
Security Solutions Issue 115 Out Now!

In Security Solutions Issue 115, we look at the role of the private security industry in Australia’s national counter-terrorism plans. We also discuss strategies to help identify insider threats, examine whether or not prisons are fertile recruiting grounds for terrorist groups and explore ways to demonstrate the value of an effective cyber security strategy to the company board.

Check out the latest issue today and subscribe!

ExtraHop® Adds CrowdStrike Falcon® Intelligence to Reveal(x)™ Platform

Patrick Dennis, CEO, ExtraHop

Expands partnership with CrowdStrike to give ExtraHop customers integrated world-class threat intelligence, while also empowering CrowdStrike Services to use Reveal(x) as part of Incident Response investigations

ExtraHop, a leader in cloud-native network detection and response (NDR), today announced it is strengthening its partnership with CrowdStrike by offering CrowdStrike Falcon Intelligence embedded within the Reveal(x) platform. The new integration will provide customers access to CrowdStrike’s world-class threat intelligence, giving their security teams full comprehension of attacks to enable faster and better decisions.

According to the CrowdStrike 2023 Global Threat Hunting report, threat actors are becoming faster and more sophisticated in their attacks. In the past year, CrowdStrike’s Counter Adversary Operations team saw the average time for an adversary to move laterally from initial compromise to other hosts in the victim environment reach an all-time low of 79 minutes. As that number continues to decline, the time it takes to respond to an incident is more critical than ever.

To help customers stop cyber threats before it’s too late, ExtraHop will extend CrowdStrike Falcon Intelligence access within the Reveal(x) platform to all customers. By combining CrowdStrike’s industry-leading threat data with high-fidelity network insights from Reveal(x), customers benefit from more timely, reliable, and contextual detections that can help decrease mean time to respond (MTTR). Highlights include:

  • Award-winning threat intelligence: With high-quality research from CrowdStrike’s elite team of threat hunters and intelligence analysts, security teams will be kept up to date on the latest malicious actors, tools, and methods.
  • Enriched detections: Indicators of compromise (IoCs) created and curated by CrowdStrike enrich Reveal(x) detections with additional telemetry and context, like confidence level, attribution, related vulnerabilities, and more.
  • Seamless integration: CrowdStrike Falcon Intelligence will integrate seamlessly within the Reveal(x) platform, in addition to other already-integrated features through Falcon Insight XDR and Falcon LogScale, extending the power of security platform consolidation.

“Without strong context, you can’t have effective detections – they’re otherwise lacking the background needed to truly empower customers to reveal the unknown and stop an attack,” said Patrick Dennis, CEO, ExtraHop. “With CrowdStrike Falcon Intelligence embedded into Reveal(x), customers gain unparalleled insights into the threats traversing their networks. We remain steadfast in our mission to grow our successful and ever-evolving partnership with CrowdStrike to offer customers solutions that they can trust.”

Enterprise-Grade Network Detection and Response for CrowdStrike Services

ExtraHop also announced that CrowdStrike Services can now leverage Reveal(x) in existing ExtraHop customer environments for additional network visibility and context to augment their investigations. Reveal(x) delivers 360-degree network visibility that eliminates blind spots to accelerate investigation and response for joint Services customers.

“The combination of CrowdStrike and ExtraHop gives our customers the intelligence, technology, and expertise they need to better understand and contextualise threats to stay one step ahead of adversaries,” said Daniel Bernard, Chief Business Officer, CrowdStrike. “Continuing to build upon our historic partnership is essential for providing customers with best-in-class security that stops breaches and keeps businesses up and running.”

ExtraHop is a proud partner of the CrowdXDR Alliance.


New CCO for data protection organisation Commvault

Enterprise data protection leader Commvault has employed industry veteran Sarv Saravanan as its first Chief Customer Officer.

“Sarv joins at a pivotal time,” said Sanjay Mirchandani, Commvault President and CEO. “In today’s hybrid cloud world, customers need proactive and resilient data protection solutions that reduce complexity and deliver truly exceptional experiences. With Sarv’s leadership, we will continue to exceed these expectations.”


Saravanan has extensive experience building and driving global customer-centric development and delivery organisations. Most recently, he led Microsoft’s Global Delivery Center, which engages with the company’s biggest customers and their strategic partners to accelerate cloud transformations. Saravanan, who has a master’s in computer science from Bharathidasan University, was recognized by Zinnov for creating and mentoring industry leaders.


“In an industry facing threats that are more autonomous than ever before, customers are looking for unparalleled cyber resiliency know-how and an aggressive roadmap that harnesses the power of AI with the ease of SaaS,” said Saravanan. “By continuing to redefine data protection, Commvault will widen its competitive advantage while furthering its customers’ advantages.”


ExtraHop® Reveal(x)™ Available for Purchase in the CrowdStrike Marketplace

Phil Shigo, Vice President, Business Development, ExtraHop

ExtraHop, a leader in cloud-native network detection and response (NDR), today announced that the Reveal(x) platform, the ExtraHop NDR solution, will be available in the new CrowdStrike Marketplace, a one-stop destination and world-class ecosystem of third-party security products.

Together, ExtraHop and CrowdStrike offer organisations a unique approach to extended detection and response (XDR), correlating network and endpoint data faster and with greater visibility into the threat landscape. The Reveal(x) platform unmasks the path an attacker has taken while moving laterally across the network. The CrowdStrike Falcon® platform offers visibility and protection of endpoints with actionable insights into attacker activity. By uniting these two award-winning platforms, customers can generate a comprehensive analysis of their environments, confidently qualify – or disqualify – threats, and identify the scope of any compromise, which data has been transmitted, and if it was encrypted.

Highlights of the partnership include:

  • Improved threat detection and response: Ingest network data from Reveal(x) in CrowdStrike Falcon® LogScale for optimised threat hunting and critical resource allocation.
  • Continuous discovery of unmanaged devices: Continuously discover and monitor communications among unknown and unmanaged devices, mobile devices, IoT, BYOD, remote workforce, and more.
  • Prioritised, contextual alerts: Improve analyst efficiency and help them focus on what matters by enriching security data across endpoints, cloud workloads, identities, and data with network intelligence to quickly surface malicious activity.
  • Push button response: Quickly triage threats and quarantine devices from a single console if and when anomalous activity is detected.

The newly released CrowdStrike Marketplace will connect CrowdStrike customers to ExtraHop, a trusted CrowdStrike partner, simplifying security stacks, reducing operational costs, and helping to manage complexities seamlessly.

“Nearly four years into our partnership with CrowdStrike, the joint customer feedback has been extremely positive, speaking to the transformative effect our integration has had on enterprises’ ability to see more, know more, and stop more cyberattacks,” said Phil Shigo, Vice President, Business Development, ExtraHop. “The CrowdStrike Marketplace will make it easier for customers to find us and experience the benefit of these two synergistic platforms firsthand.”

“With the CrowdStrike Marketplace, companies can supercharge the Falcon platform for their unique needs with the click of a button to stay ahead of the adversaries,” said Daniel Bernard, Chief Business Officer, CrowdStrike. “Companies and partners are building on top of the Falcon platform and the launch of CrowdStrike’s Marketplace makes it clear that future cybersecurity innovation is happening on Falcon.”


How Cyber Insurance is Evolving in Today’s Business Environment

It’s a widely held belief among IT security professionals that it’s not a case of ‘if’ an organisation will suffer a cyberattack but ‘when’. With the volume and sophistication of attacks growing by the day, becoming a victim is almost inevitable.

Faced with these circumstances, organisations of all sizes are making significant investments in everything from security tools and platforms to staff awareness training and external support.

However, because the chance of suffering a disruptive and costly attack is never zero, increasing numbers of organisations are also taking out cyber insurance policies. These policies are designed to cover the financial losses caused by an attack and allow an organisation to recover much more quickly.

Cyber insurance can be thought of as the last layer of a defence-in-depth security strategy. If a cybercriminal manages to breach all the layers of protection an organisation has in place, the insurance will be there to assist.

Unfortunately, due to the rapid escalation of cyberattacks around the world, cyber insurance is becoming increasingly difficult to secure. Insurance companies are ramping up their list of measures an organisation must have in place to prevent attacks. They must also demonstrate they have the capability to manage those measures and maintain an effective level of security at all times.

Policy coverage

Since they first appeared on the market more than 20 years ago, cyber insurance policies have evolved to reflect the constantly changing threat landscape. Policies vary between different insurance companies but tend to cover a core range of areas.

Most policies will cover loss of business income as the result of an attack as well as the costs associated with system restoration. Many will also cover the cost of extortion expenses such as ransom demands from attackers.

Some policies will go even further and offer coverage for activities such as digital forensics to determine exactly how the attack occurred and the steps needed to ensure it can’t happen again. Some will also cover the costs associated with communicating details to clients about the impact of the attack and even costs associated with engaging a public relations firm to help restore the firm’s reputation.

Security requirements

To reduce the likelihood that they will need to pay out on a cyber insurance policy, insurance companies will have a detailed list of requirements that organisations seeking coverage will need to meet.

These requirements will include everything from disk encryption on all laptops, desktops, and mobile devices to the segmentation of local-area networks. Insurers are also likely to require that multi-factor authentication be put in place, as well as endpoint detection and response capabilities.

Insurers are also likely to require that firms undertake regular security awareness training for their staff and also conduct annual penetration tests of their IT infrastructure.

It’s also important to remember that insurance companies are likely to refuse to pay out if it can be proven that an attack took place due to unpatched or end-of-life software being used within a company’s infrastructure. This means that undertaking regular software checks is vital.

An opportunity for MSPs

This situation might be frustrating for organisations that find they need to invest additional funds into security measures in order to obtain insurance cover. However, it actually represents a significant opportunity for managed service providers (MSPs).

Many organisations will not have the knowledge or skills internally that will be needed to deploy and manage the security measures required by the insurance providers. MSPs are well positioned to act as a trusted advisor and guide their clients through the steps they will need to take. They can also help with the selection of the most appropriate insurer and type of policy.

The need for cyber insurance is going to continue to grow as the extent of threats climbs. By understanding how it works and what they will need to do to qualify, organisations will be able to take advantage of this additional layer of protection.

Anthony Daniel, Regional Director – Australia, New Zealand and Pacific Islands, WatchGuard Technologies

i-PRO introduces industry’s smallest dome cams with AI

New models feature wider viewing angle, IR illumination, tough vandal resistance, built-in microphone, and advanced cybersecurity


i-PRO Co. Ltd. has recently announced 24 new compact dome camera models. The new models offer wider scene coverage, vandal resistance, powerful edge-based AI analytics, and flexible deployment options for every budget.


Available in 2MP and 4MP resolutions, the efficient designs deliver the smallest compact domes and highest cyber security protection available. Small in size but big in capabilities, both X and S series models support up to two AI analytic apps, providing the industry’s widest range of analytics. As with all i-PRO cameras, the new line of compact domes is fully NDAA compliant, with TAA* compliant versions also available.


The new line of compact domes extends the wide-angle lens to enable monitoring of a large area without blind spots, delivering a horizontal and vertical field of view up to 132° — the widest in the industry. Advanced video analysis with access to AI VMD (video motion detection) and i-PRO Active Guard capabilities ensure popular VMSs such as Genetec, Milestone, and i-PRO’s VMS Video Insight receive the AI generated descriptive metadata needed for deep forensic search or real-time alerts. Built-in IR extends low light performance, ensuring detailed image capture even in the dark. A built-in microphone supports sound recording and audio analytics.


Gerard Figols, President, i-PRO EMEA, said, “With powerful wide-angle coverage and strong AI capabilities at an entry-level price, these tough compact domes offer significant value for money, making the advantages of AI technology easily accessible for our partners’ daily security projects. As market leaders in cyber protection across our line-up, and because our products are fully NDAA compliant, we also ensure the generated data is handled in a trustworthy way, giving our customers peace of mind.”


X Series: Rugged, feature-rich design ideal for transit 

Built for use in challenging transit environments like trains or buses, the X Series models are built to withstand vibrations and shock, ensuring the best quality of the video footage for accurate analytics. AI-based anonymous analytics such as occupancy detection and people counting are available for free to help better manage transit environments. The cameras offer high frame rates (60fps) for smooth motion and superior low light performance (.02 LUX at 30IRE), to enable precise monitoring even in sudden light changes, as vehicles move between different lighting environments. They offer rugged M12 connectors along with RJ45, IK10 vandal resistance, and IP66 rating for dust and water ingress protection. The X Series also features IEC standard compliance, with support for EN45545 and EN50155-TX.


S Series: A new standard for compact domes with built-in AI for wide applications

Like the X Series, the new S Series compact domes have the widest range of AI-based analytics available at an entry-level price. They support people and vehicle detection with attributes, scene change detection, sound analytics, occupancy detection, and AI Privacy Guard in addition to classic video motion detection analytics. They also offer IK10 vandal resistance and IP66 rating for dust and water ingress protection.


Providing the highest cybersecurity level in the market, both the X- and S-Series models utilise a secure element and comply with FIPS 140-2 level 3 for robust protection against unintended access.


U Series: High performance and exceptional value

i-PRO’s U Series cameras deliver exceptional value and image performance. For cost sensitive projects that don’t require AI features, expanded angles of view, secure element cyber protection, or enhanced low-light performance, the new entry-level U Series compact dome is the thinnest model available. The outdoor models of the U Series are also IK10 vandal resistant and IP66 dust and water ingress protection certified.



Commvault scores high in latest GigaOm report


Once again named a ‘Leader’ and ‘Outperformer’ for best-in-class BaaS experience, strong integrations, and crucial cyber resiliency features


Enterprise data protection leader Commvault® has announced that GigaOm has named the company a “Leader” and an “Outperformer” in its most recent report, the GigaOm Radar for Hybrid Cloud Data Protection for Large Enterprises.


An assessment of competing solutions, the GigaOm Radar report places Commvault in the Leaders circle of the Innovation/Platform Play quadrant, highlighting its platform-driven approach with strong integration across the portfolio, a best-in-class BaaS (Backup-as-a-Service) experience, exceptional data management capabilities, and cyber resiliency features.


“Commvault’s strong position in GigaOm’s latest Radar report reaffirms our commitment to delivering secure, efficient, and scalable data protection,” said Param Kumarasamy, Vice President of Product Management, Commvault. “With AI-driven anomaly detection, threat mitigation, and risk analysis capabilities, we help customers improve their security posture across any hybrid cloud environment.”


The GigaOm Radar Report is a forward-looking analysis that plots vendor solutions’ relative value and progression based on strategy and execution. The Radar report includes a breakdown of each vendor’s offering, highlights the key hybrid cloud data protection vendors and, according to GigaOm, equips IT decision-makers with the information to select the best fit for their business and use case requirements. GigaOm defines large enterprises as organizations with 1,000 or more employees.


GigaOm describes Commvault as having “a comprehensive hybrid cloud data protection portfolio with excellent cyber resiliency capabilities and a very broad workload support across clouds,” deeming it “well-suited for organizations with advanced data management requirements.”


“Commvault delivers a best-in-class BaaS experience with Metallic. The solution offers broad services, including excellent cyber resiliency features and regulatory compliance,” said Max Mortillaro, Analyst, Data Analytics and AI, GigaOm. “[Commvault] supports an extensive range of platforms, including multicloud, databases, unstructured data, Kubernetes, and SaaS applications, making it capable of replacing a traditional on-premises data protection solution for most use cases.”


In addition to vast support for distributed cloud workloads, GigaOm also calls attention to Commvault’s robust security capabilities, including insights and posture management tools, malware scanning, threat detection and alerting, immutable data backups, and more.

To find out how Commvault stood out versus the competition, read the full report here: GigaOm Radar for Hybrid Cloud Data Protection for Large Enterprises.


Three ways to overcome cybersecurity staff shortages

Skilled cybersecurity talent is in tight supply. It’s challenging to recruit, hire and retain skilled professionals, and these trends are expected to continue into the near future.

According to the (ISC)² 2022 Cybersecurity Workforce Study, the 2022 global cybersecurity workforce gap stood at 3.4 million people, an increase of 26.2% from 2021. In Australia alone there were nearly 40,000 unfilled cybersecurity jobs in 2022, an increase of 57.6% over 2021.

Eyal Arazi, senior security solutions lead for Radware, says that coupling this gap with the surge in cyberattacks creates the perfect storm for organisations doing their best to protect their data and assets, including infrastructure and applications.

The threat is real. According to Radware’s recent First Half 2023 Threat Analysis Report, the number of malicious web application transactions alone skyrocketed by 500% compared to the first half of 2022.

Yet according to the company’s Application Security in a Multi-Cloud World Report, less than half of organisations indicate they trust their security staff to configure and maintain a strong application security posture across the public cloud platforms they currently use for hosting applications.

Given the shrinking cybersecurity talent pool and surge in cyberattacks, organisations must adjust their approach to managing their cybersecurity programs. To help reduce the reliance and load on internal teams that are already overstressed and understaffed without compromising security programs, organisations should consider the following three strategies.

#1 — Consolidate security tools

One of the most effective and efficient ways for organisations to address the cybersecurity staff shortage is to consolidate their security tools. The mathematics are simple: The fewer tools there are to manage and maintain, the less time and energy is spent switching between systems and management consoles.

As part of the consolidation process, organisations should replace individual tools and defences that provide piecemeal protections with one-stop-shop, best-of-suite solutions that cover a wide range of attacks and threat vectors. And it should all be managed with a single tool that includes a comprehensive reporting dashboard.

Consolidation has several important benefits. It enables security teams to maintain the same level of protection while speeding up processes with centralised management and reporting. In addition, it minimises the time spent on integrating separate products.

Nonetheless, it’s important that consolidating tools doesn’t degrade an organisation’s security posture. Selecting a best-of-suite tool that also delivers best-of-breed security will ensure that cybersecurity protections operate at optimal levels.

#2 — Automate! Automate! Automate!

Another way to reduce the workload on cybersecurity staff is to automate as many processes as possible and replace slow and labor-intensive manual configurations. When it comes to cybersecurity, automation falls into two categories:

  • Security: Organisations can automate actual cyber defence activities, such as policy configuration, rule configuration, and signature creation.
  • Deployment: Organisations can automate the deployment of cybersecurity mechanisms that don’t interrupt existing business or technical processes.

To defend successfully against attacks that are bigger, more frequent and more sophisticated, organisations must embrace security automation. Any type of manual security process becomes vulnerable to evolving attack patterns and new zero-day threats.

Because neither an evolving nor a zero-day attack has a protection signature, it presents a particularly difficult problem in today’s staff-constrained world. There simply aren’t enough qualified people with the time and skills to quickly and effectively respond to shifting attacks 24x7x365.

By automating cyber defences, including creating new rules, defining security policies, managing deployment activities and more, organisations can reduce both the direct workload on cybersecurity teams and successfully mitigate attacks. In addition, they can reduce the cascading impact and interruption that incidents create for other teams across the organisation, including DevOps, IT, operations, marketing and others.

#3 — Engage managed security service providers to do the heavy lifting

Managed security service providers offer another resource for addressing today’s shortage of cybersecurity professionals. The idea is to outsource cybersecurity functions to service providers and let their tested and fully managed security services do the heavy lifting.

The term cybersecurity encompasses a massive domain that spans many dedicated sub-domains. Examples include network security (e.g. firewalls, VPNs, secure web gateways), application protection (e.g. web application firewalls, bot protection, DDoS protection), endpoint security (e.g. anti-virus, EDR), email security, public cloud security (e.g. workload protection, CSPM, IAM security), and many, many others.

Each subdomain is distinct in its scope of protection, attack vectors, threat surfaces and mitigation tools. As the threat landscape becomes more complex, these domains require more dedicated, specialised experts.

It is virtually impossible to find cybersecurity staff who possess the specialised skill sets and expertise required to address each sub-domain and understand all the tools that support them. So, even if an organisation has enough personnel, it may not have the right skills on staff to adequately cover all the bases.

It simply makes sense to outsource certain security functions to experts who perform these activities daily. It’s their sole focus.

Just remember, it’s critically important to ensure managed security providers have a proven track record and that they are properly staffed and trained. Engaging a managed security service provider can greatly unburden internal cybersecurity teams while simultaneously enhancing an organisation’s level of protection.

To summarise: Cybersecurity staff and skill shortages affect organisations worldwide, and few companies are immune. While recruiting and retaining trained experts will undoubtedly remain a challenge for the future, organisations are not without options.

Consolidation, automation and outsourcing can go a long way in not only alleviating the strain on security teams but also improving the quality of cybersecurity programs and initiatives.

Healthcare organisations at risk as BYOD and mobile devices escalate cybersecurity concerns

The healthcare industry has been transforming radically over the past decade with the common goal of improving the way health care is delivered to patients.

Kern Smith, mobile security expert at Zimperium, reports that in recent years we’ve watched healthcare organisations quickly become mobile-powered businesses: with the migration to electronic health records, patients increasingly use mobile apps to view test results, schedule appointments, contact their care provider and even control their medical devices.

Although this shift has brought many advantages such as more accurate and up-to-date patient information, quick access to patient records, improved patient outcomes and better communication between patients and their providers, it has come with risks, especially to patient security.

The healthcare sector has always been a prime target for cybercriminals. Healthcare organisations store an extensive archive of personal health information (PHI) and their accompanying financial records that, if stolen, can be incredibly lucrative for the attacker and especially detrimental to the victim.

The stolen data is often used to commit fraud, identity and intellectual theft, espionage, blackmail, extortion and more. Sadly, often it cannot be replaced.

While apps and mobile devices are highly effective, affordable and convenient ways for medical facilities to manage a diverse range of components throughout the patient care continuum, the ease of use of mobile devices and apps, as well as the confidential patient information they store, make healthcare organisations that much more vulnerable to attackers.

In March 2023, for example, Cerebral, a telehealth platform that provides online therapy and medication management to millions of users, reported a healthcare data breach that impacted more than 3.1 million individuals that stemmed from its use of tracking pixels.

Unfortunately, this is not a standalone incident. According to the HHS Office for Civil Rights (OCR) data breach portal, the healthcare sector has already experienced around 295 breaches in the first half of 2023 alone. Additionally, my company’s Global Mobile Threat Report 2023 revealed a 187% year-over-year increase in the number of compromised mobile devices.

The movement to mobile has brought a whole new slew of attack methods that cybercriminals are using against healthcare organisations. Some of these include:

  • Phishing – Malicious links or attachments shared via email, social media or text message to deliver malware or obtain credentials.
  • Mobile Ransomware – Encrypting files on a mobile device and then requiring a ransom payment for decryption.
  • Man-in-the-middle (MITM) attacks – Attackers intercepting network communications or data transfers to steal confidential user information.

It’s not too much to say that the use of mobile devices to store, access and transmit electronic healthcare records is outpacing the privacy and security protections on those devices. The threat of data privacy risk will continue to rise in line with new attack surfaces and more advanced attack methods. Organisations should employ mobile-first strategies that can adapt to these new challenges.

How can organisations protect themselves and their patients from future attacks? As the healthcare industry continues to rely on mobile and BYOD devices as means for storing and accessing confidential patient information, one of the core steps they must take is adopting a mobile-first security strategy. To do this, there are a few key areas organisations should keep their eye on:

  1. Prioritise risk assessment – Assessing risk as close to the user or point of entry as possible is crucial to defending against attackers. A good first step organisations can take is applying mobile-powered business initiatives across all of their mobile devices and apps.
  2. Visibility is your best friend – It’s important to have complete visibility of all mobile assets and their risk levels in order to assess vulnerabilities and address them immediately. Implementing defences that are quantifiable, auditable, and insurable is key.
  3. Address the most critical gaps first – By embedding security across all devices and applications, applying risk-based response and zero trust assessments of mobile endpoints, organisations can enhance their mobile detection and response strategy overall.
  4. Establish autonomy – Applying systems that can automatically isolate any compromised devices and untrusted environments will lay the foundation for a strong security posture.
  5. Staying ahead – Organisations should keep on top of any regulations, data sovereignty and privacy standards that can put them at risk of compliance failures.

A strong mobile-first approach to security can help you to be proactive and immediately spot suspicious activity, prevent account takeovers, and even stop fraud before it can occur. Organisations need to make the decision to shape their business with mobile users as the priority. This approach is crucial to ensure that their ‘crown jewels’ (i.e. data), and more importantly their patients, remain safe.

Overall, the cyber security challenges faced in healthcare are numerous and complex. Healthcare organisations possess high value data that is highly regulated, and therefore exceedingly valuable for attackers.

Combine this with the use of a variety of complex medical devices and a workforce made up of not just direct employees but a variety of contractors and third party practitioners and it’s easy to see why healthcare organisations have become the main targets of attack. Therefore, providers must remain vigilant, exercising the best security efforts as they embrace mobile devices as part of their operations.

ExtraHop® Open Sources Machine Learning Dataset to Help Security Teams Detect Malware and Botnet Operations Faster

Raja Mukerji, Chief Scientist and Co-Founder, ExtraHop

ExtraHop, a leader in cloud-native network detection and response (NDR), today announced it is open sourcing its expansive 16 million row dataset – one of the most robust available – to help defend against domain generation algorithms (DGAs). This is in an effort to level the playing field for defenders and empower businesses of all sizes to better secure their organisations by strengthening defences against malware and botnet operations.

Amid a widening cybersecurity skills gap (up 26% in the last year) and dwindling resources, the cyber landscape is rapidly evolving. As new threats rapidly appear, open sourced research and datasets are a solution to overcoming the challenges security teams face on a daily basis.

“The challenges we face in security are formidable and dynamic, and, with this initiative, we’re democratising the tools needed for threat research detection for security teams of all sizes, backgrounds, and industries,” said Raja Mukerji, Chief Scientist and Co-Founder, ExtraHop. “Collaboration among the cybersecurity community is invaluable – coming together to share our best work is the only way to remain on the offense and put attackers at a disadvantage. Our research will be a gamechanger for the community and we encourage other teams to open source their own insights that will similarly benefit the industry at large.”

Striving for industry collaboration, ExtraHop is releasing its DGA detector dataset, made up of more than 16 million rows of data, on GitHub to help security teams identify malicious activity in their environments before it becomes a business problem.

DGAs are used by threat actors to maintain control within an organisation’s environment upon making their entrance onto a network, making attacks difficult to detect and stop. Originally built for ExtraHop’s award-winning NDR platform, Reveal(x), this research can now be used by any security researcher to construct their own machine learning (ML) classifier model to more quickly identify DGAs and intervene in attacks with greater speed and precision. Since its implementation in Reveal(x), the ExtraHop DGA model has demonstrated more than 98% accuracy.
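A baseline of the kind of classifier such a dataset lets a team build, as an added example that is not ExtraHop's Reveal(x) model or the code in its GitHub release: hand-picked lexical features (entropy, vowel ratio, digit ratio, consonant runs) scored per domain and then evaluated against labelled rows. The CSV column layout ("domain,label") and the sample rows, including one benign name chosen to trip the rules, are assumptions constructed for the example.

```python
"""Baseline DGA detector plus evaluation harness (added example, not ExtraHop's
Reveal(x) model or its GitHub release). The CSV layout "domain,label"
(1 = algorithmically generated) is an ASSUMPTION; all rows are constructed."""
import csv
import io
import math
from collections import Counter

VOWELS = set("aeiou")

# Constructed labelled rows. "strengths.com" is a deliberately hard benign name
# (one vowel, five-consonant run) that shows where lexical rules misfire.
SAMPLE_CSV = """domain,label
northwind-trading.com,0
www.wikipedia.org,0
weatherreport.net,0
mail.customer-portal.co.uk,0
shopping-basket.io,0
strengths.com,0
xkqjrbzlwpf.com,1
a7f3k9x2m1q.net,1
vqzpxjtrmwkd.org,1
ulfyqwpgzh.info,1
8hz3tq7vk2n.biz,1
"""

def second_level_label(domain: str) -> str:
    """The label a DGA randomises ('wikipedia' in 'www.wikipedia.org'). Two-part
    suffixes such as co.uk are folded naively; real code would use the PSL."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) >= 3 and len(parts[-2]) <= 3 and parts[-1] in {"uk", "au", "nz"}:
        parts = parts[:-1]
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s: str) -> float:
    """Bits per character; random labels approach log2(alphabet size)."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def longest_consonant_run(s: str) -> int:
    run = best = 0
    for ch in s:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best

def features(label: str) -> dict:
    letters = [c for c in label if c.isalpha()]
    return {
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0,
        "digit_ratio": sum(c.isdigit() for c in label) / len(label),
        "consonant_run": longest_consonant_run(label),
    }

def dga_score(domain: str) -> int:
    """Points for traits of machine-generated labels. Weights and cut-offs are
    hand-picked for this example, not learned from the dataset."""
    f = features(second_level_label(domain))
    score = 0
    if f["entropy"] > 3.5:
        score += 1  # near-uniform character usage
    if f["vowel_ratio"] < 0.25:
        score += 2  # human-chosen names are pronounceable
    if f["digit_ratio"] > 0.2:
        score += 1  # digits scattered through the label
    if f["consonant_run"] >= 5:
        score += 2  # long unpronounceable runs
    return score

def is_dga(domain: str, threshold: int = 3) -> bool:
    return dga_score(domain) >= threshold

def evaluate(csv_text: str, threshold: int = 3) -> dict:
    """Score every labelled row; return confusion counts and the precision,
    recall and accuracy figures a released model should be judged on."""
    tp = fp = tn = fn = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        predicted = is_dga(row["domain"], threshold)
        actual = row["label"].strip() == "1"
        if predicted and actual:
            tp += 1
        elif predicted:
            fp += 1
        elif actual:
            fn += 1
        else:
            tn += 1
    total = tp + fp + tn + fn
    return {
        "tp": tp, "fp": fp, "tn": tn, "fn": fn,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "accuracy": (tp + tn) / total if total else 0.0,
    }
```

On the constructed rows the rules catch every generated label but also flag "strengths.com", which is why a lexical baseline is tuned and replaced with a learned model on a large labelled corpus rather than shipped as-is.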

“Giving threat actors the ability to operate undetected and an uptick in these types of attacks, DGAs are increasingly considered a major threat to businesses today,” said Todd Kemmerling, Director of Data Science, ExtraHop. “As we began developing a model for detecting DGAs, it became apparent there was a lack of public datasets accessible to security teams with a wide-ranging set of resources. With this dataset, we are filling that gap, giving any security team access to the pivotal data needed to detect DGAs swiftly.”

Access the full dataset on GitHub today. For more details, read our blog on DGAs.

Aqua Security’s new business soars by 65%

Cloud native security pioneer Aqua Security has announced it closed the first half of 2023 with a 65% increase in new business.

The company attributes this growth to increasing demand for its unified cloud native application protection platform (CNAPP) and its proven ability to see and stop cloud native attacks in progress anywhere in the software development lifecycle.

“From day one, our vision has been to deliver a complete full lifecycle security solution in one holistic platform,” said Dror Davidoff, co-founder and CEO of Aqua.

“It is not enough to simply see an attack. You need visibility into what’s happening across the entire software development lifecycle, and you must be able to stop those attacks at any point.”

Aqua leads the cloud native security market as the first integrated CNAPP helping customers see and stop attacks across the entire application lifecycle, from code to cloud, and back.

It was also first to market with software supply chain security capabilities and with Real-Time CSPM — the only solution that combines agentless and in-workload visibility for a complete and prioritised view of cloud security risk in real time.

With the addition of features released in the past quarter, the Aqua Platform is the only CNAPP to offer cloud-to-code tracing capabilities, which transform how cloud risks are discovered, and massively reduce time to remediation. Teams can quickly trace cloud security issues back to individual developers and their code commit to improve efficiency and cut down resolution time.

When combined with Aqua’s workload protection capabilities, Aqua delivers a single source of security truth and enforcement for both dev and cloud.

Over the past six months, Aqua has experienced substantial growth across global markets and industries. Aqua now secures the cloud deployments of 40% of the Fortune 100 companies, and a total of more than 500 enterprise customers across 40 countries, with individual customers scanning up to 10 billion images annually.

In 2023, the company expanded its financial services focus and now serves six of the top 10 banks in North America, and six of the seven top banks in Canada, making it the leading cloud native security provider for the financial services industry.

Aqua sees significant interest from governments around the world in securing their cloud environments. FedRAMP® “in process” designation is the first of many key milestones for Aqua.

In mature cloud markets such as Australia, Aqua’s pursuit of IRAP certification will assist in driving the broad uplift in cloud security from code to the cloud and back. With significant digitisation of citizen services, the Aqua Platform will be ideally positioned to secure these critical applications.


Channel & partner successes

During 2023, Aqua’s Advantage Ecosystem has continued to see success. Partner transactions now account for 75% of new business revenues as a result of steady growth, both in new partners and deal registrations.

Aqua’s global partners submitting deal registrations surged by 25%, and 50% of Aqua’s pipeline is partner-initiated. Deep strategic partnerships with organisations such as the recently announced Accenture are contributing to the growth.

This year, Aqua has also won several channel industry accolades. Aqua’s senior director, global channel and alliances, Jeannette Lee Heung, was recognised on CRN’s elite 2023 Channel Chiefs and 2023 CRN Women of the Channel lists and the Aqua Advantage Ecosystem was recognised by CRN in its 2023 Partner Program Guide.

Aqua’s industry-leading technology garnered significant third-party recognition in 2023. The company was named Platform Leader in Innovation in the GigaOm Radar for Cloud Security Posture Management (CSPM), Market Champion and an Overall Leader in the 2023 KuppingerCole Software Supply Chain Security (SSCS) Leadership Compass and was recognized as a Representative Vendor in the Gartner® Market Guide for Cloud-Native Application Protection Platforms (CNAPP).


Broad Industry Impact

With a global network of honeypots, the Aqua Nautilus research team analyses more than 80,000 cloud native attacks every month, specifically those unique to containers and microservices that other platforms cannot see.

The team actively publishes findings and recommendations to help bring greater understanding of the threat landscape and strengthen global cloud security efforts. For example, in 2023, Aqua Nautilus uncovered HeadCrab, a novel state-of-the-art Redis malware, and a new attack method targeting VS Code extensions.

The team also discovered 250 million artifacts and 65,600 container images that were exposed via thousands of misconfigured Red Hat Quay registries, JFrog Artifactory and Sonatype Nexus artifact registries.

Aqua has built one of the largest open source cloud native security communities in the world, with tens of thousands of users and over 40,000 combined GitHub stars. It includes the widely revered Trivy®, an open source vulnerability and risk scanner, which has a thriving community of users and contributors.

It also includes Tracee®, a powerful and innovative runtime security solution that uses eBPF technology to observe system behavior and detect suspicious events. Aqua’s open source projects help drive adoption of cloud native security for every kind of organisation and user, and they leverage the power of community to deliver enterprise product innovation.

How human-tech connection is key to adoption and change management

Sit a modern worker down in front of a new software platform and chances are they’ll be able to figure out how to use it. They’ll noodle around a bit, check out the menus, click buttons, and soon they’ll be up and running with the basics.

BitTitan’s Asia Pacific sales manager Tim O’Neill says this is what many workers do when faced with new technologies adopted in response to organisational changes. And lately, there’s been a lot to figure out.

Demands for efficiency and automation have resulted in a proliferation of specialised software solutions. The rise of remote and distributed work added sophisticated collaboration tools.

Mergers and acquisitions have left many companies with a patchwork of disconnected platforms. Without a cohesive plan for adoption and change management, users are often left to their own devices to make technology work for them.

Intuitive software has a lot of advantages, but it can also have hidden costs if it wasn’t rolled out with a plan. Whether due to rushed deployment or happenstance, users who have to find their own way around a new tool can end up with a superficial understanding of its capabilities.

That can leave many useful features untapped. A tool implemented to streamline processes can instead lower productivity, compound inefficient workflows, and even generate avoidable errors. Frustration can lead to wasted time as users struggle to figure out how to accomplish their tasks. They may even be tempted to bypass security measures in acts of desperation.

Cleaning up the mess

Adoption and change management connects humans to the technology that supports their jobs. It’s a holistic approach that looks across the entire IT environment in order to maximise integration, collaboration, and productivity.

The trend towards individual business units determining their own technology needs and making decentralised purchase decisions has left many IT teams overwhelmed. The focus is often on researching and acquiring tools rather than optimising the environment to maximise user satisfaction and knowledge.

Many organisations are taking the opportunity to implement adoption and change management in conjunction with data migrations. Migrations are being triggered by mergers, acquisitions, cloud consolidation and workplace modernisation.

Any substantial migration includes a discovery and planning phase. This pre-migration phase gives IT a chance to audit and clean up the environment. It’s always been a best practice to delete or archive data that’s past its retention lifespan.

The same can be said for obsolete or redundant applications. A pre-migration audit allows IT to identify best-of-breed systems and determine how they can be deployed company-wide. This is where adoption and change management comes in.

The general framework for adoption and change management starts with identifying roles, structures, processes, projects, leadership competencies and performance measures (KPIs).

Organisations often work with technology services providers like SoftwareONE, Insight, and Unisys to develop a comprehensive plan based on their maturity, objectives and employee needs.

The migration itself is usually the easiest part of the process – especially with my company’s migration app. Proper preparation and implementation can turn a migration into an efficiency and productivity engine that results in a more streamlined IT function as well as a clear picture of how IT can support future growth.

Communication and education are vital to the adoption and change management process. Training will help address any changes users might encounter when familiar software is on a new platform.

It can also help level set people throughout the organisation to assure they’re getting the most out of their technology tools. Another best practice is to designate internal champions or ambassadors who will help their peers. Internal advocates play an important role in identifying specific use cases that require attention for the project to be a success.

Whether it’s patchwork IT that has evolved as a response to a rapidly changing environment, or mergers and acquisitions that result in a collection of disparate systems, a fractured IT infrastructure is a drag on collaboration and productivity. And that’s a drag on ROI when every opportunity for efficiency counts.

Organisations that see employees as their key to success see adoption and change management as the fulfilment of that commitment. It’s an opportunity to support employees with the right tools and the knowledge they need to use them.

Making that human-tech connection is a critical component of what services providers offer. Our own migration application is an important tool in the toolkit, with adoption and change management increasingly being built into migration projects in order to take advantage of opportunities for consolidation, integration and efficiency.

BeyondTrust Named a Leader in 2023 Gartner® Magic Quadrant™ for Privileged Access Management

Janine Seebeck, CEO of BeyondTrust

  • For the fifth consecutive year, BeyondTrust is named a Leader in the Gartner Magic Quadrant for Privileged Access Management (PAM)
  • BeyondTrust’s Ability to Execute and Completeness of Vision are the reasons why it was named a Gartner Magic Quadrant Leader

BeyondTrust, the worldwide leader in intelligent identity and access security, today announced it has been positioned in the Leaders Quadrant in the 2023 Gartner Magic Quadrant for Privileged Access Management, with BeyondTrust positioned as the highest in Ability to Execute. This is the fifth year in a row BeyondTrust has been recognised as a Leader.

Attackers today are relentless, and nearly every cyberattack involves privileged access and identities, either to gain initial access, or to move laterally within an environment. BeyondTrust’s integrated platform and solutions protect all identities, access, and endpoints across the entire environment, enabling security that is monitored, managed, secured, and just-in-time.

Earlier this month, BeyondTrust announced the general availability of its groundbreaking Identity Security Insights solution. With the escalating complexity of cyber threats targeting identities and credentials, this innovative solution sets a new standard in securing both human and non-human identities and privileges, providing organisations with unparalleled visibility and advanced identity-first threat detection capabilities.

“We believe the continued recognition as a PAM Leader validates BeyondTrust’s strengths in this market, focused on platform breadth, solution depth, integrations, and value,” said Janine Seebeck, CEO of BeyondTrust. “We focus on securing the privileges and access that make compromised identities dangerous. By empowering organisations to proactively protect their identities, we’re continuing to spearhead advancements in cybersecurity that safeguard critical assets in today’s evolving threat landscape.”

Customers around the globe have praised BeyondTrust’s solutions through verified ratings and reviews on Gartner® Peer Insights™, including:

  • “We implemented BeyondTrust within the past year and so far, it has done exactly what we needed it to do. The implementation was relatively simple, ability to set up accounts for vendors and users in the platform was easy as well. The interface is intuitive and not too busy and support was quick to respond during the initial setup and any time we’ve needed assistance since then as well.” — IT Manager (Industry: Energy and Utilities)
  • “BeyondTrust is the Cadillac of least privilege. The products and features they offer are top of the game.” — System Administrator (Industry: Miscellaneous)
  • “The purchasing decision was very easy for us. They were very helpful in supplying technical information and showed us what was possible, very helpful. When we engage with partners on deploying the tool, many of them already use BeyondTrust or have used it in the past, so it makes deploying another tool in a customer environment very easy. I love that.” — Sr. Director, Infrastructure and Operations (Industry: IT Services)
  • “Working with BeyondTrust is always a pleasurable experience. The BeyondTrust technical and customer success teams take any challenge thrown their way in strides. We love working with BeyondTrust for their strong focus on ensuring customer success and satisfaction.” — Sr. Manager, Authentication Services (Industry: Manufacturing)

For a complimentary copy of the 2023 Gartner Magic Quadrant for PAM, please visit

Check Point to Acquire Atmosec, an Innovative SaaS Security Vendor, as part of its Strategy to Deliver the Most Secure SASE Solution

Atmosec founders

The technology will allow organisations to prevent cyberattacks on their SaaS ecosystem: discover and disconnect malicious applications, prevent communication with risky third-party applications and fix SaaS misconfigurations

Check Point® Software Technologies Ltd. (NASDAQ: CHKP), a leading provider of cyber security solutions globally, has announced the acquisition of Atmosec. An early-stage start-up, Atmosec specialises in the rapid discovery and disconnection of malicious SaaS applications, preventing risky third-party SaaS communications, and rectifying SaaS misconfigurations. The move reinforces Check Point’s commitment to enhance its SaaS security offering and address the security gaps and blind spots in SaaS applications. Atmosec was founded in January 2021 and has 17 employees.

The widespread adoption of SaaS applications has exposed organisations to an increased array of cyber threats. Statista reports an average use of 130 SaaS applications by organisations globally. Yet, Atmosec’s research reveals that there are approximately 700 additional SaaS applications in use without IT’s knowledge. Moreover, within popular enterprise SaaS platforms like O365 and Slack, hundreds of third-party apps are connected. This ever-expanding SaaS landscape not only increases the potential attack surface, but it also introduces many apps that could be harmful or misused to leak sensitive information, often bypassing proper IT authorisation.

“The shift to SaaS applications introduces specific challenges, notably in the realm of malicious SaaS-to-SaaS communications. Atmosec’s capabilities in SaaS discovery, risk assessment, and full visibility are instrumental in addressing these challenges,” says Nataly Kremer, Chief Product Officer and Head of R&D at Check Point Software Technologies. “Integrating Atmosec’s technology into Check Point Infinity sets us up to deliver one of the industry’s most secure SASE solutions, enabling organisations to effectively manage SaaS security, prevent data leaks, unauthorised access, and malware dissemination, and ensure a robust, adaptive zero trust environment.”

Key features of Atmosec’s technology include:

  • Quick discovery and disconnection of malicious SaaS applications, completed in under 10 minutes
  • Prevention of third-party SaaS applications communicating with an enterprise’s SaaS environment
  • Full visibility into authorised and unauthorised SaaS applications
  • Fixing misconfigurations within SaaS applications, such as publicly exposed repositories, enforcing multi-factor authentication (MFA) to access the application, and many more

With Atmosec’s technology, Check Point Infinity will offer SaaS security with continuous SaaS posture management and prevention of malicious communications (SSPM), and a full security stack for SaaS apps including threat prevention, data protection, and adaptive zero-trust access controls for both users and devices (CASB).

New capabilities will be incrementally released based on roadmap milestones, enabling organisations to utilise these critical enhancements from the same Check Point Infinity platform they already use today.

The acquisition of Atmosec is expected to close by mid-September 2023.

For more information visit Check Point Software Technologies Ltd. (

Mandiant Reveals mWISE Conference 2023 Keynote Lineup

Mandiant Inc., now part of Google Cloud, today unveiled new information on the lineup of keynote speakers and panels for mWISE™ Conference 2023, which will take place September 18-20, at the Marriott Marquis Hotel in Washington, D.C., along with a digital option.

mWISE – Mandiant Worldwide Information Security Exchange – is a portfolio of vendor-neutral event programming that brings together cybersecurity practitioners, industry leaders and visionaries from around the globe to discuss best practices, identify new and emerging trends and convert knowledge into collective action in the fight against persistent cyber threats. The second annual mWISE Conference will feature an impressive lineup of keynote speakers from both the public and private sectors; more than 80 sessions, over 90 speakers, and a showcase of leading cybersecurity vendor innovations on an expanded expo floor.

mWISE mainstage keynotes

mWISE Conference 2023 will deliver engaging and educational mainstage addresses across three action-packed days, purposefully designed by the security community for the security community. Mainstage speakers include highly regarded cybersecurity experts and industry leaders from both the public and private sectors who were selected by a committee of independent experts.

Mandiant CEO at Google Cloud, Kevin Mandia, will deliver the opening keynote on the nation-state threat landscape, followed by remarks from Federal Bureau of Investigation Director Christopher Wray, author and alternate reality game designer Dr. Jane McGonigal, and New York Times bestselling author and journalist Malcolm Gladwell.

mWISE mainstage: industry panels

  • Cyber Intelligence in a Rapidly Changing World. CNN Cybersecurity Reporter Sean Lyngaas will moderate a discussion around how major geopolitical events and new technical demands continue to transform the landscape as well as the challenges and the anticipated opportunities with these changes. Participants will include Jackie Burns Koven, Head of Cyber Threat Intelligence at Chainalysis, John Hultquist, Mandiant Intelligence Chief Analyst at Google Cloud, Selena Larson, Senior Threat Intelligence Analyst at Proofpoint, and Maddie Stone, Security Researcher at Google’s Threat Analysis Group (TAG). This panel will feature a thought-provoking introduction by Sandra Joyce, Vice President, Mandiant Intelligence at Google Cloud.
  • Defending Against Advanced Adversaries: Lessons Learned. Charles Carmakal, Mandiant Consulting Chief Technology Officer at Google Cloud, will moderate a discussion with Diane Honda, Chief Administrative Officer of Barracuda Networks, Kelly Bissell, Corporate Vice President for Microsoft, and Jeff Lunglhofer, Chief Information Security Officer at Coinbase, to share the lessons learned from overseeing complex cybersecurity attacks by advanced adversaries from the perspective of business leaders who led their company’s response.
  • AI and Security Standards: Maximizing Innovation while Minimizing Risk. Moderated by POLITICO Cybersecurity Reporter, Maggie Miller, experts will discuss the immense potential of Artificial Intelligence (AI) and the need for governments, industry and academia to ensure that this profoundly helpful technology works for everyone. Panelists will include Dmitri Alperovitch, Executive Chairman at the Silverado Policy Accelerator and member of the US Government’s Cyber Safety Review Board, Chris DeRusha, Federal Chief Information Security Officer at the Office of Management and Budget (OMB) and Deputy National Cyber Director (ONCD), Trisha Kothari, Chief Executive Officer at Unit21, and Phil Venables, Chief Information Security Officer at Google Cloud.

“In an evolving threat landscape fraught with challenges, the mWISE Conference equips attendees across the cybersecurity industry with the knowledge and tools to harden their networks against the threats of today and tomorrow,” said Sandra Toms, Head of Global Experience Marketing, Mandiant & mWISE. “Our dynamic lineup of keynote speakers and panels has been informed by attendees to ensure the broader community can best come together with new ideas to effect change as we continue to fight back against cyber threats.”

Breakout Tracks

On top of dynamic mainstage presentations, mWISE Conference 2023 will feature more than 80 sessions, available both live and on-demand. Each session falls under one of six key tracks curated by an independent program committee: Cloud Security, Intelligence, Security Engineering, Security Operations, Security Threats and Exploits and Third Party and Cyber Risk Management. Sample industry sessions include: “China and Russia’s Use of AI: Impacts on Cybersecurity and Geopolitical Shifts,” “Intelligence Driven Threat Hunting & Detection,” and “Intelligence-led Cyber Resiliency Strategy.”

For the latest mWISE 2023 Conference updates, visit

Statistics shock as threats to mobile devices escalate

Mobile-powered initiatives are critical to profitability, productivity and competitiveness, as mobile devices and apps are how customers interact with organisations and how employees access resources, collaborate and work.

But J.T. Keating, SVP Corporate Development at Zimperium, cautions that in virtually every sphere of our lives, mobile devices are ubiquitous. This ubiquity has created several key implications for organisations:

He says diverse devices are accessing corporate data, including employee-owned mobile phones and other devices that aren’t managed by corporate IT teams.

Threats to mobile apps and devices continue to rise in both volume and sophistication. My company’s global mobile threat report 2023 (GMTR) highlights that 43% of all compromised devices were fully exploited, an increase of 187% year on year.

The number of mobile apps an organisation offers to employees continues to increase, and at the same time, the number and type of apps that are active on employee and customer devices is exploding.

Sophistication of risks related to mobile devices are increasing, and businesses want to provide more direct access to mobile devices in zero trust environments, creating new challenges for CISOs and security organisations. The GMTR highlighted that 80% of phishing attacks targeted mobile devices.

Regulations and mandates related to device, application and user data, such as the Australian Cyber Security Centre’s (ACSC) 38 mobile security controls, continue to become more onerous, and more difficult to adhere to when addressing the global needs of an organisation.

Security teams face a new set of challenges and need to be aware of the risk:

Devices: In a BYOD environment, mobile users are the ‘device administrators’. Rather than operating in a relatively protected corporate environment, devices can be used anywhere, may be left anywhere, and are frequently connected to public Wi-Fi. Many organisations allow mobile devices on corporate Wi-Fi without full security assurance.

Apps for business: Traditional enterprise business applications run in a secure data centre on servers that organisations control, whereas mobile apps are deployed to app stores, where they are exposed to reverse engineering and tampering by attackers. It’s imperative that organisations assess this risk on a continuous basis.

Apps for consumers: Consumer apps are making their way into the corporate world and pose potential security risks to the business. As security professionals, how do we assess the potential risks of such applications, and have processes to assess and respond at scale?

Five key principles for mobile-first security

  1. Prioritise and assess risk as close to the user or point of entry as possible. Organisations need to prioritise securing mobile-powered business initiatives across all mobile devices and apps, for example by reviewing the mobile-specific recommendations in the Australian Information Security Manual (ISM).
  2. Operate in a known state – visibility and vulnerability assessment for all your entry points. Gain complete visibility of your mobile ecosystem and risk level. Automatically assess vulnerabilities and address them, without throttling productivity. Establish safeguards that are measurable, auditable, and insurable.
  3. Enhance your detection and response strategy for mobile. Detect anomalies and prioritise remediations based on contextual intelligence, so the most critical gaps are addressed first. Embed security across the device and application lifecycle, provide risk-based response, and enable zero trust assessment of mobile endpoints.
  4. Start the autonomous journey. Dynamically respond to ever-changing threats and mobile ecosystems. Automatically isolate compromised devices and untrusted environments. Establish a proactive, resilient, and scalable security posture.
  5. Minimise the risk of compliance failures. Stay ahead of regulations, data sovereignty and privacy standards, such as the ACSC’s mobile security controls, while respecting employees’ work/life boundaries.

When developing applications internally, or if applications are developed for an organisation by third parties, consider the following questions:

  • Organisations often use external services for application review, where typically only security flaws are assessed. Knowing that development teams release new versions of apps one to four times a month, how do you deliver security assurance at scale without impacting development performance?
  • How are you assessing privacy and compliance issues in the applications you are releasing?
  • Are your apps using code obfuscation or integrity checking? How are you attempting to thwart reverse engineering?
  • How well do your app protection approaches score against the Open Worldwide Application Security Project (OWASP) Mobile Application Security Verification Standard (MASVS), National Information Assurance Partnership (NIAP) or Mobile Payments on COTS (MPoC) standards?

There’s no turning back. The mobile-powered business is here to stay. Given that reality, what are practical steps that security teams can take? Here are some key questions to consider.

  • How are you baselining your initial mobile device risk posture for both managed and unmanaged devices, and responding dynamically to elevated risk?
  • How many mobile devices are accessing corporate assets that are unmanaged or without visibility?
  • What is the strategy for BYO devices and unmanaged applications?
  • What are the zero trust initiatives, and where does mobile fit?
  • What is the vision for consolidating mobile security telemetry as part of your data lake and extended detection and response (XDR) strategies?
  • Organisations often have a solid strategy for email phishing attacks; how does the organisation reduce risk, measure, and respond to mobile phishing attacks?
  • What is your strategy for mobile ransomware and spyware?
  • How are you assessing the potential risk of publicly available applications on managed and unmanaged devices?
  • How are you addressing local privacy and data laws and compliance needs, such as the Australian Privacy Act, across your mobile assets (devices and apps)?

Ransomware: How to Defend Against a Four-Decade Old Foe

The first documented attack[1] may have occurred back in the late 1980s, yet ransomware is still topping the list of cyberthreats faced by both organisations and individuals today.

An ever-evolving form of malware, ransomware is designed to encrypt data files until the victim pays a fee to the attacker. In some cases, attackers also threaten to release copies of the files publicly unless payment is made.

During the past 40 years, ransomware has been constantly evolving both technically and organisationally. The tactic has now matured to the point where ransomware-as-a-service (RaaS) providers offer access to tools that can allow people with little technical knowledge to launch attacks.

Recently, there has also been a sharp increase in the use of artificial intelligence (AI) tools as part of the ransomware development process. Cybercriminals are using tools such as ChatGPT to create code which is then used to mount attacks.

Detection techniques

Detecting ransomware attacks is challenging because the techniques and code being used are constantly evolving. In many cases threats only come to light when users discover they have lost access to their data because files have been encrypted.

Thankfully, there are a range of detection methods and tools that can assist in overcoming this challenge. For example, signatures and indicators of compromise (IOCs) can be incorporated into intrusion detection systems or network devices.

Threat intelligence sources can also allow a security team to block anomalous activity before it can cause harm within an organisation’s IT infrastructure. At the same time, rigorous email screening can spot and remove malicious links or attachments before users are tempted to interact with them.

Security teams can also take advantage of the widely used MITRE ATT&CK Matrix. This resource contains details on more than 220 adversary techniques, knowledge that can be used to ward off ransomware threats.

The matrix is a globally accessible knowledge base of cybercriminal tactics and techniques based on real-world observations. It can be used to enhance, analyse, and test an organisation’s threat hunting and detection capabilities.

Prevention and mitigation strategies

As well as improving threat detection capabilities, security teams should also focus on putting in place a range of other prevention and mitigation techniques that can reduce the impact of an attack should one take place.

One key capability needed is being able to automatically isolate infected systems before the ransomware code can spread more widely throughout an IT infrastructure. This will limit the effect of an attack and reduce the number of files that become inaccessible.

IT teams should also have in place a process of regular data backups. If primary files become encrypted, backups will assist an organisation to get back up and running as quickly as possible.

Tasks such as deploying software patches as soon as they are released are also critical. This will reduce the chances of cybercriminals taking advantage of known vulnerabilities when mounting their attack.

Security teams should also consider deploying a Security Information and Event Management (SIEM) platform. A SIEM provides real-time analysis of security alerts generated by applications and network hardware, which in turn allows attacks to be neutralised as quickly as possible.

It can also be worth making use of a User and Entity Behaviour Analytics (UEBA) tool. These tools can automatically spot anomalous traffic or activity on a network that could be a sign of a ransomware attack.

Examples include an unusual volume of successful authentications, showing that an account is logging in far more often than it normally does, or a user who appears to be logging in from multiple locations at the same time. Either pattern can signal an account being used by an attacker.
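As an added example, not code from LogRhythm or from this article, here is a small Python script that runs the two UEBA-style checks just described over constructed login events. The users, locations, timestamps and baseline counts are all assumed sample data, and the thresholds (three standard deviations, a ten-minute window) are illustrative choices.

```python
"""UEBA-style checks over constructed login events (added example, not
LogRhythm's code): flag a user logging in far above their own baseline and
a user authenticating from several locations within minutes."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev
# Constructed history: successful logins per day for the last 7 days.
BASELINE = {"alice": [3, 3, 4, 3, 3, 4, 3], "bob": [2, 3, 2, 2, 3, 2, 2]}
# Constructed one-day log: "<ISO time> <user> <success|failure> <location>".
SAMPLE_LOG = """\
2024-03-04T08:01:00 alice success sydney
2024-03-04T08:02:00 bob success melbourne
2024-03-04T08:03:00 bob failure perth
2024-03-04T08:04:00 bob success perth
2024-03-04T08:30:00 alice success sydney
2024-03-04T09:00:00 alice success sydney
2024-03-04T09:30:00 alice success sydney
2024-03-04T10:00:00 alice success sydney
"""

def parse_events(text):
    """Return (time, user, succeeded, location) per log line."""
    rows = (line.split() for line in text.splitlines())
    return [(datetime.fromisoformat(t), u, r == "success", loc) for t, u, r, loc in rows]

def flag_login_volume(events, baseline, z=3.0):
    """Users whose successful-login count exceeds mean + z*stdev of their own history."""
    counts = Counter(u for _, u, ok, _ in events if ok)
    flagged = {}
    for user, n in counts.items():
        hist = baseline.get(user)
        if not hist:  # account with no history at all: always worth a look
            flagged[user] = "no baseline"
        elif n > mean(hist) + z * pstdev(hist):
            flagged[user] = f"{n} logins vs baseline mean {mean(hist):.1f}"
    return flagged

def flag_concurrent_locations(events, window=timedelta(minutes=10)):
    """Users with consecutive successful logins from different locations within `window`."""
    by_user = defaultdict(list)
    for ts, user, ok, loc in sorted(events):  # chronological order per user
        if ok:
            by_user[user].append((ts, loc))
    flagged = {}
    for user, logins in by_user.items():
        for (t0, a), (t1, b) in zip(logins, logins[1:]):
            if a != b and t1 - t0 <= window:
                flagged[user] = f"{a} then {b} {(t1 - t0).seconds // 60} min apart"
                break
    return flagged
```

In a real deployment the baseline would be learned from weeks of SIEM data per account, and the failed login in the sample is deliberately excluded so that a burst of failures is handled by a separate brute-force rule.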

By making use of such tools and developing a comprehensive security strategy, organisations can be well placed to prevent ransomware attacks or quickly bring one under control should it occur. With the threats posed by ransomware showing no sign of easing, taking such steps now can help to prevent significant disruption and loss in the future.


Michael Bovalino, ANZ Country Manager, LogRhythm