With Black Hat USA 2019 now in progress, we wrap up this blog series with our final two session recommendations: Attacking and Defending the Microsoft Cloud and Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities at Scale.

Attacking and Defending the Microsoft Cloud, which focuses on protecting Office 365 and Azure Active Directory, explores the most common attacks against the cloud and describes effective defenses and mitigation. While it focuses on Microsoft, some topics apply to other providers. The speakers — Trimarc CTO Sean Metcalf, and Mark Morowczynski, a Principal Program Manager at Microsoft, will cover topics including account compromise and token theft; methods to detect attack activity; and secure cloud administration.

Meanwhile, Practical Approach to Automate the Discovery and Eradication of Open-Source Software Vulnerabilities at Scale, outlines how Netflix identifies and eliminates vulnerabilities in the open source software components it uses in its applications at scale. The speaker, Aladdin Almubayed, is a Senior Application Security Engineer at Netflix who will describe the stages in Netflix’s automation strategy and the tools it uses.

Continue reading …

Black Hat kicks off in a few days, and for Qualys customers still planning their schedule we have our weekly recommendation from among the conference’s many training courses and research briefings: The Enemy Within: Modern Supply Chain Attacks.

Speaker Eric Doerr, General Manager of the Microsoft Security Response Center, promises to provide “practical guidance on how to defend against supply chain attacks and harden your systems.” 

Using examples of undisclosed supply chain attacks, he will cover topics such as attackers’ techniques and objectives, effective defense mechanisms, and the challenges of dealing with developers. 

Continue reading …

Black Hat USA 2019 is just weeks away, and with scores of training courses and research briefings to choose from, planning your schedule can be a challenge. To help you, we’re posting a weekly recommendation on our blog, and explaining why we think Qualys customers could find it useful and relevant. This week’s choice is the presentation Trust and Transformation — The Post Breach Journey. 

In this talk, Jamil Farshchi, Equifax’s Chief Information Security Officer, will share experiences, best practices and insights about responding to a headline-grabbing data breach. In this 25-minute session, he’ll focus on how a business can regain the trust of customers, partners, investors, regulators and other stakeholders after suffering a significant data breach.

Continue reading …

With Black Hat USA 2019 less than a month away, we continue our blog series with weekly recommendations of training courses and research briefings to attend at the conference. Our pick this week: the research briefing Controlled Chaos: The Inevitable Marriage of DevOps & Security.

This 50-minute presentation focuses on the increasingly critical issue of securing DevOps, as this approach to agile and iterative software development and IT operations becomes the “business engine” for organizations.

Kelly Shortridge, Capsule8’s product strategy VP, and Nicole Forsgren, Google Cloud researcher and strategist, will explain the DevOps basics and the resilience and chaos engineering concepts. The speakers will address the importance of marrying DevOps and security, and the necessary shift away from security for its own sake to security as an enabler of business objectives.

Continue reading …

Black Hat USA 2019, which is only one month away, offers scores of training courses and research briefings, so every week we’re picking a session we believe Qualys customers will find valuable. This week’s selection is the training course Adversary Tactics — Detection.

This course focuses on abnormal behaviors and attackers’ “tactics, techniques, and procedures” (TTPs). It teaches participants how to create hypotheses based on TTPs to perform threat hunting operations and detect attacker activity. Students will also learn how to use free and open source data collection and analysis tools to gather and analyze large amounts of host information to detect malicious activity. 

Key takeaways from the course will include learning how to conduct effective, continuous hunt operations; run an end-to-end hunt operation; and develop metrics that measure the effectiveness of detection capabilities. Designed for defenders wanting to learn how to hunt in enterprise networks, this four-day course will be taught by experts from SpecterOps, a security firm that provides adversary-focused services.

Continue reading …

With Black Hat USA 2019 fast approaching, we continue our blog series highlighting training sessions and research briefings that we think Qualys customers will find relevant and valuable. Our pick this week is the training session An Introduction To IoT Pentesting With Linux.

The course offers “a hands-on, example-driven introduction to IoT hacking” and focuses on tactics for assessing and exploiting devices. Participants will learn why perimeter security falls short for securing private LANs from Internet attackers, and how vulnerability assessment techniques can be implemented using the Bash Unix shell and command language. Such skills are critical today due to the booming popularity and weak security of Internet of Things systems.

The two-day course is aimed at anyone wanting a hands-on introduction on using Linux to perform software-based security analysis of embedded Linux devices. The instructor, Craig Young, is a Tripwire computer security researcher who has used the course’s techniques to identify over 100 CVEs on embedded IoT devices. He has discovered dozens of vulnerabilities in products from Google, Amazon, Apple and others.

Continue reading …

We’re getting closer to Black Hat USA 2019, whose program is loaded with scores of research briefings and training courses. For attendees, it’s always a challenge to decide which ones to put on their schedule — and which ones to leave out.

To help with this task, we’re recommending a Black Hat USA 2019 session every week. Adding to our top recommended sessions, here’s our third choice: Windows Enterprise Incident Response.

This course teaches how to do triage on a potentially compromised system, uncover attack evidence, recognize persistence mechanisms, and more. Key takeaways include learning incident response principles, and scaling analysis to an enterprise environment.

The instructors are Mandiant consultants Austin Baker and Julian Pileggi, who have expertise in digital forensics, incident response, proactive security and threat hunting. The course is intended for people with backgrounds in forensic analysis, pen testing, security architecture, sysadmin, incident response and related areas.

Continue reading …

Black Hat USA 2019 is still two months away, but it’s never too early for attendees to start planning their schedule. That’s why each week we’re recommending one session from the scores of research briefings and training courses that will be offered at the conference. Following our first pick last week, here’s our second recommendation: Attacking and Securing APIs.

This hands-on, two-day course will teach participants how to build secure web and cloud APIs, which is increasingly important as their usage skyrockets. The instructor is Mohammed Aldoub, a security consultant and trainer with 10 years of experience who worked on Kuwait’s national cyber security infrastructure and focuses on APIs, secure DevOps, cloud security and cryptography.

The course is designed for software developers, security engineers, bug bounty hunters and others. Key takeaways include creating secure web APIs and microservices infrastructure; assessing the security of API implementation and configuration; and using cloud-native tools and infrastructure to deliver secure APIs.

Continue reading …

Black Hat USA 2019 offers a packed and impressive lineup of research briefings and hands-on training courses for the 19,000-plus security pros expected to attend this year’s event.

The training sessions provide both offensive and defensive skills that security pros can use to tackle critical threats affecting applications, IoT systems, cloud services, and more. Meanwhile, the briefing sessions feature cutting-edge research on the latest infosec risks and trends. All sessions are led by expert trainers and researchers.

To help attendees decide which sessions to choose, we’ve selected ten that we think will be particularly relevant and valuable for Qualys customers, and we’ll highlight one each week here on our blog. Here’s our first recommendation: Advanced Cloud Security And Applied Devsecops.

This highly technical course delves deep into practical cloud security and applied DevSecOps for enterprise-scale cloud deployments, and focuses on IaaS and PaaS.

“Real-world cloud security is most definitely not business as usual. The fundamental abstraction and automation used to build cloud platforms upends much of how we implement security. The same principles may apply, but how they apply is dramatically different, especially at enterprise scale,” reads the course abstract.

Continue reading …

Is your security team struggling to decide which projects will slash risk the most without breaking the bank? If so, we believe your security leaders can end analysis paralysis by perusing Gartner’s “Top 10 Security Projects for 2019” report. As its title states, the report recommends ten security projects for 2019, and the projects selected are supported by technologies available today, address the changing needs of cybersecurity and support what Gartner calls a CARTA (Continuous Adaptive Risk and Trust Assessment) strategic approach through risk prioritization.

Below we highlight five of the projects, provide Gartner’s take, offer our opinion, and explain how Qualys can help you implement them.

Continue reading …