Category Archives: Emerging Threats

5 Critical Lessons for IoT Vendors from the CrowdStrike/Microsoft Global Outage

Posted on by
Reply

Hey there,infosec aficionados! The recent CrowdStrike/Microsoft global outage sent shockwaves through the tech world, and if you’re in the IoT game, you’d better be taking notes. Let’s dive into the top 5 lessons that every IoT vendor should be etching into their playbooks right now.

 1. Resilience Isn’t Just a Buzzword, It’s Your Lifeline

Listen up, folks. If this outage taught us anything, it’s that our interconnected systems are about as fragile as a house of cards in a hurricane. One domino falls, and suddenly we’re all scrambling. For IoT vendors, resilience isn’t just nice to have – it’s do or die.

You need to be building systems that can take a punch and keep on ticking. Think redundancy, failover mechanisms, and spreading your infrastructure across the globe like you’re planning for the apocalypse. Because in our world, every day could be doomsday for your devices.

 2. Data Recovery: Your Get-Out-of-Jail-Free Card

When the data center lights (and flights) went out, a lot of folks found themselves up the creek without a paddle – or their data. IoT vendors, take heed: your backup and recovery game needs to be top-notch. We’re talking bulletproof backups and recovery processes that you could run in your sleep.

And don’t just set it and forget it. Test those recovery processes like you’re prepping for the Olympics. Because when the big one hits, you don’t want to be caught with your data flows down.

 3. Updates: Handle with Extreme Caution

Here’s a plot twist for you: the very thing meant to protect us – a security update – was what kicked off this whole mess. It’s like locking your door and realizing you’ve handed the key to a burglar.

IoT vendors, you need to treat every update like it’s potentially toxic. Rigorous testing, staged rollouts, and the ability to hit the “undo” button faster than you can say “oops” – these aren’t just good practices, they’re your survival kit.

 4. Know Thy Dependencies (and Their Dependencies)

In this tangled web we weave, you might think you’re an island, but surprise! You’re probably more connected than Kevin Bacon. The CrowdStrike/Microsoft fiasco showed us that even if you weren’t directly using their services, you might still end up as collateral damage.

So, IoT vendors, it’s time to play detective. Map out every single dependency in your tech stack, and then map their dependencies. And for the love of all things cyber, diversify! A multi-vendor approach might give you a headache now, but it’ll be a lifesaver when the next big outage hits.

 5. Incident Response: Time to Get Real

If your incident response plan is collecting dust on a shelf (or worse, is just a figment of your imagination), wake up and smell the coffee! This outage caught a lot of folks with their guards down, and it wasn’t pretty.

You need to be running drills like it’s the end of the world. Simulate failures, practice your response, and then do it all over again. Because when the real deal hits, you want your team moving like a well-oiled machine, not like headless chickens.

 The Bottom Line

Look, in our hyper-connected IoT world, massive outages aren’t a matter of if, but when. It’s time to stop crossing our fingers and hoping for the best. Resilience, recovery, and rock-solid response capabilities – these are the tools that will separate the IoT winners from the losers in the long run.

So, IoT vendors, consider this your wake-up call. Are you ready to step up your game, or are you going to be the next cautionary tale? The choice is yours.

Need help building an industry-leading IoT information security program? Our vCISOs have the knowledge, experience, and wisdom to help you, no matter your starting poing. Drop us a line at info@microsolved.com for a no hassle discussion and use cases. 

 

 

* AI tools were used as a research assistant for this content.

Preparing Your Infosec Program for Quantum Computing

Posted on by
Reply

 

Imagine a world where encryption, the bedrock of our current cybersecurity measures, can be unraveled in mere moments. This reality is not just conceivable; it’s on the horizon with the advent of quantum computing. A groundbreaking leap from traditional binary computing, quantum computing has the potential to redefine what we deem secure.

Delving into the peculiar realm of quantum mechanics unleashes power that eclipses the might of our current supercomputers. To truly grasp how this will reshape information security, one must understand qubits and the unfathomable processing capabilities they present. The security protocols we depend on today are poised for a seismic shift as quantum computers become more prevalent.

In this article, we embark on a journey through the landscape of quantum computing and its impending collision with the world of cybersecurity. From exploring quantum-resistant cryptography to pondering the role of agencies in securing data in a post-quantum Era, we will prepare your infosec program to stand firm in the face of this computational tidal wave.

Understanding the Basics of Quantum Computing

Quantum computing signifies a revolutionary leap from classical computers, fundamentally altering the landscape of data processing. The core of this transformation lies in the utilization of quantum bits or qubits. Unlike standard bits, which are confined to a binary state of either 0 or 1, qubits harness the peculiar properties of quantum mechanics. These particles can exist in a state of superposition, being both 0 and 1 simultaneously, which greatly expands their computational capacity.

To maintain their complex states, qubits require an environment that isolates them from any external interference. Achieving this usually involves extreme measures such as cooling systems that approach absolute zero temperatures. This delicate balance is essential to prevent the decoherence and degradation of the qubit’s information.

Another hallmark of quantum computing is entanglement, a phenomenon where qubits become so deeply linked that the state of one will instantaneously influence its entangled partner, regardless of the distance separating them. This interconnection paves the way for unprecedented speed and efficiency in computing processes.

Given the immense computing power quantum machines are expected to yield, they pose a critical concern for information security. Current cryptographic protocols, which rely on the computational difficulty of certain mathematical problems, might become easily solvable in a fraction of the time currently required. Therefore, in anticipation of this quantum threat, governments and institutions like the National Institute of Standards and Technology (NIST) are proactively working on developing and standardizing quantum-resistant cryptographic mechanisms. These intensified efforts aim to buttress our cybersecurity infrastructure against the potential onslaught of quantum attacks that could exploit the vulnerabilities of classical cryptographic systems.

Explaining Quantum Computers

Quantum Computers

Feature

Description

Qubits

Utilize qubits instead of bits, allowing for simultaneous representation of 0 and 1 through superposition.

Entanglement

A property where qubits are interconnected so that the state of one can instantaneously impact another.

Encryption Threat

Pose danger to current encryption methods due to their ability to solve complex cryptographic problems rapidly.

Quantum computers diverge entirely from the operational framework of classical computers. While traditional machines process data linearly, quantum computers leverage the dual state capability of qubits through superposition, allowing them to perform multiple calculations concurrently.

The intrinsic feature of entanglement in quantum computers enables a linked state among qubits, enabling immediate and correlated changes across them. This feature dramatically accelerates complex problem-solving and data analysis processes.

The exponential speed and power of quantum machines offer promising advancements but simultaneously challenge the integrity of cryptographic algorithms, including those protecting internet infrastructure. As quantum computers excel at calculating large numbers efficiently, they could potentially decipher encryption swiftly, rendering many of the security protocols we currently rely on ineffective. This quantum leap requires a reevaluation and reinforcement of encryption to secure data against the potential intrusion by these powerful computing entities.

Discussing Quantum Bits (Qubits)

Quantum bits – or qubits – are the quintessential building blocks of quantum computers. By being able to embody multiple states at once through superposition, they bypass the limitations of classical bits. This property permits an exponential increase in computing power, as each qubit added to the system essentially doubles its capacity.

Entanglement compounds this capability, fostering a network of qubits that synchronize changes over any distance. This drastically enhances efficiency, enabling rapid complex calculations and high-level problem-solving far beyond the scope of traditional computing.

The manipulation of qubits through quantum algorithms, exploiting both superposition and entanglement, allows quantum computers to perform functions in mere moments that would take classical computers years. However, it’s key to note that this power to swiftly navigate through vast computational possibilities not only offers solutions but also necessitates the evolution of cybersecurity measures.

Exploring Quantum Mechanics and Its Relation to Computing

Quantum Mechanics Principles in Computing

  • Superposition: Facilitates qubits to be both 0 and 1 concurrently, enabling parallel calculation capabilities.
  • Entanglement: Connects qubits, allowing information sharing instantaneously regardless of distance.
  • Acceleration: Propels computing processes at an unprecedented pace, opening new possibilities for industries.

Quantum mechanics and computing are intertwined, with the former offering an analytical lens for the latter. By viewing computing through the principles of quantum physics, a vast new computational paradigm emerges. The spoils of quantum mechanics, such as superposition and entanglement, permit the functionality of quantum bits, or qubits, fundamentally differentiating quantum computers from their classical counterparts.

These quantum properties allow for parallel calculations to be conducted simultaneously, something utterly impossible for classical computing architecture. With the formidable capability to expedite solutions and answer monumental questions across varied industries, quantum computing is expected to drive significant progress in the next decade.

However, the same properties that endow quantum computers with their power also render current encryption models, like RSA, profoundly vulnerable. Quantum computers can decipher complex numerical problems in a fraction of the time expected by traditional systems, therefore outpacing and potentially compromising existing cybersecurity measures. Consequently, acknowledging and preparing for quantum impacts on encryption is paramount, ensuring a secure transition into the impending post-quantum world.

The Implications of Quantum Computing on Cybersecurity

Quantum computing heralds a double-edged sword for the digital world; on one side, it promises unprecedented computational breakthroughs, and on the other, it poses a seismic threat to cybersecurity. The very nature of quantum computing, with its ability to solve complex problems that are intractable for classical computers, could undermine encryption methods that protect everything from daily financial transactions to state secrets. Data meant to be safeguarded for an extended period is at risk, as current encryption could eventually be rendered obsolete by quantum techniques.

Recognizing this, efforts to create quantum-resistant encryption are gaining momentum. NIST, among other institutions, is actively seeking post-quantum solutions, having sifted through 69 potential cryptographic methods. The road ahead is a paradigm shift in cybersecurity strategy: to adopt a multi-layered, quantum-safe defense and build an infrastructure resilient to the quantum age. Such a transition demands identifying and protecting critical data assets with diversified cryptographic solutions and contemplating novel, quantum-robust algorithms for enduring security.

As quantum technology advances, organizations must remain vigilant, continuously adapting to new cybersecurity regulations and principles like zero-trust architecture to fortify themselves against future quantum exploits.

Identifying the Quantum Threat to Cryptographic Algorithms

The Cloud Security Alliance forecasts a worrisome horizon for cryptographic algorithms such as RSA, Diffie-Hellman, and Elliptic-Curve Cryptography, indicating their susceptibility to quantum attacks possibly by April 2030. Such a development exposes organizations to ‘harvest now, decrypt later’ scenarios, where adversaries collect encrypted information, waiting to unlock it with mature quantum capabilities.

Notably, over half of the participants in a Deloitte Poll acknowledged this risk, attesting to the widespread concern regarding quantum computing’s impact on cryptography. The crux of this threat is the superior ability of qubits, the core units of quantum computing, to tackle multifaceted problems rapidly. Hence, the urgency to innovate quantum security measures is fundamental, demanding a robust cybersecurity edifice that can withstand advanced future threats.

Assessing the Impact of Powerful Quantum Computers on Current Security Measures

Contemporary cybersecurity rests on encryption algorithms like RSA, which powerful quantum computers could nullify. Post-quantum cryptography (PQC) seeks to mitigate this threat, ensuring our safety protocols are compatible with a quantum future.

The U.S. National Institute of Standards and Technology (NIST) is at the Knowledge cutoff: forefront, assessing 69 methods for such cryptography. Moreover, the ‘harvest now, decrypt later’ dynamic looms as a direct consequence of powerful quantum computing, prompting the necessity for quantum-safe countermeasures, without which industries face considerable security risks.

Recognizing the Challenges of Key Distribution in a Post-Quantum World

With the prospect of quantum computing, the secure distribution of cryptographic keys becomes ever more crucial, yet challenging. The landscape beyond the coming decade needs to account for quantum threats; organizations must ensure continued data safety while raising awareness among leaders and stakeholders.

Strategies like crypto agility are crucial, providing the flexibility necessary to transition between algorithms in response to emerging vulnerabilities or quantum threats. Additionally, the integration of traditional and quantum-driven security methods or technologies like Quantum Key Distribution could bolster our cryptographic defenses in this new computational era.

Analyzing the Implications for Crypto Agility in the Face of Quantum Attacks

The ascent of quantum computing casts a foreboding shadow over established encryption methods such as RSA and ECC. Algorithms conceived for quantum machines, like Shor’s and Grover’s, are primed to factorize large numbers expeditiously, undermining the foundations of conventional cryptographic security.

Post-quantum cryptography is the beacon of hope, looking at alternatives like lattice-based cryptography founded on the intricacies of lattice mathematics for quantum-resistant encryption methods. With 50.2% of respondents in a Deloitte Poll voicing concern over ‘harvest now, decrypt later’ threats, the imperative for crypto agility has never been clearer. Making a preemptive pivot towards quantum-resistant solutions is both a strategic and necessary stance to counter the coming quantum onslaught.

Quantum Technologies and their Potential Impact on Infosec Programs

Quantum computing represents a transformative force across sectors, boasting the ability to accelerate problem-solving capabilities to levels unattainable by classical systems. Within the sphere of cybersecurity, this computing paradigm foreshadows profound repercussions. Existing security protocols could falter as advanced computational techniques emerge, rendering them inadequate against quantum-powered attacks.

To hedge against this prospective quantum revolution, organizations are hastily directing focus toward post-quantum cryptography (PQC). This advanced subset of cryptographic algorithms is designed to be quantum-resistant, ensuring the protection of sensitive data even against adversaries wielding quantum tools. In a proactive move, NIST has earmarked four quantum-resistant encryption methods, setting the stage for a fortified cybersecurity infrastructure in the impending era of quantum computing.

Another trailblazing quantum technology is Quantum Key Distribution (QKD). QKD exemplifies a formidable approach to escalated security, exploiting the quirks of quantum physics to enable impenetrable key distribution, safeguarding against even the most sophisticated eavesdropping endeavors. As such, the confluence of PQC and QKD marks a pivotal junction in the roadmap for future infosec programs that need to anticipate the universal challenges posed by quantum technologies.

Examining the Role of Quantum Computing in Artificial Intelligence and Machine Learning

The symbiosis of quantum computing and artificial intelligence (AI) promises an era where data is dissected with unparalleled precision. Quantum machine-learning could significantly enhance AI algorithms, sharpening the detection of evolving cyber threats. Thanks to the deftness of quantum computers in sifting through extensive datasets, quantum advantage could lead to more astute and efficient pattern recognition, empowering real-time threat detection, and proactive response systems.

Furthermore, the nascent realm of quantum computing stands to revolutionize network security through its prowess in dissecting complex networks, uncovering latent vulnerabilities, and buttressing cybersecurity frameworks against imminent threats. The precipitous growth of quantum-informed algorithms suggests a future where AI and machine learning not only accelerate but also achieve greater energy efficiency in warding off novel cyber risks.

One cannot ignore, however, the demands such developments place on human capital. Quantum computing necessitates a cadre of skilled professionals, ushering in an educational imperative to train and cultivate expertise in this avant-garde technology.

Exploring the Integration of Quantum Technologies into Traditional Computers

In the advent of a hybridized technology ecosystem, quantum computers are poised to take on the mantle of specialized co-processors, alongside their classical counterparts. Such arrangements would enable classical systems to offload computationally intense tasks, particularly those well-suited to quantum’s nuanced problem-solving capabilities. Yet, this marriage of digital methodologies is not without its pitfalls.

Integrating quantum and classical systems may inadvertently create conduits for established cybersecurity threats to infiltrate quantum realms. The anticipated arrival of standardized quantum algorithms within the next several years provides some assurance, although the perpetual evolution of quantum computing techniques may challenge such uniformity.

Taking center stage in the convergence of quantum and traditional computing is the Quantum Key Distribution (QKD), an encryption method that leverages quantum physics to deliver keys with guaranteed secrecy. Despite these innovative strides, vulnerabilities highlighted by quantum factorization methods, like Peter Shor’s notorious algorithm, forecast potential threats, especially to cornerstone encryption protocols such as RSA.

Evaluating the Processing Power of Quantum Computers and its Effect on Cybersecurity

Quantum computing’s extraordinary processing power is derived from quantum bits, or qubits, which operate in a rich tapestry of states beyond the binary confines of classical bits. This quantum capability enables the performance of calculations at a pace and complexity that is exponential compared to traditional computing power. The crux of the matter for cybersecurity is the implications this has on encryption, as quantum computers can potentially break encryptions that classical computers would never feasibly solve.

The burgeoning presence of quantum computing introduces a myriad of challenges, not least the financial and accessibility barriers for smaller organizations. As advancements in quantum computing gain momentum, the cybersecurity landscape will need to adapt to an ever-evolving set of challenges, requiring vigilant monitoring and nimble responses.

To keep apace with the dynamic growth of quantum computing, a collaborative trinity of industry, academia, and government is imperative. Together, these stakeholders are the keystone in the archway leading to new cryptographic defenses, ensuring the enduring confidentiality and integrity of private information amidst the quantum computing revolution.

Strategies for Adapting Infosec Programs to the Quantum Computing Era

As quantum computing continues to develop, its potential impact on cybersecurity grows exponentially. Infosec programs, therefore, must evolve with the emerging quantum threat. Here are key strategies for ensuring that security frameworks remain robust and agile in the face of quantum advancements:

  • Evaluating Post-Quantum Cryptography (PQC): Proactively assess and integrate NIST-approved PQC algorithms into existing security protocols to ensure data remains secure against quantum computers.
  • Employing Quantum Key Distribution (QKD): Consider the practicality and benefits of QKD for safeguarding critical communications against quantum spying techniques.
  • Practicing Quantum-Secure Governance: Develop and instill governance principles that specifically address the unique considerations of quantum technologies to establish trust and mitigate risks.
  • Prioritizing Data Protection: Identify and categorize the sensitivity of organizational data to strategize encryption overlays and safeguard valuable assets.
  • Implementing Crypto Agility: Embrace a comprehensive risk assessment approach that prioritizes the swift adoption of quantum-resistant mechanisms and allows for quick adaptation to new cryptographic standards.

Developing Quantum-Resistant Cryptographic Algorithms

In anticipation of quantum computing’s potential to disrupt current cryptographic models, the development of quantum-resistant algorithms is critical. Lattice-based, code-based, multivariate, hash-based, and isogeny-based cryptography exemplify such pioneering approaches. These algorithms aim to withstand the computational supremacy of quantum mechanics. However, this futuristic cryptography frontier presents unique challenges, including the steep curve in development, adoption, and the required coordination among global stakeholders to achieve homogeneity in protection measures.

Implementing Quantum-Safe Key Distribution Mechanisms

The secure exchange of encryption keys is fundamental to confidential communication. Quantum key distribution (QKD) emerges as a cutting-edge mechanism, utilizing quantum states to thwart eavesdropping attempts detectably. Integrating QKD entails specialized infrastructure, such as high-quality fiber optics, and embodies the principle of forward secrecy. By leveraging the peculiar characteristics of photons during transmission, QKD introduces an inherently secure method of key exchange, bolstering defenses against both current and potential future quantum interceptions.

Enhancing Post-Quantum Crypto Agility

Crypto agility is paramount for organizations navigating the transition to post-quantum cryptography (PQC). Forward-thinking entities are recognizing the necessity of adopting NIST’s identified PQC algorithms as part of their cyber-defense arsenal. With an estimated 5 to 10-year window for full implementation, the race is on to redesign infrastructure with quantum-resistant measures. Achieving this elastic state of post-quantum crypto agility will ensure that organizations can seamlessly evolve alongside emerging cryptographic standards, mitigating quantum-related threats.

Leveraging Quantum Technologies for Enhanced Security Measures

The integration of quantum technologies offers a vanguard in security measures. Utilizing quantum random number generators lays the foundation for constructing encryption keys grounded in the incontrovertibility of physical laws, delivering unprecedented guarantees. Innovations such as the Quantum Origin platform are fostering stronger cryptographic resilience. Major tech players—eyeing the transformative trajectory of quantum computing—are already providing quantum capabilities through cloud services, underscoring the urgency for organizations to harness these emerging technologies to fortify their cybersecurity posture against quantum-scale threats.

Summary

  • Quantum Mechanics Leap: Quantum computers leverage quantum mechanics, outperforming traditional computers in certain tasks.
  • Superior Processing: They offer unprecedented computational power, solving complex problems efficiently.
  • Cryptographic Algorithms Crisis: Current cryptographic algorithms may become vulnerable to quantum attacks.
  • Quantify the Quantum Threat: Assessing the quantum threat is essential for future-proof cybersecurity strategies.
  • Post-Quantum Cryptography Need: Development of quantum-resistant encryption methods is crucial.
  • Quantum Bits Revolution: Utilizing quantum bits (qubits) fundamentally changes data processing and security.
  • Crypto Agility is Paramount: Organizations must adapt to crypto agility to respond to quantum threats swiftly.
  • Key Distribution Redefined: Quantum key distribution promises enhanced security in the quantum era.
  • National Security Implications: Government agencies are deeply invested due to implications for national security.
  • Global Race for Quantum Supremacy: Powers vie for control over quantum computing’s immense potential.

Implication Aspect

Traditional computing

Quantum Computing

Computational Speed

Limited processing power

Exponential capabilities

Encryption

Currently secure

Potentially vulnerable

Security Focus

Crypto stability

Crypto agility

National Security

Important concern

Top priority

In summary, the rise of quantum computing presents both an opportunity and a formidable challenge for cybersecurity, necessitating the development of robust post-quantum cryptography and strategic adaptation across global industries.

 

 

* AI tools were used as a research assistant for this content.

 

 

Ensuring Cybersecurity: Blocking Discord Access with Firewall Rules

Posted on by
Reply

 

I. Introduction

Purpose of Blocking Discord Access

Social media and communication platforms like Discord are everywhere in today’s digital landscape. However, their widespread use also introduces significant cybersecurity risks. Discord, known for its extensive user base and real-time communication features, can be a vector for malicious actors’ malware distribution and command and control (C2) operations. Blocking access to Discord within a corporate environment is a proactive measure to mitigate these risks.

Importance of Controlled Access to Prevent Malware Command and Control

Controlling access to external platforms is crucial in preventing unauthorized use of corporate resources for malicious purposes. By restricting access to platforms like Discord, organizations can reduce the risk of malware infections, data breaches, and unauthorized communications. This measure helps keep network integrity and security intact, safeguarding sensitive business information from cyber threats.

II. Assessing Business Needs

Identifying Users with Legitimate Business Needs

Before implementing a blanket ban on Discord, it’s essential to identify any legitimate business needs for accessing the platform. This could include marketing teams monitoring brand presence, developers collaborating with external partners, or customer support teams engaging with clients through Discord channels.

Documenting and Justifying Business Needs

Once legitimate needs are identified, they should be documented comprehensively. This documentation should include the specific reasons for access, the potential benefits to the business, and any risks associated with allowing such access. This step ensures that decisions are transparent and justifiable.

Approval Process for Access

Establish a formal approval process for users requesting access to Discord. This process should involve a thorough IT and security team review, considering the documented business needs and potential security risks. Approved users should be granted access through secure, monitored channels to ensure compliance with corporate policies.

III. Technical Controls

A. Network Segmentation

Isolating Critical Systems

One of the fundamental strategies in cybersecurity is network segmentation. Organizations can limit the potential impact of a security breach by isolating critical systems from the rest of the network. Critical systems should be placed in separate VLANs (Virtual Local Area Networks) with strict access controls.

Implementing VLANs

Creating VLANs for different departments or user groups can help manage and monitor network traffic more effectively. For instance, placing high-risk users (those needing access to external platforms like Discord) in a separate VLAN allows for focused monitoring and control without impacting the broader network.

B. Firewall Rules

Blocking Discord-Related IPs and Domains

To block Discord access, configure firewall rules to block known Discord IP addresses and domain names. For example:

! Block Discord IP addresses
access-list 101 deny ip any host 162.159.129.233
access-list 101 deny ip any host 162.159.128.233

! Block Discord domain names
ip domain list discord.com
ip domain list discord.gg
access-list 101 deny ip any host discord.com
access-list 101 deny ip any host discord.gg

! Apply the access list to the appropriate interface
interface GigabitEthernet0/1
 ip access-group 101 in

For comprehensive lists of Discord servers and IPs to block, refer to resources such as:

Creating Whitelists for Approved Users

For users with approved access, create specific firewall rules to allow traffic. This can be done by setting up a whitelist:

! Allow approved users to access Discord
access-list 102 permit ip host approved_user_ip any

! Apply the whitelist access list to the appropriate interface
interface GigabitEthernet0/1
 ip access-group 102 in

C. Proxy Servers

Filtering Traffic

Utilize proxy servers to filter and control web traffic. Proxy servers can block access to Discord by filtering requests to known Discord domains. This ensures that only approved traffic passes through the network.

Monitoring and Logging Access

Proxy servers should also be configured to monitor and log all access attempts. These logs should be reviewed regularly to detect unauthorized access attempts and potential security threats.

D. Application Control

Blocking Discord Application

Application control can prevent the installation and execution of the Discord application on corporate devices. Use endpoint security solutions to enforce policies that block unauthorized software.

Allowing Access Only to Approved Instances

For users who need Discord for legitimate reasons, ensure they use only approved instances. This can be managed by allowing access only through specific devices or within certain network segments, with continuous monitoring for compliance.

Conclusion

Blocking Discord access in a corporate environment involves a multi-layered approach combining policy enforcement, network segmentation, firewall rules, proxy filtering, and application control. Organizations can mitigate the risks associated with Discord by thoroughly assessing business needs, documenting justifications, and implementing robust technical controls while allowing necessary business functions to continue securely.

For assistance or additional insights on implementing these controls, contact MicroSolved. Our team of experts is here to help you navigate the complexities of cybersecurity and ensure your organization remains protected against emerging threats.

 

 

* AI tools were used as a research assistant for this content.

 

How to Craft Effective Prompts for Threat Detection and Log Analysis

Posted on by
Reply

 

Introduction

As cybersecurity professionals, log analysis is one of our most powerful tools in the fight against threats. By sifting through the vast troves of data generated by our systems, we can uncover the telltale signs of malicious activity. But with so much information to process, where do we even begin?

The key is to arm ourselves with well-crafted prompts that guide our investigations and help us zero in on the threats that matter most. In this post, we’ll explore three sample prompts you can use to supercharge your threat detection and log analysis efforts. So grab your magnifying glass, and let’s dive in!

Prompt 1: Detecting Unusual Login Activity

One common indicator of potential compromise is unusual login activity. Attackers frequently attempt to brute force their way into accounts or use stolen credentials. To spot this, try a prompt like:

Show me all failed login attempts from IP addresses that have not previously authenticated successfully to this system within the past 30 days. Include the source IP, account name, and timestamp.

This will bubble up login attempts coming from new and unfamiliar locations, which could represent an attacker trying to gain a foothold. You can further refine this by looking for excessive failed attempts to a single account or many failed attempts across numerous accounts from the same IP.

Prompt 2: Identifying Suspicious Process Execution

Attackers will often attempt to run malicious tools or scripts after compromising a system. You can find evidence of this by analyzing process execution logs with a prompt such as:

Show me all processes launched from temporary directories or user profile AppData directories. Include the process name, associated username, full command line, and timestamp.

Legitimate programs rarely run from these locations, so this can quickly spotlight suspicious activity. Pay special attention to scripting engines like PowerShell or command line utilities like PsExec being launched from unusual paths. Examine the full command line to understand what the process was attempting to do.

Prompt 3: Spotting Anomalous Network Traffic

Compromised systems frequently communicate with external command and control (C2) servers to receive instructions or exfiltrate data. To detect this, try running the following prompt against network connection logs:

Show me all outbound network connections to IP addresses outside of our organization’s controlled address space. Exclude known good IPs like software update servers. Include source and destination IPs, destination port, connection duration, and total bytes transferred.

Look for long-duration connections or large data transfers to previously unseen IP addresses, especially on non-standard ports. Correlating this with the associated process can help determine if the traffic is malicious or benign.

Conclusion

Effective prompts like these are the key to unlocking the full potential of your log data for threat detection. You can quickly identify the needle in the haystack by thoughtfully constructing queries that target common attack behaviors.

But this is just the beginning. As you dig into your findings, let each answer guide you to the next question. Pivot from one data point to the next to paint a complete picture and scope the full extent of any potential compromise.

Mastering the art of prompt crafting takes practice, but the effort pays dividends. Over time, you’ll develop a robust library of questions that can be reused and adapted to fit evolving needs. So stay curious, keep honing your skills, and happy hunting!

More Help?

Ready to take your threat detection and log analysis skills to the next level? The experts at MicroSolved are here to help. With decades of experience on the front lines of cybersecurity, we can work with you to develop custom prompts tailored to your unique environment and risk profile. We’ll also show you how to integrate these prompts into a comprehensive threat-hunting program that proactively identifies and mitigates risks before they impact your business. Be sure to start asking the right questions before an attack succeeds. Contact us today at info@microsolved.com to schedule a consultation and build your defenses for tomorrow’s threats.

 

* AI tools were used as a research assistant for this content.

 

Keeping Track of Your Attack Surfaces

Posted on by
Reply

In the modern, digitally connected realm, the phrase “out of sight, out of mind” could have calamitous implications for organizations. As cyber adversaries incessantly evolve in their nefarious techniques, staying ahead in the cybersecurity arms race is imperative. One robust strategy that has emerged on the horizon is Continuous Threat Exposure Management (CTEM) programs. These programs are pivotal in enabling organizations to meticulously understand and manage their attack surface, thus forming a resilient shield against malicious onslaughts such as ransomware attacks.

A deeper dive into CTEM unveils its essence: it’s an ongoing vigilance protocol rather than a one-off checklist. CTEM programs provide a lucid view of the potential vulnerabilities and exposures that adversaries could exploit by continuously scanning, analyzing, and evaluating the organization’s digital footprint. This proactive approach transcends the conventional reactive models, paving the way for a fortified cybersecurity posture.

Linking the dots between CTEM and ransomware mitigation reveals a compelling narrative. Ransomware attacks have metamorphosed into a menace that spares no industry. The grim repercussions of these attacks underscore the urgency for proactive threat management. As elucidated in our previous blog post on preventing and mitigating ransomware attacks, a proactive stance is worth its weight in digital gold. Continuous Threat Exposure Management acts as a linchpin in this endeavor by offering a dynamic, real-time insight into the organization’s attack surface, enabling timely identification and remediation of vulnerabilities.

MicroSolved (MSI) stands at the forefront in championing the cause of proactive cybersecurity through its avant-garde CTEM solutions. Our offerings are meticulously crafted to provide a panoramic view of your attack surface, ensuring no stone is left unturned in identifying and mitigating potential threats. The amalgamation of cutting-edge technology with seasoned expertise empowers organizations to stay several strides ahead of cyber adversaries.

As cyber threats loom larger, embracing Continuous Threat Exposure Management is not just an option but a quintessential necessity. The journey towards a robust cybersecurity posture begins with a single step: understanding your attack surface through a lens of continuous vigilance.

We invite you to contact MicroSolved (MSI) to explore how our CTEM solutions can be the cornerstone in your quest for cyber resilience. Our adept team is poised to guide you through a tailored roadmap that aligns with your unique organizational needs and objectives. The digital realm is fraught with peril, but with MicroSolved by your side, you can navigate through it with confidence and assurance.

Contact us today and embark on a journey towards transcending the conventional boundaries of cybersecurity, ensuring a safe and secure digital sojourn for your organization.

* Just to let you know, we used some AI tools to gather the information for this article, and we polished it up with Grammarly to make sure it reads just right!

3 Tips for Locating and Identifying IoT Devices On Your Enterprise Networks

Posted on by
Reply

Are you confident that your enterprise networks are secure? If so, can you be certain all approved IoT devices are accounted for and properly configured? It’s essential to identify every device connected to your network if only to ensure that it is not a malicious actor.

But identifying unauthorized network intruders is not the only reason for carefully inspecting your enterprise networks.

In this article, I’ll provide 3 tips for locating and identifying any Internet of Things (IoT) Devices on your enterprise networks. These tips will help you reduce vulnerability across your entire organization and ensure maximum data security.

Scan The Network

One of the best ways to locate and identify IoT devices on your enterprise networks is to scan the network for any active connections. This can be done using various tools such as nmap or a vulnerability scanning product. By scanning the network, you can see which devices are connecting to your network and get some idea of what they might be. Some tools, including nmap can guess the type of device it might be based on stack fingerprinting or services identified.

Scan For BlueTooth Devices

Many IoT devices use Bluetooth to connect to other devices or interact with users, and scanning for such devices can help you locate them. You can use a tool such as BLE Scanner to detect any active Bluetooth devices connected to your network. This will help you identify unapproved or unauthorized Bluetooth-enabled IoT devices on your networks.

Inventory MAC Addresses And ARP Data

Every IoT device connected to your network has a unique MAC address. By keeping an inventory of all the active MAC addresses, you can quickly identify any new or unauthorized devices connecting to your networks. Additionally, you should monitor ARP data for changes or anomalies. Detecting any suspicious activity could indicate that a malicious actor or unexpected device is attempting to connect to your network.

To look up the MAC address and identify the vendor of an IoT device, you can search using the MAC address on websites such as macvendors.com, which will show you who manufactured the device. Some network security and monitoring systems may also provide a way to look up MAC addresses, allowing you to identify any unauthorized devices on your enterprise networks quickly.

In conclusion, ensuring that all IoT devices connected to your enterprise networks are identified and adequately configured is essential. To do this, you should scan the network for active connections, scan for Bluetooth devices, and inventory MAC addresses and ARP data.

Beware of Increasing Attacker Automation

Posted on by
Reply

Attacker tools and workflows are getting more and more automated. They are able to quickly integrate a variety of attack techniques and targets to automate wider-scale compromises and exploitation. This increase in automated capabilities applies to all phases of the attacker methodologies.

For example, modern attacker and bot-net tools can integrate stolen credentials use (“credential stuffing”) into a wider variety of approaches. They can automate the work of the attackers when they find a successful login. They can also try those credentials against a wider set of targets, including various e-commerce and popular social media sites. Essentially, this makes exploitation of stolen credentials significantly easier for an attacker, and potentially, more damaging to the victims whose credentials have leaked.

Stolen credentials and the tools to use them are evolving rapidly, and a significant amount of innovation and evolution are expected in these tool sets over the next year to 18 months. Entire platforms given to user emulation and capable of doing en masse correlation of stolen user data across breach sets are what I expect to see in the next year or so. When these tools emerge, new economies of scale for online identity theft will quickly emerge, raising both awareness and criticality of the problem.

Folks at various security organizations, including Akamai, are also tracking the problem. (https://portswigger.net/daily-swig/behind-the-botnet-akamais-tony-lauro-on-tackling-real-world-credential-stuffing-attacks) Robust defenses against these automated platforms are going to be needed, and it will place significant stress on organizations who lack mature security programs with advanced visibility and analytics capabilities.

If you’d like some assistance preparing for these types of automated attacks or would like to discuss the potential impacts they may have on your organization, feel free to get in touch (https://microsolved.com/contact) or give us a call at 614-351-1237.

All About Credit Union Credential Stuffing Attacks

Posted on by
Reply

Credential stuffing attacks continue to be a grave concern for all organizations worldwide. However, for many Credit Unions and other financial institutions, they represent one of the most significant threats. They are a common cause of data breaches and are involved in some 76% of all security incidents. On average, our honey nets pretending to be Credit Union and other financial services experience targeted credential stuffing attacks several times per week. 

What Is Credential Stuffing?

“Credential stuffing occurs when hackers use stolen information, such as usernames and passwords from database breaches or phishing software from one account, and attempt to gain access to another. The hackers prey on people’s habit of using the same usernames and passwords for multiple sites. Using automated tools, they run large amounts of stolen information across multiple sites looking to find the same usernames and passwords being used elsewhere. Once they find a match, they can monetize the personal and financial information they gather.” (ardentcu.org)

How Common is Credential Stuffing?

Beyond our honey nets, which are completely fake environments used to study attackers, credential stuffing and the damage it causes is quite starteling. Here are some quick facts:

  • It is estimated that automated credential-stuffing attempts makes up 90% of enterprise login traffic in the US. (securityboulevard.com)

  • It’s estimated that credential stuffing costs companies more than $5 billion a year and creates havoc with consumers. (ardentcu.org)

  • According to Akamai’s latest State of the Internet report on credential stuffing, its customers alone were deluged by 30 billion malicious login attempts between November 2017 and June this year, an average of 3.75 billion per month. (theregister.com)

  • Significant credential stuffing attacks are a favorite of professional hacking groups from Russia, India, Asia and Africa. They often gather extensive lists of stolen and leaked credentials through advanced Google hacking techniques, by combing social media for password dumps (so called “credential spills”) and by purchasing lists of exposed credentials from other criminals on the dark web. Lists of member information from compromised online banking, online retailers and business association sites are common. This information often includes names, addresses, bank account numbers/credit card numbers, social security numbers, phone numbers and other sensitive data – enabling credential stuffing and social engineering attacks against victims around the world.

What Can Credit Unions Do About Credential Stuffing?

The key to handling this threat is to be able to prevent, or at the very least, identify illicit login attempts and automate actions in response to failed logins. Cybercriminals use a variety of tools, rented botnets (including specifically built credential stuffing bots) and brute force attacks to pick off less than strong passwords all around the Internet. Then, as we discussed above, they use that stolen information to probe your credit union for the same login credentials. 

The first, and easiest step, in reducing these cybercriminals’ success rate is to teach all of your legitimate users not to use the same password across multiple systems, and NEVER use passwords from public sites like Facebook, LinkedIn, Instagram, Pinterest or Twitter for example, as account credentials at work or on other important sites. Instead, suggest that they use a password manager application to make it simple to have different passwords for every site. Not only does this help make their passwords stronger, but it can even reduce support costs by reducing password reset requests. Ongoing security awareness is the key to helping them understand this issue and the significance their password choices have on the security of their own personal information and that of the company.

Next, the Credit Union should have a complete inventory of every remote login service, across their Internet presence. Every web application, email service, VPN or remote access portal and every single place that a cybercriminal could try or use their stolen credentials to gain an account takeover. Once, the Credit Union knows where login credentials can be used, they should go about preventing abuse and cyberattacks against those attack surfaces. 

The key to prevention should start with eliminating any Internet login capability that is not required. It should then progress to reducing the scope of each login surface by restricting the source IP addresses that can access that service, if possible. Often Credit Unions are able to restrict this access down to specific countries or geographic areas. While this is not an absolute defense, it does help to reduce the impacts of brute force attacks and botnet scans on the login surfaces. 

The single best control for any authentication mechanism, however, is multi factor authentication (MFA) (basically a form of secure access code provided to the user). Wheverever possible, this control should be used. While multi factor authentication can be difficult to implement on some services, it is widely available and a variety of products exist to support nearly every application and platform. Financial services should already be aware of MFA, since it has been widely regulated by FFIEC, NCUA and FDIC guidance for some time.

More and more, however, credential stuffing is being used against web mail, Office 365 and other email systems. This has become so common, that a subset of data breaches called Business Email Compromise now exists and is tracked separately by law enforcement. This form of unauthorized access has been wildly popular across the world and especially against the financial services of the United States. Compromised email addresses and the resulting wire transfer fraud and ACH fraud that stems from this form of credential theft/identity theft are among some of the highest financial impacts today. Additionally, they commonly lead to malware spread and ransomware infections, if the attacker can’t find a way to steal money or has already managed to do so.

No matter what login mechanism is being abused, even when MFA is in place, logging of both legitimate access and unauthorized access attempts is needed. In the event that a security breach does occur, this data is nearly invaluable to the forensics and investigation processes. Do keep in mind, that many default configurations of web services and cloud-based environments (like Office 365) have much of this logging disabled by default. 

While Credit Unions remain prime targets, having good prevention and detection are a key part of strong risk management against credential stuffing. Practicing incident response skills and business recovery via tabletop exercises and the like also go a long way to stengthening your security team’s capabilities.

How Can MicroSolved Help?

Our team (the oldest security firm in the midwest) has extensive experience with a variety of risk management and security controls, including helping Credit Unions inventory their attack surfaces, identify the best multi factor authentication system for their environment, create policies and processes for ensuring safe operations and performing assessments, configuration audits of devices/applications/cloud environments. 

We also scope and run custom tabletop exercises and help Credit Unions build better information security programs. Our team has extensive experience with business email compromise, wire/ACH/credit card fraud prevention, cybercriminal tactics and incident response, in the event that you discover that credential theft has occurred. 

Lastly, our ClawBack data leak detection platform, can help you watch for leaked credentials, find source code and scripts that might contain reuseable account credentials and even hunt down device configurations that can expose the entire network to easy compromise. 

You can learn more about all of our services, and our 28 years of information security thought leadership here.

Lastly, just reach out to us and get in touch here. We’d love to talk with your Credit Union and help you with any and all of these controls for protecting against credential stuffing attacks or any other cybersecurity issue.

Car Dealership Threat Scenario – Wireless Printer Hacking AP Fraud

Posted on by
Reply

Today, I wanted to talk about a threat scenario that we have modeled recently. In the scenario, the victim was a car dealership, and the target was to commit accounts payable fraud. The testing scenario is a penetration test against a large group of car dealerships, but our research shows the threat to be valid against any number of organizations. 

Here’s the basics of the scenario:

  • The team found a car dealership with an extensive wireless network. Though the network was encrypted and not available to the public, the team was able to compromise the wireless credentials using a wifi pineapple in a backpack, while pretending to shop for a new car.
  • The team used the credentials to return later, appearing to wait for a service visit and working from the customer lounge. (The coffee and snacks were great! )
  • The team logged into the wireless network and quickly identified many devices, workstations and such available. Rather than focus on the workstations or attempt an attack on the users – the team instead focused on the shared printers.
  • One printer was identified with the name “BackOffice”, and access to the print spool was easily obtained through known default passwords which hadn’t been changed on the device.
  • Our team made notes of attack their recon attack path, and left the dealership.
  • Once away from the dealership a couple of simple social engineering calls were made to the accounts payable folks, pretending to be a vendor that we had observed at work at the facility. Without any real information, the accounts payable team member explained when we could expect payment, because accounts payable checks were processed every Thursday morning. The social engineer thanked them and completed the call.
  • On Thursday morning, the team showed up at the dealership again, pretending to wait for a service appointment. While in the lounge, they accessed the compromised network and printer. This time, taking deeper control of the printer’s file buffer.
  • The team waited for the accounts payable staff to submit their weekly check printing to the printer. Indeed, around 10:45, the printer file showed up in the printer spool, where our penetration testing team intercepted it. 
  • The team quickly edited the file, changing one of the checks in amount (increasing the amount by several thousand dollars) and the payee (making the check payable to a fictional company of our choosing). They also edited the mailing address to come to our office instead of the original vendor. (PS – we alerted the manager to this issue, so that the bill could be paid later — never harm a client while doing testing!!!)
  • The file was then re-sent to the printer and released. The whole process occurred in under 3 minutes, so the AP person never even noticed the issue.
  • One expected control was that perhaps the AP staff would manually reconcile the checks against their expected checks, but this control was not in place and the fake check was mailed to us (we returned it, of course!).

This is a pretty simple attack, against a very commonly exploitable platform. Poor wireless network security and default installs of printer systems are common issues, and often not given much thought in most dealerships. Even when organizations have firewalls and ongoing vulnerability scanning, desktop controls, Anti-Virus, etc. – this type of attack is likely to work. Most organizations ignore their printers – and this is an example of how that can bite you.

These types of threat scenarios are great examples of our services and the threat modeling, fraud testing and penetration testing available. If you’d like to learn more about these kinds of activities, or discuss how to have them performed for your organization – get in touch. You can contact us via web form or give us a call at (614) 351-1237. You can also learn more about our role and services specific to car dealerships here.

Thanks for reading and let me know if you have any questions – @lbhuston on Twitter.

ClawBack Insights :: A Conversation with MicroSolved, CEO, Brent Huston

Posted on by
Reply

I recently got interviewed over email by one of my mentees. I thought their questions were pretty interesting and worth sharing with the community. This session focused on ClawBack™ and was done for a college media class assignment. I hope you enjoy the interview as much as I did giving it. 

Q: What is ClawBack?

ClawBack is a platform for helping organizations detect data leaks. It’s a cloud-based engine focused on three specific kinds of leaked data – source code, device and application configurations and credentials. It systematizes many of the manual efforts which mature organizations had been doing either partially, or in an ad hoc fashion, and makes them ongoing, dependable and available to organizations of any size and technical capability.

The engine lets the customer pick monitoring terms, and yes, we have a very nice guide available in the online help to guide them. Once the terms are chosen, the engine goes to work and begins to scour the sites most commonly associated with these types of leaks. At first, it does historical searches to catch the client up to the moment, and then, periodically, it provides ongoing searching for signs of leaked data.

Once a leaked dataset is found, the user is alerted and can view the findings in the web portal. They can take immediate action from the takedown advice we provide in online help, or they can choose to archive the alert or mark it as a false positive to be ignored in the future. Email alerts, team accounts and alert exports for SEIM/SOAR integration are also available to customers at the advanced levels.

Basically, ClawBack is a tool to help developers find code that accidentally slipped to the Internet, network admins and security teams find configurations and credentials that have escaped into the wild. We wanted to make this easy, and raise the maturity level of data leak detection for all organizations. We think we hit the mark with ClawBack, and we hope you do too.

Q: Why did your team create ClawBack and why now?

This is a great question! For many years now, we have been working a variety of security incidents that all tie back to attackers exploiting leaked data. They routinely comb the Internet looking in these common repositories and posting locations for code, configs and credentials. Once they find them, they are pretty quick to take advantage.

Take for example, a leaked device configuration from a router. The global paste bins, code repositories and forums are full of these kinds of leaks. In many cases, these leaked files contain not just the insights the attacker can gain from the configuration, but often, logins and passwords that they can use to compromise the device. Many also give up cryptographic secrets, network management credentials and other significantly dangerous information. The attackers just harvest it, use it and then spread into other parts of the network – stealing as they go.

At MSI, we just got tired of seeing organizations compromised the same way, over and over again. Time after time, the clients would say they had no idea the data had been exposed. Some had ad hoc processes they ran to search for them, and others had tools that just weren’t getting the job done. We knew we had to make something that could help everyone solve this problem and it had to be easy to use, flexible and affordable. Nothing like that was on the market, so we built it instead.

Q: How does ClawBack address the issues of leaked critical data?

As you read above, we wanted to focus on the things that hurt the most – leaked code, configs and credentials. These three types of leaks are at the core of more than 90% of the leak-related incidents we’ve worked over the last several years. We didn’t try to solve every problem with this new tool – or make it a swiss army knife. We focused only on those 3 kinds of leaks.

Today, ClawBack monitors the most common sites where these leaks often occur. It monitors many of the global pastebins associated with leaks, forums and support sites where folks often accidentally expose data while getting or giving help and work repositories where many of these items often end up from inadvertent user errors or via misconfigured tools.

ClawBack provides the dependable process and ongoing vigilance that the most mature firms have access to – and it brings that capability to everyone for less than a fancy cup of coffee a day.

Q: How is it different than DLP solutions?

For starters, there’s no hardware, software or agents to deploy and manage. The cloud-based platform is so simple to use that most customers are up and monitoring in less than 5 minutes. You simply register, select your subscription, input monitoring terms and ClawBack is off and running. It’s literally that easy!

Now, DLP is a great tool. When it’s properly configured and managed, it’s very capable. Most of our ClawBack clients have DLP solutions of some sort in place. The problem is, most of these data leaks occur in ways that render the DLP unable to assist. In most cases, the data leaks in the incidents we have worked have occurred outside of the corporate network that the DLP is monitoring. When we traced back the root of the incident, most of them came from workers who were not using the corporate network when they made their grave mistake.

Additionally, of those that did use the corporate network, often the DLP was either misconfigured, the alert was missed or the transaction was protected by cryptography that circumvented the DLP solution. A few of the incidents came from users who routinely handle code and configuration files, so the anomaly-based DLP tools assumed the leak was normal, usual traffic.

Sadly, the last group of incidents that had DLP in place went undetected, simply because the DLP solution was configured to meet some regulatory baseline like HIPAA, PCI or the like and was only searching for leaked PII that matched those specific kinds of patterns. In those cases, source code, configurations and even dumped credentials were far outside of the protection provided by the DLP.

ClawBack takes a different approach. It lets users know when this type of data turns up and lets them respond. It’s easy, plain language monitoring term management makes it trivial to define proper terms to tackle the 3 critical types of leaks. We provide a very detailed set of suggested terms for customers in our online help, which most folks master in moments.

Q: If an organization doesn’t have any in-house development or code, what can ClawBack do for them? Same question for organizations that outsource their device management – how can they get help from ClawBack?

Organizations that don’t do any development or have any source code are few and far between, but they still gain immense capability from ClawBack. Nearly every organization has device and application configurations and credentials that they need to monitor for exposure. Even if you outsource network management, you should still use ClawBack as a sanity check to watch for data leaks. We’ve seen significant numbers of leak-related security breaches from networks managed by third parties.

Requesting the key device configurations from your vendor and inputting identifying data into ClawBack is easy and makes sure that those configurations don’t end up somewhere they shouldn’t – causing you pain. Identifying unique account names and such, and using those as ClawBack monitoring terms can give you early warning when attackers dump credentials, hashes or other secrets that could cause you harm. Being able to change those passwords, kill accounts, increase monitoring and claw back those files through takedown efforts can mean the difference between a simple security incident and a complete data breach with full legal, regulatory and reputational impacts.

Q: Several people have said you are leaving money on the table with your pricing model – why is the pricing so affordable?

The main reason that the product costs under $200 per month at the highest level, currently, is that I wanted not-for-profit firms to be able to afford to protect themselves. Credit unions, charities, co-op utilities and the like have been huge supporters of MicroSolved for the last 30 years, and I wanted to build a solution that didn’t leave them out – simply because they have limited funds. Sure, we could charge larger fees and only target the Fortune 500 or the like, and make a lot of money doing it. The problem is, the security incidents we built this to help eliminate happen to small, mid-size and less than Fortune 500 companies too and there are a LOT MORE of those firms than 500. They need help, and they need to be able to afford the help they require.

Secondly, we were able to get to such an affordable price point by really focusing on the specific problem. We didn’t build a bunch of unneeded features or spend years coding capabilities to address other security problems. ClawBack detects leaks of critical data. That’s it. It provides basic alerting and reporting. We based the monitoring technology off our existing machine learning platform and re-used much of the know how we have developing past products and services like TigerTrax™ and SilentTiger™. What saves us money and resources, saves our clients money and resources.

Lastly, at MSI, we believe in making more value than we harvest. We want to provide significant levels of value to our clients that way over scales what they pay for it. We can do that using technology, our expertise and by building solutions that focus on significant problems that many feel are untenable. We’ve been doing it for almost 30 years now, so we must be getting something right…

Q: What’s next for ClawBack? Is there a road map?

We are talking about adding some forms of risk determination to the findings. We are currently in discussion with clients and experts about how best to do that and communicate it. We are discussing using some additional machine learning techniques that we developed for our social media monitoring and threat intelligence platforms. That’s the next step for us, that we can see.

We’re also looking at user feedback and curating what folks are asking about and thinking about when using the product. That feedback is being ranked and added to the road map as we create it. We’ve got some ideas of where we want to go with ClawBack, but honestly, the tool addresses the problem we built it to help with. That’s the core mission, and anything outside of that is likely to fall out of the mix.

Q: You have a history of designing interesting products – what is on the horizon or what are you playing with in the lab these days?

I wish I could tell you about the things we are playing with, because it is fascinating. We are exploring a lot of new capabilities in TigerTrax with different machine learning models and predictive techniques. We’re working on updates to HoneyPoint™ and SilentTiger that will bring some very cool new features to those capabilities.

We’re also continuing to gather, analyze and deliver specific types of threat intelligence and data analytics of hostile data sets. We’re studying adversarial use of machine learning techniques, attacks against different AI, IoT and cloud platforms and we’re diving deep into cyber-economics and other factors related to breaches. I’m also working on a pretty interesting project with some of my mentees, where we are studying the evolution, use and capability growth of various phishing kits in use today. The mentees are learning a lot and I’m getting to apply significant amounts of machine learning techniques to new data and in new ways that I haven’t explored before. All in all, pretty cool stuff!

I’ll let you know what we come up with. Thanks for interviewing me, and thanks to the readers for checking this out. Give me a shout out on Twitter – @lbhuston and let me know if you have questions or feedback on ClawBack. I’d love to hear your thoughts!