Threat hunting, an often misunderstood but powerful security practice, is gaining traction, as more organizations reap benefits from it and get better at it. However, there is still a lot of room for adoption to increase and for practices to improve.

Those were key findings from the SANS Institute’s 2018 threat hunting study, which experts from SANS, Qualys and other companies discussed recently in the two-part webcast “Threat Hunting Is a Process, Not a Thing.”

“Over the past two to three years, threat hunting has been moving from a ‘What is it?’ discussion into a more formal mentality of: ‘This is what it is. Am I doing it right?’,” said Rob Lee, a SANS instructor. “But we’re still in a transition.”

For starters, there’s still considerable confusion about what threat hunting is. For example, it’s very common for many to equate it with reactive practices such as incident response. Rather, threat hunting is by definition proactive. It assumes that the organization’s prevention defenses have been bypassed, and the IT environment breached, without any alerts being triggered.

Using threat intelligence analysis and other tactics, hunters formulate and act on a hypothesis about where the intruders are likely to be lurking in silence while pursuing their nefarious goals.

Continue reading …

In our latest security news digest, we delve into the brouhaha over Chinese spy chips, check out the latest in Facebook’s investigation of its recent hack, and look at Google’s controversial decision to delay disclosing a potential data breach.

Bloomberg’s spy chip report stuns tech industry, then draws skepticism

The hyperactive cyber security news cycle reached another intensity level when Bloomberg reported the presence of Chinese spy chips in servers used by Apple, Amazon and other major U.S. companies. But did the global news agency get the story right?

Citing numerous anonymous sources, Bloomberg stated that China surreptitiously modified server hardware and embedded tiny chips in motherboards to snoop on about 30 large American businesses.

The Chinese government reportedly did this by tampering with parts built in China by suppliers of Supermicro, a U.S.-based Fortune 1000 designer and maker of servers.

“In Supermicro, China’s spies appear to have found a perfect conduit for what U.S. officials now describe as the most significant supply chain attack known to have been carried out against American companies,” Bloomberg’s article reads.

But Bloomberg, which doubled-down on the original article with a follow-up, has become part of the story, as more and more parties question the accuracy of its bombshell reports.

Continue reading …

Qualys is expanding its security and compliance capabilities for Microsoft Azure, by adding protection for the on-premises Azure Stack and extending capabilities for public cloud deployments.

By using Qualys’ platform to defend hybrid IT environments, organizations get a unified view of their security posture, and can apply the same standards and processes on premises and in clouds.

“The advantages of doing so all within a single pane of glass is to reduce your total cost of ownership, and to have all the data in one place,” Hari Srinivasan, a Qualys Director of Product Management, said during a presentation at Microsoft’s Ignite 2018 conference.

That way, when a major attack like WannaCry is unleashed, organizations can quickly assess their risk and take action from a single console, instead of scrambling to assemble fragmented information from siloed tools.

Read on to learn more about Qualys’ comprehensive offerings for Azure.

Continue reading …

QID 38598 “Deprecated Public Key Length” will be marked as PCI Fail as of November 1, 2018 in accordance with its CVSS score.

Under PCI DSS merchants and financial institutions are required to protect their clients’ sensitive data with strong cryptography. Strong cryptography is defined in the Glossary of Terms, Abbreviations and Acronyms for PCI DSS as cryptography based on industry-tested and accepted algorithms.

NIST Special Publication 800-131A announced that RSA public keys shorter than 2048 bits are disallowed, so QID 38598 detected in ASV scans will result a PCI failure. ASV scan customers will need to obtain a 2048-bit or larger public key length certificate from their Certificate Authority.

In this month’s Patch Tuesday release there are 49 vulnerabilities patched with 12 Criticals. Out of the criticals, over half are browser-related, with the rest including Hyper-V and MSXML Parser.  Microsoft Exchange covers CVE-2010-3190 which was not identified as in-scope product when originally published, per Microsoft. Microsoft Office covers 9 Important CVEs including Sharepoint and Graphics component.

Continue reading …

On a Friday afternoon before a long holiday weekend, a company’s security operations center receives a potentially serious alert: It appears that a domain controller has been tampered with. After examining event logs and overlaying network traffic, a SOC analyst confirms that a suspicious system did in fact connect to the controller, extracted credentials, and performed other actions. 

Worried this could be a hacker, the SOC team spends hours doing network analysis. Eventually they determine it’s a false alarm: An administrator had logged into the network to check his email with his personal laptop, whose use the company had authorized a month before.

Why did it take the SOC team so long to solve this mystery? They lacked a comprehensive IT asset inventory that would have allowed them to either quickly find that laptop on a list of devices owned by employees and approved for work use, or else determine it was a rogue device.

This hypothetical incident shows the importance of a continuously updated IT asset inventory, which would have slashed the SOC’s investigation time, and made a big difference if instead there had been an attack, according to security experts from SANS Institute and from Qualys.

Continue reading …

In our latest security news digest, we check out the Facebook hack heard ’round the world, a Twitter bug that rattled users but may not amount to much, and a pair of serious Linux kernel vulnerabilities.

Facebook scrambles to investigate major breach affecting tens of millions of users

The cyber security world shook on Friday upon learning that attackers exploited a software flaw on Facebook that allowed them to obtain access tokens for 50 million accounts, with another 40 million accounts possibly also affected.

Equally or even more concerning: The purloined tokens could have been used to access accounts in other websites into which their users log in with their Facebook credentials, such as Spotify and AirBnB.

Facebook inadvertently introduced the bug in July of last year. After investigating unusual activity detected in mid-September of this year, Facebook discovered the attack last week.

The attack has made global headlines since its disclosure on Sept. 28, and has naturally drawn scrutiny from security experts, government regulators, Facebook users, and industry observers.

“It’s surprising to me that as popular as Facebook is, no white hat hacker ever discovered and reported this flaw in the past, neither an external pen tester nor Facebook’s internal IT security team,” Paul Bischoff, privacy advocate with Comparitech, told Dark Reading.

Continue reading …

This release of the Qualys Cloud Platform version 2.34.1 includes updates and new features for Cloud Agent & AWS EC2 Connector, AssetView, CloudView, and Security Assessment Questionnaire, highlights as follows.

Continue reading …

Patch release of Qualys Cloud Platform, version 8.15.2, includes new support for Apache instance auto-discovery in Qualys Policy Compliance.

Policy Compliance

• Apache Instance Auto-Discovery – This new feature in Qualys PC enables automatic discovery of Apache during compliance scans.  Once one or more apache instances are discovered, the required authentication records are automatically created. We’ve also simplified authentication records for Apache allowing multiple instances to share a single authentication record.  In cases where multiple Apache instances are found, users no longer need to provide separate authentication records for each instance.

Continue reading …

With the newly available Qualys Consulting Edition, consultants and MSPs can now individually manage their mid-market client networks, keeping data separate and organized. This lets them offer their clients tailored, personalized services, with valuable insights and recommendations for threat prevention, detection, and response.

The solution’s flexibility allows consultants to customize the deployment and setup for each client’s unique environment. It’s all based on the highly-scalable Qualys Cloud Platform, which is trusted by many of the world’s largest businesses and service providers.

Continue reading …