On March 22, the hacking group Lapsus$ published a Twitter post with a number of screenshots taken from a computer showing “superuser/admin” access to various systems at authentication firm Okta that took place in January this year. Okta is a platform in the #1 platform in Identity-as-a-Service (IDaaS) category, which means that it manages access to internal and external systems with one login.
VPN tunnels are like shipping containers in that they are widely used (especially as the pandemic has moved more of the workforce to remote work), and they can be used to carry traffic for legitimate as well as malicious purposes. Establishing a tunnel between corporate offices, remote workers, or partners to transfer data is a legitimate and common use for VPNs.
The cybersecurity community uses the term Advanced Persistent Threats to refer to threats that have extremely long persistence on a particular target—often lurking inside a target system for years. Their targets can include government agencies (at all levels), including contractors and suppliers far down the supply chain. Due to their passive nature, you may not even realize that your organization is a target for an APT. In fact, your infrastructure may already be infiltrated.
The cybersecurity landscape is shifting because it has to. The breadth of challenges facing defenders is vast and we are constantly reminded about how unpredictable security can be with zero-days such as the recent Log4Shell vulnerability. New tools and a community-based approach offer a way forward in the face of overwhelming complexity.
Machine learning (ML) detections are a powerful tool for detecting emerging threats when we don’t yet know what we’re looking for. The power of anomaly detection is the ability to detect and provide early warning on new threat activity for which rules, indicators, or signatures are not yet available.
One of the major causes of alert fatigue for SOCs is a class of alerts that fall in between false positives and useful detections: when an actual attack has been launched, and the detection is working correctly, but the host on the receiving end is not vulnerable, guaranteeing that the attack will fail.
Organizations have moved business-critical apps to the cloud and attackers have followed. 2020 was a tipping point; the first year where we saw more cloud asset breaches and incidents than on-premises ones. We know bad actors are out there; if you’re operating in the cloud, how are you detecting threats? Cloud is different. Services are no longer confined in a single place with one way in or one way out.
The idea behind the SIEM (and now XDR!) technologies was to provide a single engine at the heart of the SOC, aggregating data, enabling analytics and powering workflow automation. The SIEM would act as one place to train analysts and integrate a range of complementary technologies and processes. Given the efficiency that comes from centralization, I was surprised to hear that a growing number of defenders are actually using two SIEMs. Why is that?
Many modern applications are regularly accessed by countless users from all over the world, which makes it difficult to identify anomalous patterns in login activity indicative of a security breach. This challenge is compounded by the fact that people travel often and regularly access their accounts from new locations. To detect this common attack vector, the Datadog Cloud SIEM now provides the impossible travel detection rule type which helps you spot suspicious logins with confidence.
The modern threat landscape continues to evolve with an increase in attacks leveraging compromised credentials. An attacker with compromised credentials too frequently has free reign to move about an organization and carefully plan their attack before they strike. This week Falcon Complete™, CrowdStrike’s leading managed detection and response (MDR) service, announced a new managed service capability that once again sets the standard for MDR.
