Threat hunting, an often misunderstood but powerful security practice, is gaining traction, as more organizations reap benefits from it and get better at it. However, there is still a lot of room for adoption to increase and for practices to improve.

Those were key findings from the SANS Institute’s 2018 threat hunting study, which experts from SANS, Qualys and other companies discussed recently in the two-part webcast “Threat Hunting Is a Process, Not a Thing.”

“Over the past two to three years, threat hunting has been moving from a ‘What is it?’ discussion into a more formal mentality of: ‘This is what it is. Am I doing it right?’,” said Rob Lee, a SANS instructor. “But we’re still in a transition.”

For starters, there’s still considerable confusion about what threat hunting is. For example, it’s very common for many to equate it with reactive practices such as incident response. Rather, threat hunting is by definition proactive. It assumes that the organization’s prevention defenses have been bypassed, and the IT environment breached, without any alerts being triggered.

Using threat intelligence analysis and other tactics, hunters formulate and act on a hypothesis about where the intruders are likely to be lurking in silence while pursuing their nefarious goals.

Continue reading …

On a Friday afternoon before a long holiday weekend, a company’s security operations center receives a potentially serious alert: It appears that a domain controller has been tampered with. After examining event logs and overlaying network traffic, a SOC analyst confirms that a suspicious system did in fact connect to the controller, extracted credentials, and performed other actions. 

Worried this could be a hacker, the SOC team spends hours doing network analysis. Eventually they determine it’s a false alarm: An administrator had logged into the network to check his email with his personal laptop, whose use the company had authorized a month before.

Why did it take the SOC team so long to solve this mystery? They lacked a comprehensive IT asset inventory that would have allowed them to either quickly find that laptop on a list of devices owned by employees and approved for work use, or else determine it was a rogue device.

This hypothetical incident shows the importance of a continuously updated IT asset inventory, which would have slashed the SOC’s investigation time, and made a big difference if instead there had been an attack, according to security experts from SANS Institute and from Qualys.

Continue reading …

Black Hat attendees got a peek at Qualys Passive Network Sensor (PNS), a product that amplifies the already comprehensive IT asset visibility Qualys provides to its customers. By adding real-time network analysis to Qualys’ versatile set of sensors, PNS eliminates blind spots across IT environments through continuous traffic monitoring.

“Now you have instant visibility into every single asset that’s communicating on your network,” said Qualys’ Chief Product Officer Sumedh Thakar during a presentation on Passive Network Sensor at the conference.

The sensor extends the Qualys Cloud Platform’s broad spectrum of integrated security and compliance capabilities, further reducing Qualys customers’ needs for multi-vendor point products that are costly to manage and integrate.

Continue reading …

When vulnerability risk management is proactive, organizations don’t have to hurriedly react to attacks that exploit bugs for which patches are available, as happened with WannaCry. 

“The vast majority of WannaCry remediation took place as an emergency type process,” Jimmy Graham, a Qualys Director of Product Management, said during QSC18 Virtual Edition.

It’s key to have an integrated breach prevention program with asset inventory, vulnerability management, threat prioritization and patch management, he said. 

Graham also outlined how Qualys can help customers comprehensively and proactively manage their vulnerability risk.

Read on to learn more.

Continue reading …

Maintaining an IT asset inventory is essential for a strong security posture, but digital transformation has further complicated this already challenging task.

“The volume and variety of assets, including cloud, virtualization, mobility and IoT, is disrupting IT, and security takes center stage,” Pablo Quiroga, a Qualys Director of Product Management, said during QSC18 Virtual Edition.

Consequently, many security teams can’t definitively answer questions like: What are your IT assets? Where are they located? Who are their owners and users? How are assets related?

Having asset-inventory blind spots heightens security risks, which is why most regulations and standards highlight this practice. For instance, the Center for Internet Security’s Top 20 controls begin with inventory and control of hardware and software, because attackers constantly look to exploit vulnerable assets.

In his presentation, titled “Global IT Asset Discovery, Inventory, and Management,” Quiroga explained the importance of a complete and accurate inventory, and how Qualys can help. Read on to learn more.

Continue reading …

Turned into law in 2016, the EU’s General Data Protection Regulation (GDPR) finally goes into effect this week, slapping strict requirements on millions of businesses and subjecting violators to severe penalties. The complex regulation applies to any organization worldwide — not just in Europe — that controls and processes personal data of EU residents, whose security and privacy GDPR fiercely protects.

GDPR calls this data’s protection a “fundamental right” essential for “freedom, security and justice” and for creating the “trust” needed for the “digital economy” to flourish. Its requirements amount to what some have called zero-tolerance on mishandling EU residents’ personal data.

A PwC survey found that more than half of U.S. multinationals say GDPR is their main data-protection priority, with 77% planning to spend $1 million or more on GDPR readiness. “Data protection has been a thing organizations know about, but GDPR has brought it all to the forefront,” Richard Sisson, Senior Policy Officer at the U.K.’s Information Commissioner’s Office (ICO) said during a recent GDPR roundtable.

Continue reading …

With the General Data Protection Regulation (GDPR) going into effect in under three months, the countdown clock is fast approaching zero for organizations worldwide that handle personal data of EU residents.

GDPR is a very broad and wide-ranging regulation that requires organizations to obtain a lot of legal advice, and to implement business controls. Although these controls exceed the scope of information security, IT security and compliance are a significant subset of the regulation.

A special challenge for InfoSec teams is GDPR’s lack of details about specific security measures and requirements for protecting EU residents’ data.

“The GDPR regulation is extremely vague and doesn’t give any detailed prescriptive requirements of what the expectations are for data protection, but they’re very far-reaching,” Tim White, a Qualys Product Management Director, said during a recent webcast.

GDPR puts a heavier burden of accountability on organizations, forcing them, among other things, to accommodate significant new rights for individuals. For example, EU residents can request that organizations delete, disclose, correct and transfer their personal information.

To comply with these GDPR “subject access requests,” organizations must know what data they have, where it’s stored, with whom they’re sharing it, how they’re protecting it, and what they’re using it for.

Unfortunately, many organizations are far from ready to comply with GDPR.

Continue reading …

In a perfect world, organizations would patch vulnerabilities immediately after they’re disclosed, preemptively blocking exploits and dodging most cyber attacks.

Of course, reality is far from that hypothetically ideal state. Organizations often leave critical vulnerabilities unpatched for months, even years. Hackers routinely feast on all that low-hanging fruit to hijack systems, steal data, deface websites and disrupt operations.

We all know it’s impossible to patch every single vulnerability. Thousands are disclosed every year, and patching systems can be complicated, time-consuming and inconvenient. But InfoSec teams agree that fixing the most dangerous bugs on a timely basis is not only doable but also necessary.

The problem is that prioritizing remediation and pinpointing those critical vulnerabilities is difficult when — as is often the case — organizations lack continuous and automated vulnerability management, asset inventorying and threat analysis.

Unsurprisingly, recent Qualys data on patching behavior shows that remediation activity is directly related to the level of risk attached to specific vulnerabilities. And in some cases, specifically when it comes to the realm of IoT devices, patching is always slow, and often non-existent.

Continue reading …

Corden Pharma needed a standardized security program to meet customer requirements. Link3 Technologies wanted to prioritize its network security improvements. Telenet was looking for a road map to implement its ISO-27000 compliance program.

These three companies — a German pharmaceutical contract manufacturer, an IT services provider in Bangladesh and a large telecom in Belgium — all found the InfoSec clarity and guidance they needed in the Center for Internet Security’s Critical Security Controls (CSCs).

They are among the thousands of organizations that over the years have successfully adopted the CSCs, a set of 20 security best practices that map effectively to most security control frameworks, as well as regulatory and industry mandates.

Continue reading …

If a CISO needed to cut cyber attack risk by 85%, how would this security chief go about accomplishing that? Would the CISO even know where to begin? It’s safe to say that such a mandate would be considered daunting, and maybe even overwhelming.

CISOs are scrambling to protect IT infrastructures whose boundaries are increasingly fluid due to the adoption of mobility, cloud computing, IoT, and other new technologies. They get bombarded daily with information — research studies, threat warnings, vendor announcements, regulatory requirements, industry recommendations. Making sense out of it all is a challenge.

And yet, that dramatic cyber-attack risk reduction is an attainable goal for organizations that apply the first five of the Center for Internet Security’s 20 Critical Security Controls.

Continue reading …