and announced it in a research report last week. They disclosed the vulnerability to VMware through a coordinated vulnerability disclosure (CVD). 

eSXI hypervisors sometimes host virtual machines, which may support critical workloads and servers. Microsoft said, “In a ransomware attack, having full administrative permission on an ESXi hypervisor can mean that the threat actor can encrypt the file system, which may affect the ability of the hosted servers to run and function. It also allows the threat actor to access hosted VMs and possibly to exfiltrate data or move laterally within the network.”

The vulnerability is tracked as CVE-2024-37085. It has a CVSS score of 7.2 from NIST and a base score of 6.8 from VMware.

The fix: Make sure you’ve patched any eSXI hypervisors, and also use two-factor authentication to make it harder for threat actors to gain unauthorized access.

August 5, 2024

Windows Security Features Have Multiple Flaws

Type of vulnerability: Security bypass.

The problem: Microsoft Windows’ Smart Screen and Smart App Control features have a number of security issues, which Elastic Security Labs reported earlier today. These flaws can lead to “initial access with no security warnings and minimal user interaction,” according to the researchers. No security popups or warnings will alert users that the attacker has gotten access, either, making this challenging to detect.

Smart Screen examines web pages for potential security issues and sends a warning notice to users if it finds one. Smart App Control predicts whether an application is safe to run on the computer system where it’s installed and blocks it if not.

The fix: Elastic Security Labs recommends that teams carefully study downloads happening on their computer system and avoid relying only on OS security features.

Read next:

• Vulnerability Recap 7/29/24 — Multiple Old Security Flaws Reappear
• Best Vulnerability Management Software & Systems in 2024

The post Vulnerability Recap 8/5/24 – Already-Fixed Flaws Are Still Targeted appeared first on eSecurity Planet.

Top Cybersecurity Companies

The following table compares our top 20 providers, including the number of times they’ve made it into one of our buyer’s guides.

Palo Alto Networks

Best Protection Against Network, Endpoint & Remote Asset Attacks

Headquarters: Santa Clara, California

Founded: 2005

Annual Revenue: $7.52 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 14

Palo Alto Networks (NASDAQ: PANW) delivers a broad portfolio of security products and a long history of top scores in rigorous independent security tests. Known for strong next-generation firewalls (NGFW) and endpoint detection and response (EDR) products, it also ranks for network security tools, zero trust, extended detection and response (XDR), IoT security, software-defined wide area network (SD-WAN), and secure access service edge (SASE).

While known primarily for its comprehensive cybersecurity solutions, Palo Alto managed a top-four finish in the first MITRE managed security tests, showing that it’s no slouch in security services either. Its security product tests have been consistently excellent, including in the latest MITRE endpoint security tests and CyberRatings firewall tests. Analysts predict that the 19-year-old firm will grow its annual revenue at an 18% rate over the next five years.

Fortinet

Best for Network Security Perimeter Protection

Headquarters: Sunnyvale, California

Founded: 2000

Annual Revenue: $5.3 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 15

Fortinet (NASDAQ: FTNT) turned its firewall expertise into leadership positions in NGFW, web application firewalls (WAF), unified threat management (UTM) and adjacent markets like software-defined wide area networks (SD-WAN) and enterprise virtual private networks (VPNs). Analysts project a 14.6% annual growth rate for the next five years.

The network security vendor doesn’t shy away from rigorous testing, and customer satisfaction ratings are high in key areas like product capabilities, value, ease of use, and support. This also helps Fortinet make inroads into small business markets.

Cisco

Best for Integrated Network Security

Headquarters: San Jose, California

Founded: 1984

Annual Revenue: $57.2 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 16

Cisco (NASDAQ: CSCO) pioneered networking and developed its network security offerings through internal development and acquisition. Splunk provided the headline acquisition in 2023, but Cisco also acquired Isovalent, Lightspin, Oort, and Working Group Two.

Cisco’s existing networking customers primarily drive the adoption of its security solutions for built-in compatibility with existing infrastructure. Still, Cisco earned a spot on our top security product lists such as network detection and response and zero trust.

CrowdStrike

Best for Endpoint Security & Services

Headquarters: Sunnyvale, California

Founded: 2011

Annual Revenue: $3.4 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 8

CrowdStrike (NASDAQ: CRWD) builds off of its strength in endpoint protection to offer solutions for XDR, MDR, vulnerability management as a service (VMaaS), and cloud security posture management (CSPM). Analysts predict five-year revenue growth of 31.8% and it earns high marks in both MITRE’s technical and MSSP evaluations.

Zscaler

Best for Cloud Security

Headquarters: San Jose, CA

Founded: 2007

Annual Revenue: $1.9 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 5

Zscaler (NASDAQ: ZS) delivers cloud security and edge security through a cloud-native platform that transforms IT infrastructure from castle-and-moat networks to distributed, zero trust environments. Analysts see promise in this model and forecast a 5-year growth rate of 38.2%. Other top solutions provided by Zscaler include secure web gateways (SWGs) and deception tools.

IBM

Best for Advanced Encryption

Headquarters: Armonk, New York

Founded: 1911

Annual Revenue: $61.9 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 13

IBM’s biggest strength might be its research depth, which drives advances in areas like homomorphic encryption. Big Blue (NYSE: IBM) earns mention for unified endpoint management (UEM), SOAR, SIEM, encryption, database security, threat intelligence platform, single sign-on, and managed security service providers (MSSPs).

Trend Micro

Best for Small Businesses

Headquarters: Tokyo, Japan

Founded: 1988

Annual Revenue: $1.3 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 14

Trend Micro (OTC: TMICY) customers cite high value and ease of use across a portfolio of tools such as antivirus, full disk encryption, cloud workload protection platforms (CWPP), and intrusion detection and prevention systems (IDPSs). With $1.3 billion in revenue, Trend Micro continues to grow steadily past its status as a first-gen antivirus vendor.

Okta

Best for Access Management

Headquarters: San Francisco

Founded: 2009

Annual Revenue: $2.3 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 3

Okta (NASDAQ: OKTA) delivers leading identity and access management (IAM) and zero trust solutions. With easy to use, deploy, and manage products, Okta continues to attract security buyers, and analysts project a long-term expected growth rate of 25% despite several highly publicized breaches.

OneTrust

Best for Privacy and Compliance

Headquarters: Atlanta, Georgia

Founded: 2016

Annual Revenue: $0.4 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 2

OneTrust (private) is an eight-year-old privacy compliance technology startup that has ridden data privacy laws like GDPR and CCPA to rapid growth. The company provides solutions to quantify and assess the risks associated with data exposure and earns places on our risk management, third-party risk management, and hot cybersecurity startups lists.

Rapid7

Best for Integrated Vulnerability & Threat Management

Headquarters: Boston, Mass.

Founded: 2000

Annual Revenue: $0.8 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 10

The Rapid7 (NASDAQ: RPD) security portfolio builds on a strong base in vulnerability detection and management and adds SIEM and threat detection capabilities. An emphasis on pricing transparency, value, and ease of use drives growth that analysts project will reach 52% over the next five years. That combination has landed Rapid7 on 10 of our top product lists, with vulnerability management being a major highlight.

Proofpoint

Best for End User Data Security

Headquarters: Sunnyvale, California

Founded: 2002

Annual Revenue: $1.1 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 7

Proofpoint (private) focuses on securing end users with a product portfolio that includes cloud access security broker (CASB), data loss prevention (DLP), zero trust, threat intelligence, email security, and email gateways. The company cleared the $1 billion revenue mark before Thoma Bravo took it private in 2021.

Tenable

Best for Vulnerability Management

Headquarters: Columbia, Maryland

Founded: 2002

Annual Revenue: $0.8 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 9

Tenable (NASDAQ: TENB) seeks to reduce the attack surface through a portfolio of solutions that includes vulnerability management, vulnerability scanning, patch management, cloud security, Active Directory security, pen testing, and breach and attack simulation. The focus on enabling critical, yet difficult to achieve, security processes earns Tenable strong positive reviews across their portfolio.

KnowBe4

Best for Security Awareness Training

Headquarters: Clearwater, Florida

Founded: 2010

Annual Revenue: $0.2 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 2

KnowBe4 (private) gained first mover advantage in cybersecurity training – a critically important practice for reducing the source of most cyberattacks. The training enjoys very positive customer reviews, which drives success and motivated the $4.6 billion take-private acquisition by Vista Equity Partners in February 2023.

Darktrace

Best for AI-Powered Security

Headquarters: Cambridge, UK

Founded: 2013

Annual Revenue: $0.5 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 1

The UK-based venture between British intelligence agencies and Cambridge mathematicians, Darktrace (LSE: DARK), pioneers AI-based security. Their quality earns a top spot for NDR tools, but the product often challenges categorization with both security and operations features for prevention, detection, incident response, and automated healing.

Check Point

Best for Firewalls

Headquarters: Tel Aviv, Israel, and San Carlos, California

Founded: 1993

Annual Revenue: $2.4 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 11

Check Point (NASDAQ: CHKP), the 30-year-old firewall pioneer, offers a complete security portfolio that ranks highly on independent security tests (MITRE, etc.). It offers strong security and value through traditional solutions such as firewalls, gateways, UTM, DLP, and encryption, as well as a strong service portfolio.

In addition to incident response and threat intelligence services, Check Point continues to invest in software-as-a-service (SaaS) providers and recently acquired both Atmosec and Perimeter81.

Sophos

Best for Home and Small Office Security

Headquarters: Abingdon, United Kingdom

Founded: 1985

Annual Revenue: $0.6 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 10

Sophos (private), founded in the 1980s, provides both consumer antivirus and enterprise solutions for WAF, NGFW, UTM, EDR, cloud workload protection platform (CWPP), encryption, XDR, MDR, and ransomware removal. Thoma Bravo took the company private in 2020, with services being a major focus area under the new ownership.

Customer reviews have been among the best on this list, showing plenty of demand for products that offer good security, value, and ease of use.

Broadcom

Best for Endpoint Management

Headquarters: San Jose, California

Founded: 1991

Annual Revenue: $35.8 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 12

Broadcom (NASDAQ: AVGO) offers a robust portfolio of security solutions such as CASB, DLP, SASE, SD-WAN, and zero trust. However, their product and service mix continues to shift as they attempt to digest acquisition brands such as Symantec’s enterprise security tools and VMware’s portfolio that also includes Carbon Black.

Trellix

Best for Combined XDR & Cloud Needs

Headquarters: San Jose, California

Founded: 2022 (Trellix), 1987 (McAfee), 2004 (FireEye)

Annual Revenue: Privately held

Appearances on eSecurity Planet‘s Top Vendors lists: 6

Trellix focuses on its core network security market and related technology that protects against network threats, such as IDPS, SOAR, and encryption. The company was formed in 2022 when the private equity group Symphony Technology Group (STG) merged technologies and products from FireEye and McAfee Enterprise.

Microsoft

Best for Windows Security

Headquarters: Redmond, Washington

Founded: 1975

Annual Revenue: $227.6 billion

Appearances on eSecurity Planet‘s Top Vendors lists: 13

Microsoft’s (MSFT) continues to build out its security portfolio that already includes IAM, endpoint protection, cloud security services, DDoS protection, database security, and more. In addition to quantity, the solutions also provide quality, with performance near the top of MITRE’s endpoint and MSSP evaluations.

Barracuda Networks

Best for Remote Worker Protection

Headquarters: Campbell, CA

Founded: 2003

Annual Revenue: Private

Appearances on eSecurity Planet‘s Top Vendors lists: 11

Barracuda Networks builds on their pioneering email security products to deliver solutions for WAF, UTM, SASE, and zero trust. The reliable products perform well in testing and customer satisfaction rankings, which also helps place Barracuda in our list of top tools and software for SMBs.

Other Cybersecurity Market Leaders

The cybersecurity industry is loaded with great companies. The following didn’t make our top 20 cybersecurity companies, but that doesn’t mean they don’t have great products and services. Some continue to gain traction and in other cases, mergers and private equity takeovers have limited our visibility. But all these vendors make our top product lists and meet the needs of many users.

Methodology

To compile our list, we started with innovation and market leadership, hence our focus on our rigorously researched top security product lists, or buyer’s guides. Consistent performance, revenue, and growth were ranking factors, as were strong independent security test results in a market that’s starved for information. User reviews, product features, benefits and use cases, and analyst reports also played a role in our analysis.

Specialization can be a good thing in cybersecurity, with the likes of CrowdStrike, Okta, and OneTrust high on our list. The vendors at the top of the list shouldn’t surprise longtime readers — Palo Alto Networks and Fortinet continue to impress us — and a number of other vendors have also withstood the test of time.

Frequently Asked Questions (FAQs)

The following questions are some of the most common from individuals researching security technologies and jobs.

What Are the Main Types of Cybersecurity?

While the security industry is broad and nuanced, there are a few widely recognized categories of security:

• Network security: Protects the connections between networks, including data transfers to and from the internet, and hardware like routers and switches.
• Endpoint security: Defends devices like laptops, phones, and servers.
• Application security: Adds protection for software, data, and access at the individual application level.
• Cloud security: Protects cloud environments and data from vulnerabilities and threat actors.

Also note that some security solutions cover multiple categories. Extended detection and response (XDR), for example, pulls alerts from endpoints, networks, and applications into a single console for centralized management.

How Do You Choose a Cybersecurity Company?

Choosing a cybersecurity vendor involves multiple factors, including company focus, integration issues, customer support needs, your team’s skill level, and your budget. Consider the following questions when choosing a cybersecurity vendor:

1. What is the company’s overall focus? If you’re searching for a container security solution, consider a vendor that specializes in cloud and application security.
2. How many of their solutions will you use? If you have software or hardware from another security vendor, do they integrate well? And look at support for other applications too.
3. What are your customer support needs? Signs that a vendor has good technical service include 24/7 support in multiple channels and high praise for the support team in reviews.
4. Can your business afford it? Some smaller businesses might not have the budget for vendors like Palo Alto and CrowdStrike, and that’s okay. There are plenty of providers that have security solutions designed for small companies.

Will Cybersecurity Jobs Become Obsolete?

If you’re a job seeker in the security industry or considering a career change, know that cybersecurity careers aren’t going anywhere. They might continue to change as the industry evolves, but demand for cybersecurity skills and training remains strong. Today’s IT climate requires knowledge of large security platforms, detection and response technologies, and even sometimes distributed systems.Job seekers will need to research the field and curate skills that will be most useful to potential employers. Organizations like EC-Council and CompTIA+ have certifications that provide a springboard for individuals wanting to start a security career. And continued education is critical for staying on top of threats — never stop learning.

What Are the Top Cybersecurity Companies to Work For?

The following companies are a sample of highly rated enterprises with strong security solutions. If you’re job searching or considering a career change, look at open roles with these tech organizations.

SentinelOne offers good benefits and receives 4.4 out of 5 stars on Glassdoor. It is also comparatively small in the security industry, with fewer than a thousand employees. And the company boasts some pretty stellar cybersecurity products too.

Netskope offers flexible spending accounts, a 401(k), and employee stock purchase plans to its personnel. It earns 4.2 stars from Glassdoor employee reviews. Netskope specializes in SASE, CASB, and SD-WAN technology.

Palo Alto Networks has employee benefits like stock purchase plans, development courses, and a 401(k). It earns 4 stars on Glassdoor. Palo Alto has some of the best and broadest security in the entire industry, so there’s lots of opportunity to experience different facets of security.

Fortinet offers benefits like unlimited PTO, a health savings account, and a 401(k) to employees. It, too, has 4 stars on Glassdoor. Fortinet is known for its firewalls but excels elsewhere as well, including in SIEM and EDR.

And don’t forget big IT vendors with a security presence. Cisco (4.3 stars from Glassdoor) and Microsoft (4.2) are two standouts to consider.

And lastly, CyberArk offers an investment program, employee recognition program, and tuition reimbursement. The IAM leader receives 4.3 stars on Glassdoor.

Bottom Line: Top Cybersecurity Companies

The enterprise security market is a wide one, covering a range of technologies and systems that need to be protected. Some vendors offer a variety of products, while others specialize in just one or two.

To choose a potential provider for your business, consider your needs first before searching for the right fit. While all the vendors listed above offer strong solutions, it’s worth the effort to research and demo products until you find one well suited to your organization’s cybersecurity needs.

Crave more insight into the cybersecurity companies in the market? Read about the top cybersecurity startups.

Drew Robb, Jenna Phipps, and Chad Kime contributed to this research report.

The post Top 39 Cybersecurity Companies You Need to Know 2024 appeared first on eSecurity Planet.

Here are the top six vulnerability management systems:

• Tenable Nessus and Tenable Vulnerability Management: Best overall
• Microsoft Defender Vulnerability Management: Best for Microsoft environments
• Rapid7 InsightVM: Best solution for enterprise needs
• Qualys VMDR: Best for organizations with complex infrastructures
• Holm Security: Best tool for improving employee security posture
• Digital Defense Fortra VM: Best for SMB vulnerability testing

Top Vulnerability Management Software Compared

The following table briefly compares our top picks, including features like asset categorization and risk scores as well as pricing details.

	Asset Grouping	Risk Scoring	IoT Asset Identification	Pricing
Tenable Nessus & Tenable Vulnerability Management				• Nessus Professional plan: $3,990/year • Nessus Expert plan: $5,990/year • Tenable VM: $3,500 for 100 assets • Tenable VM: $7,000 for 200 assets
Microsoft Defender Vulnerability Management				• Standalone product: $3/user/month • Defender for Endpoint add-on: $2/user/month
Rapid7 InsightVM				• $1.93/asset/month for 500 assets
Qualys VMDR				• Priced per asset; requires quote request
Holm Security				• Requires quote request
Digital Defense Frontline VM				• Requires quote request

While all these products are strong vulnerability management solutions, I found Tenable to be the best based on its features, pricing, and overall capabilities. Read more about our picks for the top vulnerability management products, or jump down to see how I evaluated them across six different categories.

Tenable Nessus & Tenable Vulnerability Management – Best Overall Vulnerability Management Solution

---

Overall Rating: 4.2/5

• Pricing: 3.5/5
• Core features: 4.7/5
• Additional features: 3.5/5
• Ease of use and admin: 4/5
• Customer support: 4.2/5
• Integrations and customization: 5/5

Tenable Vulnerability Management is a vulnerability assessment solution for both businesses and security contractors. It’s built on Nessus, Tenable’s scanning solution, and offers features like role-based access controls, as well as asset grouping to simplify threat remediation for similar issues. SMBs, developers, pen testers, and consultants will find Nessus Expert useful, and features like external attack surface scanning have broad appeal.

Visit Tenable Nessus

Pros

• Designed for contractors like pen testers
• 24/7 advanced support available as an add-on
• Good option for small businesses

Cons

• Might not serve all the needs of large businesses
• Nessus Pro and Expert trials are only 7 days
• Lacks some features like IoT asset identification

Pricing

Tenable Nessus offers two plans:

• Professional: $3,990/year
• Expert: $5,990/year
• Support pricing: Advanced customer support requires add-on pricing
• Free trial: 7 days for Nessus

Tenable Vulnerability Management is priced by asset:

• 100 assets: $3,500
• 200 assets: $7,000
• More than 250 assets: Contact for quote

Key Features

• Third-party integrations: Splunk, Fortinet, and Palo Alto are highlights.
• Role-based access controls: Customers can choose to enable these if they like.
• Asset grouping: Asset lists help to logically organize assets by business function.
• Preconfigured templates: Nessus offers over 450 prebuilt vulnerability templates.

Screenshot

Alternatives

Because Nessus lacks a couple advanced VM features, it’s not the best choice for enterprises. If you’re a large business, consider a product like Holm Security, which offers features like IoT asset identification and some patch management functionality.

Microsoft Defender Vulnerability Management – Best Tool for Extensive Microsoft Ecosystems

---

Overall Rating: 4.1/5

• Pricing: 5/5
• Core features: 3.6/5
• Additional features: 4/5
• Ease of use and admin: 4.2/5
• Customer support: 4.3/5
• Integrations and customization: 4.3/5

Microsoft Defender Vulnerability Management is a VM product that makes sense for existing Microsoft customers, but it can stand on its own, too. Microsoft’s security business is impressive, if its recent MITRE scores are any indication, and it offers features like app blocking. Defender VM also integrates with plenty of other Microsoft products, including Microsoft Sentinel. Consider Defender if you want to build out your Windows security infrastructure.

Visit Microsoft Defender

Pros

• Users can view vulnerable device reports
• Integrates with other Microsoft products
• Free trial lasts 90 days

Cons

• Standalone product lacks risk scoring
• No patch management or rollback features
• Non-Windows integrations could be tough

Pricing

• $2/user/month: Add-on pricing applicable to Microsoft Defender for Endpoint Plan 2 and Microsoft 365 E5
• $3/user/month: A standalone solution designed to support EDR products
• Free demo: Contact to schedule

Key Features

• Application blocking: Defender is able to block vulnerable programs and alert customers with specific messages about the applications.
• Security assessments: Teams can compare their security posture to industry benchmarks like National Institute of Standards and Technology (NIST) and CIS.
• Threat intelligence data: Defender provides information on the potential for breaches and which endpoint devices are vulnerable.
• Regular assessments: Defender looks for outdated certificates, insufficient algorithms for digital signatures, and misconfigurations.

Screenshot

Alternatives

If your team uses a lot of non-Windows tech, you may want to consider a solution like Tenable, which supports Mac, Linux, and Windows operating systems. Tenable also offers risk scoring, and Defender doesn’t.

Rapid7 InsightVM – Best Solution for Enterprise Needs

---

Overall Rating: 4.1/5

• Pricing: 5/5
• Core features: 4.4/5
• Additional features: 3.3/5
• Ease of use and admin: 3.9/5
• Customer support: 3.4/5
• Integrations and customization: 3.9/5

Rapid7 InsightVM is a scalable vulnerability management solution for enterprises of all sizes. One of its most sought-after features is risk prioritization, with step-by-step instructions for effective remediation. Good value and automation make InsightVM particularly useful for SMBs, but organizations with greater expertise can benefit from its risk prioritization capabilities. For those lacking sophisticated security teams, InsightVM is also available as a managed service.

Visit Rapid7 InsightVM

Pros

• Reasonable pricing for smaller enterprises
• Supports exceptions if you need to accept a risk
• Available as a managed service

Cons

• Lacks patch rollback features
• Lacks some role-based access control features
• No support for identifying IoT assets

Pricing

• Cost: For 500 assets minimum, Rapid7 costs approximately $1.93/asset/month
• Free trial: 30 days
• Free demo: Contact to schedule

Key Features

• Real-time risk viewing: Customizable dashboards offer up-to-date vulnerability information.
• Integrated threat feeds: Teams can view the most relevant threats at the moment.
• Third-party integrations: InsightVM integrates with tools like CyberArk, Palo Alto, and McAfee.
• Asset grouping: This helps teams target and report on specific asset groups.

Screenshot

Alternatives

While InsightVM is a strong overall solution for multiple teams, it doesn’t support IoT assets. Consider Holm Security if you’re looking for a VM solution that supports IoT devices and still serves both SMBs and large teams.

Qualys VMDR – Best for Organizations with Complex Infrastructures

---

Overall Rating: 3.9/5

• Pricing: 3/5
• Core features: 4.7/5
• Additional features: 3.5/5
• Ease of use and admin: 3.9/5
• Customer support: 3.2/5
• Integrations and customization: 4.3/5

Qualys VMDR is an enterprise-grade cyber risk management solution for complex security environments. VMDR uses Center for Internet Security (CIS) benchmarks to find misconfigurations and vulnerabilities in your business’s assets. Consider Qualys if you’re a medium-to-large organization with a security infrastructure that’s already built out. It’s a good solution for complex environments because it can scan IoT devices and operational tech.

Visit Qualys VMDR

Pros

• Plenty of customer support options
• Supports a variety of assets, including OT and IoT
• Has a strong set of core management features

Cons

• Limited pricing information
• No industry benchmarking capabilities
• Not available as a managed service

Pricing

• 128 assets: $5,964 per year
• 256 assets: $9,423 per year
• 512 assets: $14,889 per year
• Free trial: 30 days
• Free demo: Contact to schedule

Key Features

• Identification of IoT assets: Teams get a more extensive inventory of their IoT landscape.
• Training videos: A video library with setup instructions helps teams get started with VMDR.
• No-code automation: Teams can design workflow automation for vulnerability remediation tasks.
• Patch management: VMDR automatically finds vulnerabilities and deploys the associated patches.

Screenshot

Alternatives

Qualys isn’t available as a managed service. If your team needs that, consider Rapid7 instead – it offers InsightVM as a managed product and also offers vulnerability exception features, which are limited on Qualys’ side.

Holm Security – Best Tool for Improving Employee Security Posture

---

Overall Rating: 3.5/5

• Pricing: 1.5/5
• Core features: 4.5/5
• Additional features: 4.5/5
• Ease of use and administration: 2.5/5
• Customer support: 3.2/5
• Integrations and customization: 4.3/5

Holm Security VMP is a next-gen vulnerability management platform that helps detect weaknesses across your network and human assets on a single platform. Among the platform’s standout features is its phishing module, which simulates phishing attacks on employees to identify weaknesses and train teams in security. Holm Security is preferred by SMBs thanks to its value and features like phishing awareness, but its capabilities also apply to large teams.

Visit Holm Security

Pros

• Designed for comprehensive security
• Offers ticketing, CMDB, and SSO integrations
• Good choice for both small and large teams

Cons

• Lacks transparent pricing information
• Lacks patch rollback features
• Not available as a managed service

Pricing

• Contact for quote: Custom pricing available
• Free demo: Contact to schedule

Key Features

• Integrations with CI/CD tools: Teams can find vulnerabilities in their business’s codebases.
• Finding IoT assets: Holm Security looks for vulnerabilities in devices across your infrastructure.
• Role-based access controls: These manage teams’ access to important applications.
• Integrations with other security tools: Highlights include Splunk and Microsoft Sentinel.

Screenshot

Alternatives

Holm Security isn’t available as a managed service. If your business wants a powerful VM solution offered as a service, consider Rapid7 instead. Rapid7 also offers risk exception features, which Holm lacks.

Digital Defense Fortra VM – Best for SMB Vulnerability Testing

---

Overall Rating: 3.4/5

• Pricing: 2/5
• Core features: 3.5/5
• Additional features: 3.5/5
• Ease of use and admin: 3.8/5
• Customer support: 4.3/5
• Integrations and customization: 3.5/5

Digital Defense Frontline Vulnerability Manager (Frontline VM) is a comprehensive SaaS VM tool that covers all network assets. Frontline VM is among the most user-friendly tools on this list. It’s well suited to the vulnerability and penetration testing demands of SMBs. That said, Digital Defense’s on-demand service can also meet the needs of a large-scale organization — just keep in mind that you’ll need to source your patch management functionality elsewhere.

Visit Digital Defense Frontline VM

Pros

• Users find Frontline VM easy to use overall
• Offered as a managed service
• Support is available 24/7 via phone and email

Cons

• No patch management or rollback features
• No transparent enterprise pricing
• Limited documentation and training videos

Pricing

• Contact for quote: Custom pricing available
• Free trial: 14 days
• Free demo: Contact to schedule

Key Features

• Security integrations: These include vendors like ServiceNow, LogRhythm, and Palo Alto.
• Role-based access controls: Security teams can restrict employee access to sensitive data.
• Risk scores: Scoring comes from either prebuilt or configured risk profiles that take threat rankings into account.
• Network mapping: Businesses can visualize threats across their network devices with filtering and asset relationships.

Screenshot

Alternatives

Consider Qualys if your business is looking for internal patch management in a vulnerability management product; Qualys is also a good choice for larger teams.

5 Key Features of Vulnerability Management Software

Shortlist the top features your business needs, including monitoring, risk scores, attack surface visualization, automation, and reports, when you’re selecting any cybersecurity solution.

Continuous Monitoring & Scanning

Vulnerability management systems should be a consistently-active line of defense, scanning for new and old threats and monitoring your business networks and applications. Your vulnerability management software should continuously look for potential problems when you aren’t able to. Zero-day vulnerability management, in particular, needs to rapidly identify issues so your business can mitigate threats before they cost you money.

Risk Scoring

Cataloging and remediating risks can easily become overwhelming if your security team doesn’t know exactly what steps to take. Scoring risks based on their severity helps personnel prioritize remediation tasks. For example, an unpatched zero day is probably a more urgent fix than an employee’s outdated version of Microsoft Word. Risk scoring plays a critical role in ensuring that vulnerability management is successful over time because it helps employees avoid overwhelm.

Attack Surface Visualization

Attack surface visualization is intended to simplify the process of identifying all the places your business could be attacked. It should cover internet-facing and internal assets to give your team a complete picture of its vulnerabilities and the areas that the team needs to protect. A strong attack surface visualization solution needs to be comprehensive so you aren’t missing key pieces of the security puzzle.

Automated Remediation

Security teams don’t always have time to fix every vulnerability. This is where automation comes in: Remediation strategies should ideally have automatic fixes for at least some vulnerability management tasks. For example, a predesigned patch management workflow might be triggered when a vulnerability scanner detects an unpatched asset. Then your security team knows exactly what to patch.

Customizable Reporting

Often, other teams in your organization need to know what’s going on in the IT department. Reports help security teams provide the most relevant information to company stakeholders, including the executive team.

Policy-driven compliance reports are also important, not just current vulnerability stats. Ideally, the reporting feature in a vulnerability management tool should offer both premade templates and customization options so your security team can tailor reports to your business’s needs.

How I Evaluated the Best Vulnerability Management Software

We evaluated a broad selection of vulnerability management products using a product scoring rubric. I looked at available information, including vendor product pages, data sheets, and independent user reviews, to determine which products are best for our audience. I divided the rubric into six major categories. Each of the categories had subcriteria with its own weighting, which factored into the total score. Each product received an overall score out of five.

Evaluation Criteria

To create the scoring rubric, I first considered the most important vulnerability management features that businesses need. Then I looked at ease of use and administrative features, like documentation and managed services. I then evaluated nice-to-have features, like asset groups, and pricing, including per-asset pricing and free trials. Lastly, I scored the solutions based on their customer support offerings, relevant integrations, and customization features.

• Core features (30%): I looked at the most important features of vulnerability management tools, including asset discovery, risk scoring, patching, and reporting capabilities.
  • Criterion winner: Multiple winners
• Ease of use and administration (20%): I considered availability of knowledge bases, documentation, training videos, and whether the product is available as a managed service.
  • Criterion winner: Microsoft
• Pricing (15%): This category evaluated the vendor’s pricing availability, its relative value, and any free product trials.
  • Criterion winner: Multiple winners
• Additional features (15%): I scored less common features like RBAC and risk exceptions.
  • Criterion winner: Holm Security
• Customer support (10%): I evaluated chat, email, and phone technical support as well as hours of availability.
  • Criterion winner: Multiple winners
• Integrations and customization (10%): This category included capabilities like integrations with continuous integration and deployment (CI/CD) tools and custom reports.
  • Criterion winner: Tenable

Frequently Asked Questions (FAQs)

What Is the Difference Between Vulnerability Scanning & Vulnerability Management?

Vulnerability management is broader than vulnerability scanning. It’s not just scanning assets and networks but also helping security teams remediate vulnerabilities and improve their overall security posture. Vulnerability management should help your business create a map of sorts to locate common weaknesses in your security infrastructure and make lasting improvements.

What Is the Difference Between Risk Management & Vulnerability Management?

Risk management is a broader enterprise category because it covers all aspects of business risk, including security vulnerabilities but also financial risks and events like natural disasters. A risk management plan should include planning for cybersecurity risks, which may include a vulnerability management strategy.

What Is an Example of a Vulnerability Management KPI?

Vulnerability management key performance indicators (KPI) should be easily measurable metrics that your team aims to hit, such as a specific length of time between a vulnerability being observed and being remediated. The more detailed your KPIs are, the more easily your security team can decide whether your vulnerability management strategy is working and whether it needs to be changed.

Read about creating a vulnerability management policy, including policy best practices, required sections for a policy, and a free policy template.

Bottom Line: Vulnerability Management Is Critical for Security

There are roughly 20,000 new vulnerabilities discovered each year — and many of them are zero-day vulnerabilities that aren’t discovered until they’ve been used in a cyberattack. Plugging those holes takes a lot of time and dedication, even for the most secure companies and networks. For everyone else, they need all the help they can get from vulnerability management tools and services.

To find the right vulnerability management tool for your organization, take advantage of any demos or free trials that vendors offer and choose a product that suits your security and IT teams’ expertise. The right VM tool’s ability to prioritize fixes should help your team focus on the vulnerabilities that are most likely to impact your organization.

If your business is considering a managed VM service, read Vulnerability Management as a Service: Ultimate Guide next. This guide covers the top managed VM providers and major steps of the VMaaS process.

The post 6 Best Vulnerability Management Software & Systems in 2024 appeared first on eSecurity Planet.

Career Paths in Cybersecurity

The security industry has a number of career paths, with slightly different focuses and levels of leadership. A few highlights include analysts, engineering roles in networking, IT system administration, pentesting, and leadership roles.

Information Security Analyst

Analysts play a largely strategic role. While they might find themselves in the trenches, hunting and eradicating threats, their main responsibility is monitoring information systems, researching threats, and developing cohesive strategies to eradicate those threats. This includes:

• Watching event logs: Security analysts examine event logs for normal trends that indicate a stable environment and anomalies that could indicate a threat or vulnerability.
• Monitoring alerts: Analysts might be responsible for checking security alerts, along with other members of a department, to identify which are truly an issue.
• Examining reports: An analyst needs to be comfortable looking at reports and dashboards, drawing conclusions from those reports, noticing overall trends, and suggesting valid prevention methods.

An information security analyst could expect to earn between $90,000 and $240,000, considering prior work experience and the location of the role. Eventually, analysts may be expected to carry a lot of strategic weight within a security team or IT department.

Network Engineer

Network engineers and software engineers focused mainly on networking are responsible for the operations of a business network, as well as securing them. This role includes:

• Setting firewall rules: Network engineers, usually administrative ones, configure rules for accepting and rejecting traffic on the network to protect its resources.
• Helping to configure ports and routers: This network hardware needs to be properly set up to transmit data packets between the network.
• Testing networks and connected systems: Engineers should test the security of their networks, including completing regular audits.

Senior network engineers will have similar tasks, but with more responsibilities and potential leadership opportunities.

Salaries for network engineer roles range from around $87,000 to $183,000 annually, depending on the employee and the company location. Senior network engineers can expect to make more than entry network engineer roles for a particular location, potentially between $120,000 and $245,000 per year.

System Administrator

System administrator roles often appear in IT departments, but often system admins play a major part in a business’s cybersecurity strategy, particularly if the business doesn’t have a dedicated security team. Sysadmin roles can involve:

• Setting up networks and IT systems: These leaders manage setup processes for hardware, software, network connections, and user permissions.
• Managing team members: System admins are often responsible for leading IT and security teams.
• Overseeing security controls: System administrators typically set security rules or delegate those jobs to their direct reports.

System admins can expect to make between $69,000 and $177,000 annually, depending on location, company, and experience in the field.

Penetration Tester

Penetration testers and other types of ethical hackers improve organizations’ security infrastructures by acting like threat actors to attack systems, move laterally, and access data. Pen testers give their clients actionable information about their networks and IT systems so those users can further secure their systems.

Penetration testers and ethical hackers’ tasks can include:

• Finding testing assignments: Pentesters, either internal or external, are given a specific network, system, or entire infrastructure to hack and may have a specific area to target.
• Identifying weaknesses: These professionals are responsible for finding vulnerabilities and exploiting them as much as possible.
• Making mitigation recommendations: Some pentesters may also provide a list of suggestions for clients to patch and mitigate the vulnerabilities they found in their work.

Penetration testers can expect to make between $90,000 and $190,000, depending on experience and role location. Some freelance or contract pentesters might make closer to $50,000-$60,000 when starting their career, but a couple years of experience will give them more financial opportunities.

Security Director

A director of cybersecurity, or potentially a director of IT who oversees security, manages all security initiatives within their organization. These initiatives are often strategic but can include basic tasks like setting firewall restrictions.

A cybersecurity director’s job includes:

• Managing team members: Directors delegate tasks and the overall security posture of the team. Depending on the size of the company and team, a director’s direct reports may also have direct reports.
• Handling budgets: A director is responsible overall for managing the financial expenses of a security team and coordinating that with the business’s overall budget.
• Spearheading compliance efforts: A cybersecurity director leads regulatory compliance within the organization, ensuring that data processing and storage meet global, regional, and industry expectations.

The range of a security director’s salary is significant, starting around $59,000 annually and increasing up to $430,000. As always, location and experience affect these ranges. Job titles to look for include cybersecurity director and information security director.

To see what experts in the industry work on and live with day-to-day, look at our suggestions for the best cybersecurity Twitter accounts to follow.

6 Tips to Get Started in Cybersecurity

If you’re considering a career in security, I recommend earning certifications, taking available community courses, and using vendor resources. Additionally, look at opportunities within your own organization and consider the skills you already have that lend themselves to security.

Earn an Online Security Certification

The internet makes it easy to kickstart your learning without traveling to a physical classroom. However, the vast amount of content online also opens the door to training programs that potential employers may not view as legitimate. Steer clear of that unwanted outcome by researching courses from companies and organizations with well-known name value. Examples of legitimate and respected courses include:

• IBM Cybersecurity Analyst Professional Certificate: This is an entry-level option for people without previous experience in the industry, offered through the online learning platform Coursera.
• SANS Undergraduate Certificate in Applied Cybersecurity: This program, which offers a fully online option, is for undergrads or any student who already has at least two years of college credits.
• CompTIA Security+ Certificate: Earned through a course and exam process, this famous certification tests people on the foundational skills needed to begin their cybersecurity careers.
• Certified Information Systems Security Professional (CISSP) course: This free CISSP course from freecodecamp.org can help you prepare for a certification exam without having to pay for the preparatory work.

Also check out courses that teach skills to improve cybersecurity at enterprises. FutureLearn is geared toward people without experience or those looking for a refresher course.

Learn more about the best cybersecurity certifications for potential security employees.

Enroll in Community College Classes

A growing number of community colleges are offering cybersecurity classes to address the severe shortage of skills in the industry. Some community college programs even have accompanying apprenticeship and internship programs.

• Washington, DC: The George Washington University’s Cybersecurity Boot Camp is a 24-week program for learning security online that gives students networking opportunities and has a partnership with CompTIA.
• Arizona: Mesa Community College offers multiple certificates, including cloud and network administration, that students can earn aside from associate degrees.
• Virginia: The Virginia Community College System offers students short-term training that can lead to third-party industry credentials or up to two years to earn an associate’s degree.
• Colorado: Years ago, the Community College of Denver received a $250,000 federal grant and used it to create 1,600 IT and cybersecurity apprenticeships from March 2020 through March 2024.

These are just a few examples, so look for similar opportunities in your own area and see what’s available. Although it’s sometimes possible to get real-world experience outside of a community college, finding prospects independently is harder. Community college coordinators and other education professionals can use their existing networks to help you.

Programs like this have helped existing security professionals get their start, including Lynn Dohm, executive director of non-profit organization Women in Cybersecurity (WiCyS). “My journey into cybersecurity began with an NSF-funded grant at Moraine Valley Community College,” she said. “Look for programs, internships, or entry-level positions that provide a solid foundation and introduce you to various aspects of cybersecurity.”

The more you can learn about different facets of the industry, the more you’ll understand about security, and the more options you’ll have when deciding the best roles for you.

If you want to immerse yourself in the security world to see if you really want to work in the industry, check out our list of the top cybersecurity podcasts. These range from serious to lighthearted and will give you a real-world idea of what happens in security.

Check Out Vendor-Provided Content

Well-known vendors in the cybersecurity space often provide free training to people without previous experience. Keep in mind that learning company-specific content could cause a steeper learning curve if you end up working for an employer that uses a different brand. In many cases, companies base the material around the products they sell.

That said, vendor-provided courses can be an excellent way to get a foothold in the industry:

• Cisco Networking Academy: This program provides complimentary, mobile-first content on numerous tech topics, and the cybersecurity pathway prepares learners for jobs through vendor-agnostic material.
• Varonis beginner security courses: These give students CPE credit and include PowerShell and Active Directory essentials and incident response.
• Palo Alto Networks courses: PA provides courses like Fundamentals in Cloud Security and Fundamentals of Security Operations Centers.

A number of tech giants have pledged money and support for cybersecurity training as part of a Biden Administration push after the Colonial Pipeline ransomware attack in 2021. It’s possible the number of free or affordable courses will continue to increase in the next five years.

Pay Close Attention to Unique Practical Opportunities

Certifications and college courses are great, but they’re not the only way to gain experience in cybersecurity. If you’re looking for strategies to learn more, consider getting more hands-on and practice useful practical skills.

This is what Ilan Mindel, chief product and technology officer at ThriveDX, recommended for potential job hunters. “Engaging in activities such as setting up and managing a home lab environment, participating in capture-the-flag (CTF) competitions, and contributing to open-source security projects can provide invaluable experience,” he said.

Mindel also mentioned the importance of getting involved in security communities to learn more from professionals around you. “Networking with industry professionals and joining cybersecurity communities, both online and offline, can open doors to mentorship opportunities and job prospects,” he said.

“Attending conferences, webinars, and local meetups can help you stay informed about the latest trends and technologies while building a robust professional network.”

You might be surprised at the opportunities that arise if you connect with others, ask to attend meetings, and speak in-person with those who are already in the industry. They’ll have valuable insights to provide.

Consider Moving Laterally Within Your Current Workplace

Perhaps you already have a tech-based role at your current employer and have previously shown interest in cybersecurity. In such cases, it’s worth checking to see if you could move to a different role or department in your current company. If you already have a somewhat technical background, your employer may even pay for a continuing education opportunity, such as a cybersecurity boot camp program that gives fast-paced coverage of the foundational skills.

If your company has an existing cybersecurity department or team you want to join, consider asking your supervisor for cross-training or mentorship programs. For example, Women in Cybersecurity has a mentorship program for people at all levels of their careers. It’s a 12-month commitment, with mentors and mentees meeting in a virtual setting at least once a month.

Chris Campbell, chief information officer at DeVry University, highlights upskilling as a way to differentiate yourself from other potential candidates. “Companies are upskilling existing employees with core skill sets because cybersecurity, in general, is quickly becoming everyone’s responsibility,” Campbell said. “The weakest link in most cybersecurity situations is people. Therefore, everyone must be upskilled in understanding cybersecurity at some level.

“Not everyone needs to know how to be a cybersecurity engineer or a forensic analyst, but everybody can leverage a stronger understanding of cybersecurity, common attacks, and things they can do to protect themselves, their company, family, and friends.”

Employers often like it when workforce members look for existing gaps and put themselves forward to fill them, including problem-solving current security issues within the company. Maybe you have an upcoming supervisor check-in meeting and want to talk about your career goals. If so, it could be the perfect time to bring up your cybersecurity interest and explore ways to start your career in the field.

To familiarize yourself with current patterns in the industry, read our guide to the top cybersecurity trends, including growth in AI and advanced cybercrime.

Maximize Your Existing Skills

It’s important to understand basic security concepts and how IT environments work, but don’t overlook the other abilities that could make you a standout candidate or a promising security professional. Individuals with other abilities can succeed in security too, according to Campbell.

“Many of the core skills required are things like logical thinking, learning agility and pattern recognition,” Campbell said. “For instance, years ago people talked about how trained musicians would make pretty good cybersecurity analysts due mainly to pattern recognition.”

You have to be able to first recognize those abilities in yourself and utilize them well. But Cambell holds that security pros are open to individuals from other fields, as long as they can bring new and creative insights to the position.

“Cybersecurity is a technical field, and it can seem a little complicated for some people. But the reality is, we all have everyday skills, things we do in our job, that translate well to cybersecurity,” Campbell insisted. “Businesses and organizations are not just looking for computer science majors. We are having to think about other ways to fill these types of roles and think outside the box.”

Tools & Resources for Beginning Your Career

If you’re considering launching a career in security, first evaluate all the resources you currently have. These include free courses, potential certifications, and connections with professionals within the industry. The following list is a set of resources, some mentioned above, that you can consider when starting or changing your career:

• Free EC-Council courses for beginners
• Courses and certificates gathered by edX 
• Compiled courses from Udemy 
• IBM Cybersecurity Analyst Professional Certificate
• CompTIA Security+ Certificate
• ISC2 Certified Cloud Security Professional certificate

If you’re considering using multiple resources, choose the ones that will best support your career goals. For example, if you’re interested in cloud security, check out ISC2’s cloud security professional certification. It’s also valuable to take courses on a couple different security topics so your knowledge is more well-rounded.

Frequently Asked Questions (FAQs)

What Are Some Reasons to Start a Cybersecurity Career?

The security industry is an incredibly important one because of the role it plays in defending IT environments. A security job requires quick thinking, analytical and predictive skills, and the desire to protect critical data and systems. A huge part of overall global operations, from corporations to individual homes, depends on safe networking, endpoint connections, and telecommunications. The entire industry is in high demand, and so are skilled employees.

Aside from high demand and a potentially lucrative career, security is an easy world to become passionate about because it involves protecting important assets. Sometimes that just means IT systems; but in certain cases, it can extend much further, like working in the healthcare field and protecting patient data and medical devices. If you’re looking for a meaningful career path, this is a great place to start.

Where Should Beginners Start in Cybersecurity?

If you’re a complete beginner with no technical experience, I recommend doing some reading and watching demos to make sure you understand the basic reasons security is so important. Gain a general understanding of attackers’ methods and preventative tactics. Understand the differences between network, endpoint, and application security, as well as the ways they connect to each other.

Reading will only take you so far, however. If you can apprentice with an IT or security expert or find an internship with a vendor, you’ll get more practical experience. Then you’ll better be able to visualize preventative and detective processes.

Is It Hard to Enter the Cybersecurity Industry?

It doesn’t have to be difficult to learn about security technologies, especially if you already have a somewhat technical background. But getting the role you want, especially a high-paying or management role, could be more challenging. This also depends on your skill sets, the companies you’re looking at, what they’re looking for in employees, and the area you live in.

In general, gaining experience, interning with experts, and learning technologies and tricks can be a matter of reaching out to people and taking advantage of free opportunities.

Bottom Line: Starting a Cybersecurity Career Requires Identifying Your Strengths

To begin a career in a new field, you must understand the basics of the industry and why it’s so important, but you also need to identify how your own abilities can best help the industry. Then you market yourself to companies based on those strengths. In cybersecurity, finances, data, and occasionally people’s health are affected by how successful cyberattacks and protective measures are. If you’re passionate about protecting those, you can succeed in the industry.

Next, read about protecting business networks and what that task involves, including network security controls and different network layers.

The post How to Get Started in Cybersecurity: Steps, Skills & Resources appeared first on eSecurity Planet.

If you’re part of an IT or security team responsible for handling vulnerabilities, make sure your team has a way to be immediately updated when new issues arise. Having a clearly defined process for mitigating vulnerabilities decreases the opportunity threat actors have to exploit them.

July 23, 2024

CISA Adds Two Vulnerabilities to Catalog

Type of vulnerability: Use-after-free and information disclosure.

The problem: The Cybersecurity and Infrastructure Security Agency (CISA) just added two vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog. The first is a use-after-free vulnerability from 2012, tracked as CVE-2012-4792, that affects Microsoft’s Internet Explorer, a browser that’s now rarely used.

According to the catalog listing, the vulnerability “allows a remote attacker to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object.”

The second vulnerability is an information disclosure vulnerability within Twilio Authy’s API. It’s tracked as CVE-2024-39891 and allows an unauthenticated endpoint to accept requests with a phone number and respond with data about the phone number’s registration status with Authy.

The fix: The CISA recommends disabling Internet Explorer since it’s an end-of-life product.

Twilio recommends that Authy users update their versions of the Android and iOS Authy apps to the most recent version, which has fixed the bug.

If your business needs a more consistent method of identifying vulnerabilities, consider a scanning product for your full IT infrastructure. Check out our list of the best vulnerability scanners to see which one would be a good fit for your team.

Fortinet Identifies Windows SmartScreen Security Bypass Issue

Type of vulnerability: Security bypass.

The problem: A Fortinet-discovered Windows vulnerability could allow a remote threat actor to bypass Microsoft Windows SmartScreen security warnings and deliver maliciously crafted files. Threat actors like Lumma Stealer have actively exploited this vulnerability over the past year, according to Fortinet. Researchers have observed a campaign that uses the vulnerability to download malicious executables.

The vulnerability is tracked as CVE-2024-21412 and has an 8.1 CVSS score.

The fix: Mitigation strategies are more broad for this vulnerability — carefully scanning and verifying any sources before downloading files is at the top of the list. While I briefly mentioned this CVE in a February vulnerability recap, as part of a Microsoft Patch Tuesday effort, it looks like it’s still being exploited despite the patch, given the new Fortinet research.

Docker Vulnerability First Originated in 2018

Type of vulnerability: Authorization bypass.

The problem: Some versions of Docker Engine have a critical authorization vulnerability. Docker Engine has a standard all-or-nothing authorization method by default, according to the vendor’s security notice, but plugins like AuthZ are available to improve authorization security. However, attackers can bypass the plugin.

According to Docker, “An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly if not set to deny by default.”

This vulnerability was actually discovered in 2018 and fixed in 2019. However, the fix was excluded from Docker v19.03, a flaw that researchers recently discovered. Docker released patches for the vulnerability on July 23. It’s tracked as CVE-2024-41110 and has a CVSS score of 10.

The fix: Docker provided the following table to show affected versions and the versions you should upgrade to if you currently have one that’s vulnerable.

BIND Database Vulnerability Could Lead to DoS Attacks

Type of vulnerability: Multiple, including assertion failure and CPU overload.

The problem: Documented by the CISA, the Internet Systems Consortium (ISC) has released security bulletins for four different vulnerabilities that affect ISC’s Berkeley Internet Name Domain (BIND) 9. If exploited, the flaws could lead to a denial-of-service type of attack. All vulnerabilities have a CVSS score of 7.5.

The vulnerabilities are as follows:

• CVE-2024-4076: Client queries that trigger serving stale data and require lookups in local authoritative zone data could lead to assertion failure.
• CVE-2024-1975: A stream of SIG(0) signed requests could overrun the computer system’s available CPU resources.
• CVE-2024-1737: Resolver caches and authoritative zone databases with large numbers of RRs could slow the BIND database’s performance significantly.
• CVE-2024-0760: Excessive DNS requests via TCP to the BIND server could overwhelm it and make it unstable.

The fix: Look at each vulnerability’s notice to determine if your version of BIND is vulnerable and upgrade it to the recommended version if needed.

July 24, 2024

Tenable Uncovers Google Cloud Vulnerability

Type of vulnerability: Privilege escalation.

The problem: Researchers at Tenable discovered a vulnerability within the Cloud Functions and Cloud Build services in Google Cloud Platform. In these serverless compute and continuous integration and deployment services, a user who creates a new Cloud Function also triggers a backend process by default, Tenable said.

“This process, among other things, attaches a default Cloud Build service account to the Cloud Build instance that is created as part of the function’s deployment,” the security notice explained. “This process happens in the background and isn’t something that ordinary users would be aware of.”

The service account allows the user to have permissions that they shouldn’t have by default. A threat actor could use this access to escalate their privileges to the default account, and in some cases, this could affect other cloud services like Cloud Storage and Container Registry.

After Tenable notified Google Cloud Platform, GCP performed some level of remediation for Cloud Build accounts that were created after mid-June 2024. However, Cloud Build service accounts created prior to the fix have the same privileges as before, so the vulnerability still exists in older instances.

The fix: Tenable recommends replacing each cloud function’s Cloud Build service account with a least privilege service account.

July 26, 2024

Telerik Support Servers Open to Remote Code Execution

Type of vulnerability: Deserialization flaw.

The problem: Progress Software has released a notice warning Telerik Support Server users of a deserialization vulnerability within certain versions of the software. When exploited, the vulnerability allows a threat actor to execute code remotely. Versions prior to 2024 Q2 (10.1.24.709) are affected.

The fix: Upgrade your instance of Telerik Support Server to 2024 Q2 (10.1.24.709); according to Progress, this is the only way to mitigate the issue.

Read next:

• Vulnerability Recap 7/22/24 – CrowdStrike Issue Is One of Many
• Best Vulnerability Management Software & Systems in 2024

The post Vulnerability Recap 7/29/24 – Multiple Old Security Flaws Reappear appeared first on eSecurity Planet.

• Sophos Firewall: Better for cost, support, and small-team needs (smallest appliances start around $400-$1,000)
• Fortinet FortiGate: Better for features, usability, and administration (smallest appliances start around $300-$1,000)

Sophos vs Fortinet at a Glance

The following table covers some similarities and differences between Sophos Firewall and FortiGate, including key features, pricing, and deployment options.

Average Starting Prices for SMB Firewalls	$400-$1,500	$200-$1,600
Average Starting Prices for Mid-Sized Firewalls	$2,300-$13,000	$2,000-$20,000
Average Starting Prices for Enterprise Firewalls	$19,000-$99,000	$40,000-$300,000
Deployment Methods	Hardware, virtual, cloud, software image deployed on servers	Hardware, virtual, cloud
Key Features	URL filtering, deep packet inspection, dynamic routing, log management, advanced threat protection	URL filtering, deep packet inspection, dynamic routing, log management, anti-malware, privilege access management
	Visit Sophos	Visit Fortinet

Based on my evaluation, FortiGate is the better overall firewall solution because of its strong enterprise features and administrative capabilities. However, Sophos is also a great product and is very popular with customers, particularly in the small business realm. Continue reading for my analysis of Sophos Firewall’s and FortiGate’s features, pricing, and ideal use cases, or jump down to see my methods of scoring both.

Sophos Firewall Overview

Better for Cost, Support & Small-Team Needs

Overall Rating: 4/5

• Core features: 4.3/5
• Pricing: 4.8/5
• Ease of use: 3.9/5
• Administration: 3.3/5
• Customer support: 3.8/5
• Advanced features: 2.9/5

Network and endpoint security vendor Sophos offers both hardware and software-based firewalls. It provides cloud and virtual machine deployments, as well as the choice to deploy Sophos as a software image on your business’s own servers. Sophos’ features include URL filtering and log management. It’s ideal for small and mid-sized organizations because of its easy-to-use management console and prices, but it’s a strong choice for larger teams as well.

Pros & Cons

Key Features

• Log management: Admins can view reports generated using Sophos log files and view device events and audit logs, depending on their company’s license.
• Threat intelligence add-on: Intelix, a threat intel product integrated into Sophos’ other products, helps protect customers from zero-day attacks.
• Deep packet inspection: Sophos Firewall uses a DPI engine to examine and block bad traffic without significantly slowing overall traffic rates.
• Firewall groups: Admins can assign multiple firewalls to specific groups and then apply changes to the entire group rather than each individual firewall.
• Advanced threat protection: More detailed criteria, like IP- and host-based threat scanning exemptions, help you specify which traffic to accept or drop.

To learn more, read our in-depth review of Sophos Firewall and its features and pricing.

Fortinet FortiGate Overview

Better for Features, Usability, Administration & Enterprise Needs

Overall Rating: 4.3/5

• Core features: 4.3/5
• Pricing: 4.5/5
• Ease of use: 4.5/5
• Administration: 5/5
• Customer support: 3.4/5
• Advanced features: 3/5

FortiGate is network security vendor Fortinet’s firewall product, with multiple deployment options — including virtual machines — and multi-firewall management through FortiManager. It provides one year of log retention and redundancy options, like clustering and life support protocols. Admins can view charts and dashboards of their firewall environment in the FortiManager portal, their main management console for all their FortiGate products.

Pros & Cons

Key Features

• Reports: Fortinet admins are able to generate reports both locally and through FortiGate Cloud and schedule them as well.
• Routing options: Dynamic and policy-based routing helps businesses optimize their network performance and direct traffic more efficiently.
• URL filtering: Through a FortiGuard service, you’re able to filter web URLs for potential malware, phishing, or credential theft.
• Sandboxing: With FortiSandbox, customers can analyze traffic samples, URLs, and computer files for suspicious activity or active threats.
• Anti-malware: FortiGuard Labs’ anti-malware service helps customers find threats like viruses.

Better for Pricing: Sophos

Desktop & SMB Firewalls	Models start between $400-$1,500	Models start between $200-$1,600
Mid-Sized Firewalls	Models start between $2,300-$13,000	Models start between $2,000-$20,000
Enterprise & Data Center Firewalls	Models start between $19,000-$99,000	Models start between $40,000-$300,000
	Visit Sophos	Visit Fortinet

Winner: Both Sophos and Fortinet are generally considered good firewall solutions for SMBs, but Sophos takes the lead here for having more affordable enterprise models.

Fortinet offers entry-level branch firewalls, mid-range or campus models, and data center appliances, as well as FortiGate-as-a-Service deployments. Its least expensive model, the 40F, starts around $360. Midrange FortiGate models range from the 100F, starting around $2,000, to the 900G, which starts around $20,000. Prices for the enterprise models start at around $40,000 and run into the hundreds of thousands.

Sophos’ firewalls are similarly priced, with desktop models, the midsized XGS 1U, and the larger-scale XGS 2U. The smallest units’ base prices start between $400 and $600, while mid-sized appliances range from $2,000 to $20,000. Enterprise customers can expect to pay a starting price of $19,000-$99,000 for 2U models. Keep in mind that starting prices typically don’t include the additional protection modules, like Xstream, but only the appliance.

Better for Core Features: Tie

Reporting Tools	Yes	Yes
Support for SD-WAN	Yes	Yes
Zero Trust Network Access	Available through another Sophos product	Available through another Fortinet product
Deep Packet Inspection	Yes	Yes
URL Filtering	Yes	Yes
Dynamic or Policy-Based Routing	Both	Both
	Visit Sophos	Visit Fortinet

Winner: Both Sophos and Fortinet stand out for their wide range of network protection and management features.

Sophos offers standard next-generation firewall features like filtering URLs for malicious addresses and closely inspecting traffic packets. It allows admins to base traffic routing on dynamic situations, for improved flexibility, and also on predefined policies. Through Sophos Central, the management console for all Sophos products, admins can use prepackaged report templates or customize their own.

FortiGate has plenty of basic firewall features, including SD-WAN connectivity and IPSec virtual private network (VPN) tunneling. With a FortiGuard Labs security subscription, you can turn on intrusion prevention features for your network infrastructure. Fortinet customers also benefit from dynamic and policy-based routing. Fortinet also offers threat intelligence functionality through FortiGuard Labs, which can send threat alerts to your email if you so choose.

Better for Advanced Features: Fortinet

Built-In RAID	Yes	Yes
Sandboxing	Through XStream bundle	Through FortiSandbox
Advanced Threat Protection	Yes	Part of another Fortinet solution
Operational Technology Security	No	Through FortiGuard Labs
Privilege Access Management	No	Available as separate product
Anti-Malware	No	Through FortiGuard Labs
	Visit Sophos	Visit Fortinet

Winner: Fortinet’s range of advanced features make it a great choice for large enterprises, though Sophos has plenty to offer, too.

Sophos’ enterprise firewalls, the 2U series, have built-in RAID for improved performance after potential hardware or network failures. This redundancy decreases the chances that you’ll lose data in an outage. Other advanced capabilities include advanced threat protection, which allows teams to significantly customize the traffic they want to block or permit, and sandboxing, which is available through the Sophos Xstream bundle.

Fortinet receives the edge here for having more features for large enterprise needs. Its FortiGuard Labs services are available to FortiGate users, whether free or through a subscription, so customers benefit from features like DNS security and zero-day prevention. FortiGuard Labs also performs virtual patching for operational technology (OT) devices. Fortinet offers sandboxing through its FortiSandbox product.

Better for Ease of Use: Fortinet

Knowledge Base / Documentation Portal	Yes	Yes
Single Pane of Glass Management Console	Yes	Yes
Available as Managed Service	No	Yes
Deployment Options	Cloud, hardware, virtual, software installed on business servers	Cloud, hardware, virtual
	Visit Sophos	Visit Fortinet

Winner: Fortinet has the edge here for its managed service option, though both firewalls are known for their usability.

Sophos is widely considered an easy-to-use firewall product and is extremely popular with smaller teams. While customers ran into some snags with earlier iterations of the XG firewall series, it looks like the XGS has become much more successful and stable. Admins can manage all Sophos firewalls from a single console, Sophos Central, which has plenty of administrative options like dashboards and analytics.

Fortinet gives customers the option to have FortiGate vendor-managed, which is helpful for teams with a limited network infrastructure. But customers can also deploy FortiGate as a physical appliance, in the cloud, or on virtual machines. FortiGate’s documentation includes admin guides, release notes, and reference manuals. Fortinet’s network security products are generally considered easy to use in the overall firewall market.

Read more about different types of network security solutions aside from firewalls, including cloud security and virtual private networks.

Better for Administration: Fortinet

Multi-Firewall Management	Yes — Sophos Central	Yes — FortiManager
Role-Based Access Controls	Unclear	Through identity and access management features
Dashboards	Yes	Yes
High Availability / RAID	Yes	Yes
One Year Log Retention	No	Yes
	Visit Sophos	Visit Fortinet

Winner: Fortinet has the advantage here for its year of log retention, plus security features like role-based access controls.

Sophos users have the ability to set high availability by synchronizing two grouped firewalls’ configuration so the firewall fails over in case of an outage or attack. This helps maintain performance for overall security and traffic processing. Sophos’ main portal, Sophos Central, allows customers to manage all firewalls from one location. Log retention is limited compared to Fortinet’s, with actual numbers not clearly specified.

FortiGate’s advanced capabilities make it one of the top enterprise firewalls in the world, and its administrative features are no different. Through FortiManager, network and security admins can set security policies, facilitate tech integrations with any of Fortinet’s relevant partners, and use REST APIs and scripts. Fortinet allows customers to retain firewall-related logs for a year, and they also have high availability options like clustering.

Better for Customer Support: Sophos

Support Team Hours	24/7	24/7
Phone	Yes	Yes
Email	No	No
Live Chat	Yes	No
Scheduled Demo and YouTube Demo Options	Scheduled only	Scheduled only
Technical Account Manager Available	Yes	Yes
	Visit Sophos	Visit Fortinet

Winner: Both have standard support options for the industry, but Sophos offers a bit more channel flexibility.

Sophos has multiple support plans, including a plan designed specifically for teams that want a technical account manager. Support channel options include phone and live chat. Sophos requires all critical or high severity incidents to be submitted via telephone for adequate prioritization. Scheduled demos are available to all potential customers; however, Sophos doesn’t have great options for self-service demos, like YouTube walkthroughs.

Like Sophos, Fortinet offers phone support, with multiple phone numbers cited for the vendor online. There’s no email or live chat options mentioned, but customers have access to 24/7 service as needed. Customers also have the option to work with a technical account manager if they wish through FortiCare services. These services are per-device, and support for those devices is also offered 24/7. Fortinet also doesn’t have self-service demo options like YouTube.

Who Shouldn’t Use Sophos Firewall or Fortinet FortiGate

Sophos and Fortinet have outstanding next-gen firewall products, but they won’t be the best fit for every business’s or security team’s needs.

Who Shouldn’t Use Sophos Firewall

You may want to look elsewhere if your business is one of the following:

• Businesses looking for fully managed firewall services: Sophos doesn’t have a managed service option strictly for its firewalls.
• Larger teams that want lots of enterprise features: While Sophos offers next-gen firewall capabilities, it has fewer than some competitors, including Fortinet.
• Admins that want extensive log retention: Sophos isn’t clear on how long it stores firewall logs, and admins may run into trouble if they want a year’s worth.

Who Shouldn’t Use Fortinet FortiGate

I recommend considering other firewalls if you fit any of these categories:

• Startups looking for the most affordable firewall: Fortinet offers plenty of low-cost firewall options, but it may be too expensive for some startups and SMBs.
• Teams that need tag or attribute-based policies: Fortinet doesn’t provide much information on policy enforcement based on specific tags or attributes.
• Admins that want email or live chat support: Fortinet does offer phone support, but if you’d like email or live chat, you’ll need to look elsewhere.

3 Best Alternatives to Sophos Firewall & Fortinet FortiGate

While Sophos Firewall and Fortinet FortiGate are some of the best enterprise firewall options in the industry, they won’t be a perfect fit for every team. If your business would benefit better from another product, check out Palo Alto NGFW, Check Point Quantum, and Juniper Networks’ SRX Series.

Palo Alto NGFW

Network security giant Palo Alto offers multiple next-gen firewall models for branch, campus, data center, cloud, and mobile 5G environments. Firewall deployment options include cloud, container, virtual, and hardware. The hardware firewalls are Palo Alto’s PA Series, with features like traffic decryption, user-based access policies, and machine-learning-based threat detection.

Palo Alto is generally on the more expensive side and is a great option for large enterprises that can afford its excellent security and advanced features. Contact Palo Alto’s sales team for specific prices for the PA-Series, VM-Series, and CN-Series.

Check Point Quantum

Check Point Software Technologies offers the Quantum Gateway series of firewalls to businesses in all types of environments, including rugged ones like power plants and construction zones. Key capabilities include threat prevention tools, APIs for third-party SOC integrations, and the option to cluster firewalls and hyperscale.

If your business wants to sandbox malware, you can add Check Point SandBlast, a sandboxing and zero-day protection product, to your Quantum Gateway. Contact Check Point for pricing information specific to your organization. Reseller pricing for the Check Point Quantum 16200 starts around $117,000, including a SandBlast subscription.

Juniper Networks SRX Series

Juniper Networks’ SRX Series of firewalls offers features like WAN connectivity, intrusion prevention, antivirus, and role-based firewall controls. Juniper also has its own operating system, Junos, which powers all the firewalls. Admins can create and deploy security policies using Juniper Security Director Cloud, a single-UI product that also helps teams stop network threats and attacks.

The SRX Series is ideal for virtualized and containerized environments, offering the vSRX virtual firewall. You can purchase the vSRX through cloud providers like AWS, which prices the vSRX software at $0.65 per hour. Pricing for the SRX300 appliance starts between $600-$800.

If none of these solutions sound like a good choice for your business, check out our guide to the best NGFWs next. This list also includes Forcepoint and Cisco.

How I Compared Sophos Firewall & Fortinet FortiGate

I developed a rubric to score both firewalls, which included six major categories that firewall buyers should take into consideration. Each category received its own weighting based on importance, and each had multiple subcriteria. I evaluated how well Sophos and Fortinet met the subcriteria. The six categories included the most important firewall features, appliance pricing, usability, administrative features, support options, and nice-to-have advanced features.

Core Features – 25%

I considered whether Sophos and Fortinet offered a wide variety of core features, including deep packet inspection, URL filtering, and support for SD-WAN. Additionally, I evaluated whether the vendors offered a dedicated operating system for the firewalls.

Pricing – 20%

I compared pricing of hardware appliances, including desktop units, mid-sized firewalls, and enterprise-grade appliances. I also looked at free trial availability and length.

Ease of Use – 20%

I evaluated Sophos Firewall and FortiGate’s general usability, including availability of documentation, firewall rules and policies, and number and type of deployment options. I looked at whether the firewalls were available as a managed service.

Administration – 15%

To analyze administrative capabilities, I looked at tools like log retention, role-based access controls, and high availability options. Then I considered whether the firewall management system allowed teams to view all vendor firewall instances from one console.

Customer Support – 10%

I evaluated customer support team availability and channels like phone, email, and live chat. I analyzed demo options and whether each vendor offered the option of a technical account manager.

Advanced Features – 10%

I considered advanced firewall capabilities like built-in RAID, access to sandboxes, and advanced threat protection. Additionally, I evaluated types of policy enforcement and privilege access management features.

Bottom Line: Sophos Firewall vs Fortinet FortiGate

Both Sophos and Fortinet offer outstanding firewall products that are popular within the network security industry. Each is famous for being a good choice for smaller businesses, but I’d recommend Sophos overall for the smallest and least experienced teams. Likewise, while each has plenty of features to offer large enterprises, I’d suggest FortiGate for the most advanced business needs.

Firewalls, particularly next-gen solutions, are a great start to protecting your network, but they are only one component. Check out our guide to securing your business network for more tips, including regularly auditing your network.

The post Sophos XG vs Fortinet Fortigate: 2024 Firewall Comparison appeared first on eSecurity Planet.