New infosec products of the week: March 20, 2020

HYAS Insight: A threat intelligence solution for investigation and attribution

HYAS Insight is a threat intelligence and attribution solution that improves visibility and productivity for analysts, researchers and investigators while vastly increasing the accuracy of their findings. HYAS Insight lets analysts connect specific attack instances and campaigns to billions of historical and real-time indicators of compromise faster than ever before, bringing invaluable new intelligence and visibility to security efforts.


Contrast Security simplifies DevSecOps with Route Intelligence

Contrast Security announced Route Intelligence, a major new capability for application security. Legacy application security testing solutions simply point out potential vulnerabilities in application code and are plagued with false positives. When compared to traditional application security approaches, Route Intelligence saves security teams and application development teams massive amounts of time while reducing costs.


Security Compass adds content to SD Elements, enables companies to meet CCPA compliance

Tracking regulatory standards and ensuring compliance with complex requirements is a challenge to even the most mature organizations. Security Compass has added content to SD Elements that enables organizations operating in California to maintain or achieve compliance under the California Consumer Privacy Act (CCPA).


Box builds interoperability within Microsoft 365 environments to transform the way users work

Box announced new integrations with Microsoft 365, building on Box’s interoperability within Microsoft environments. Admins can use Box Shield to restrict printing and downloads of files in Box from Office 365 web editors (Word, PowerPoint, Excel) based on Box security classifications. Later this year, a new Azure AD integration will provide one-click single-sign-on (SSO), enabling customers to set up the configuration with minimal effort.


Contrast Security simplifies DevSecOps with Route Intelligence

Contrast Security, the next-generation software security platform, announced Route Intelligence, a major new capability for application security. Legacy application security testing solutions simply point out potential vulnerabilities in application code and are plagued with false positives.

This antiquated approach to application security also squanders valuable time associated with manual vulnerability verification. Route Intelligence from Contrast, which is now available as part of Contrast Assess, is a revolutionary and industry-leading solution that combines continuous and accurate assessment with instrumentation-based vulnerability assessment capabilities.

When compared to traditional application security approaches, Route Intelligence saves security teams and application development teams massive amounts of time while reducing costs—namely, development teams know exactly what parts of each application have been tested for critical security flaws.

Routes in software are like roads in cities, enabling data to reach the correct destination and powering business logic in the application. Using traditional approaches to application security testing, development teams are unable to determine how much of their application attack surface—that is, how many routes—have been assessed for vulnerabilities.

With Route Intelligence, development teams know the full extent of their entire application security posture. Route Intelligence also automates vulnerability remediation verification, obviating a time-consuming, manual process whereby development teams had to engage with multiple teams to verify vulnerability remediation. This saves development teams significant time and resources.

“Security and development leaders want high speed and secure DevOps and digital transformation. A core principle of going fast is finding and fixing important functionality and security flaws early,” said Alan P. Naumann, Chairman of the Board, President, and CEO of Contrast Security.

“With Route Intelligence, which is now part of Contrast Assess, our customers can immediately see a comprehensive picture of the entire application attack surface, allowing overstretched development teams to save time and focus their valuable resources.

“In addition, development and security teams can work from a shared and accurate view, saving hundreds of hours required for vulnerability remediation verification. Route Intelligence is one more game-changer in the application security revolution that Contrast Security is spearheading.”

Because development teams do not have full visibility of the application attack surface when they employ traditional static application security testing (SAST) and dynamic application security testing (DAST) tools, inherent risks reside within the application development and testing environments.

Leveraging Route Intelligence, Contrast Assess displaces legacy SAST and DAST tools with a modern platform that combines SAST, DAST, and interactive application security testing (IAST) into one solution. This delivers comprehensive visibility over the entire application attack surface.

In addition, traditional approaches to application security testing incur hundreds of development staff hours on manual vulnerability verification. This slows continuous integration/continuous deployment (CI/CD) life cycles.

Contrast Assess, powered by Route Intelligence, completely changes the application security testing model in three ways:

Unwavering confidence. Unlike traditional application security testing approaches that build and scan hypothetical models of source code repositories and result in incomplete attack surface and vulnerability models, Contrast Assess uses patented instrumentation to directly interrogate application frameworks to determine all possible application routes to provide full visibility of the entire application attack surface.

In addition, alerts in Contrast eliminate false positives that can hide real problems and hinder remediation activities. Security and development teams, as a result, have full assurances of the thoroughness of the security assessment powered by Contrast Assess.

Better visibility. Because of the discovery approach employed by Contrast Assess, developers have a full and complete picture of their entire application attack surface, how much of it has been tested, and what areas require remediation based on identified vulnerabilities. This virtually eliminates vulnerability risk associated with the deployment of compromised application code.

Additional automation. Traditional SAST and DAST tools try to solve the problem of coverage and verification of remediation using different techniques but are highly ineffective. Their findings are also extremely inaccurate and peppered with false positives, turning vulnerability verification into a game of Whack-A-Mole.

Static scans no longer reflect the true nature of an application’s security posture, as more and more of the application is being loaded dynamically at runtime.

By utilising the application’s runtime behaviour, Route Intelligence enables users of Contrast Assess to compare successive security assessment results for each application route to ensure that the vulnerability originally discovered on a route is no longer present.

This automated vulnerability remediation verification approach dramatically improves application risk posture while giving back hundreds of hours to development and security teams.
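The route-level comparison described above (coverage of the discovered attack surface, and re-testing each route to confirm a finding is gone) can be illustrated with the following added example. It is not Contrast's code and assumes a hypothetical data model in which each assessment run maps exercised routes to the finding identifiers seen on them; routes and finding ids are constructed.

```python
# Added example (not from the article or Contrast Security): route-level comparison of two
# successive assessment runs, showing attack-surface coverage and remediation verification.
from typing import Dict, Set

# Each assessment maps a route to the set of finding identifiers observed on it; routes that
# were discovered but never exercised during the run carry no entry. (Hypothetical model.)
Assessment = Dict[str, Set[str]]

def coverage(all_routes: Set[str], assessed: Assessment) -> float:
    """Fraction of the known attack surface (discovered routes) that the run actually exercised."""
    if not all_routes:
        return 0.0
    return len(all_routes & set(assessed)) / len(all_routes)

def verify_remediation(before: Assessment, after: Assessment) -> Dict[str, Dict[str, Set[str]]]:
    """Per route, split findings into fixed (gone on re-test), open (still present) and new.
    A route that was not re-exercised cannot be verified, so its old findings stay 'unverified'
    rather than being silently counted as fixed."""
    report: Dict[str, Dict[str, Set[str]]] = {}
    for route, old in before.items():
        if route not in after:
            report[route] = {"fixed": set(), "open": set(), "new": set(), "unverified": set(old)}
            continue
        new = after[route]
        report[route] = {"fixed": old - new, "open": old & new, "new": new - old, "unverified": set()}
    for route, findings in after.items():
        if route not in before:
            report[route] = {"fixed": set(), "open": set(), "new": set(findings), "unverified": set()}
    return report

# Constructed sample data (hypothetical routes and finding ids, not real results).
ROUTES = {"GET /login", "POST /login", "GET /orders", "POST /orders", "GET /admin/export"}
RUN_1: Assessment = {"GET /login": set(), "POST /login": {"sqli-001"}, "GET /orders": {"xss-017"}}
RUN_2: Assessment = {"GET /login": set(), "POST /login": set(), "POST /orders": {"idor-042"}}

if __name__ == "__main__":
    print(f"run 1 coverage: {coverage(ROUTES, RUN_1):.0%}, run 2 coverage: {coverage(ROUTES, RUN_2):.0%}")
    for route, r in verify_remediation(RUN_1, RUN_2).items():
        print(route, {k: sorted(v) for k, v in r.items() if v})
```

Note that "GET /orders" is reported as unverified, not fixed: the second run never exercised that route, so the earlier finding has not been re-tested.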

“Our research shows growing interest on the part of security teams to automate application vulnerability discovery and verification of remediation at development speed,” said Doug Cahill, VP and Group Director of Cybersecurity at ESG.

“Transparent visibility across the entire application development and runtime attack surface is a critical linchpin for organisations seeking to manage risk effectively.”

Malware and ransomware attack volume down due to more targeted attacks

Cybercriminals are leveraging more evasive methods to target businesses and consumers, a SonicWall report reveals.


“Cybercriminals are honing their ability to design, author and deploy stealth-like attacks with increasing precision, while growing their capabilities to evade detection by sandbox technology,” said SonicWall President and CEO Bill Conner.

“Now more than ever, it’s imperative that organizations detect and respond quickly, or run the risk of having to negotiate what’s being held at ransom from criminals so emboldened they’re now negotiating the terms.”

The 2020 SonicWall Cyber Threat Report is the result of threat intelligence collected over the course of 2019 by over 1.1 million sensors placed in over 215 countries and territories.

Cybercriminals change approach to malware

Spray-and-pray tactics that once had malware attack numbers soaring have since been abandoned for more targeted and evasive methods aimed at weaker victims. SonicWall recorded 9.9 billion malware attacks, a slight 6% year-over-year decrease.

Targeted ransomware attacks cripple victims

While total ransomware volume (187.9 million) dipped 9% for the year, highly targeted attacks left many state, provincial and local governments paralyzed and took down email communications, websites, telephone lines and even dispatch services.

The IoT is a treasure trove for cybercriminals

Bad actors continue to deploy ransomware on ordinary devices, such as smart TVs, electric scooters and smart speakers, to daily necessities like toothbrushes, refrigerators and doorbells.

Researchers discovered a moderate 5% increase in IoT malware, with a total volume of 34.3 million attacks in 2019.

Cryptojacking continues to crumble

The volatile shifts and swings of the cryptocurrency market had a direct impact on threat actors’ interest in authoring cryptojacking malware. The dissolution of Coinhive in March 2019 played a major role in the threat vector’s decline, plunging the volume of cryptojacking hits to 78% in the second half of the year.

Fileless malware targets Microsoft Office/Office 365, PDF documents

Cybercriminals used new code obfuscation, sandbox detection and bypass techniques, resulting in a multitude of variants and the development of newer and more sophisticated exploit kits that use fileless attacks instead of traditional payloads written to disk.

While malware decreased 6% globally, most new threats masked their exploits within today’s most trusted files. In fact, Office (20.3%) and PDFs (17.4%) represent 38% of new threats detected by Capture ATP.

Encrypted threats are still everywhere

Cybercriminals have become reliant upon encrypted threats that evade traditional security controls, such as firewall appliances that do not have the capability or processing power to detect, inspect and mitigate attacks sent via HTTPS traffic.

Researchers recorded 3.7 million malware attacks sent over TLS/SSL traffic, a 27% year-over-year increase that is trending up and expected to climb through the year.


Side-channel attacks are evolving

These vulnerabilities could impact unpatched devices in the future, including everything from security appliances to end-user laptops. Threat actors could potentially issue digital signatures to bypass authentication or digitally sign malicious software.

The recent introduction of TPM-FAIL, the next variation of Meltdown/Spectre, Foreshadow, PortSmash, MDS and more, signals criminals’ intent to weaponize this method of attack.

Attacks over non-standard ports cannot be ignored

This year’s research indicated that more than 19% of malware attacks leveraged non-standard ports, but found the volume dropping to 15% by year’s end with a total of 64 million detected threats. This type of tactic is utilized to deliver payloads undetected against targeted businesses.

“The application layer is the biggest target right now. The average commercial web application, like the one that we all use for our shopping or banking, has 26.7 vulnerabilities. That’s a shocking number. Imagine if your airline averaged 26.7 safety problems! Fortunately, it is now possible to give software a sort of digital immune system. Web applications and APIs can be provided with defences that enable them to identify their own vulnerabilities and prevent them from being exploited. Once teams see exactly where they are weak and how attackers are targeting them, they can quickly clean up their house, ensuring that they (and those using their software) are protected,” Jeff Williams, at Contrast Security, told Help Net Security.

Embedding security, the right way

As organizations proceed to move their processes from the physical world into the digital, their risk profile changes, too – and this is not a time to take risks. By not including security in DevOps processes, organizations are exposing their business in new and surprising ways.


DevOps

DevOps has accelerated software development dramatically, but it has also created a great deal of pain for traditional security teams raised on performing relatively slow testing. Moving from annual security testing to an almost daily security cadence has put a huge strain on legacy approaches to automated testing, which need a centralized team of experts to run tools that undertake static analysis and dynamic scans.

Shift left

To help combat this, DevOps has spawned the “shift left” movement, which focuses on including security in the software development lifecycle at an earlier stage than before. New technologies such as interactive application security testing (IAST) and runtime application self-protection (RASP) empower developers to do their own security. Automated software pipelines that provide an optimum testing infrastructure have allowed organizations to become much more effective in securing their apps. Certainly, this makes them far more effective and efficient than the old “tool soup” approach.

Done right, security can be more efficient in modern DevOps than it ever was in traditional waterfall processes. You can “shift left” to empower developers to commit secure code themselves. But don’t forget to also “extend right” to get accurate security telemetry and protection into production.

The goal of DevSecOps is to automate the process of verifying security before code goes into production, so that it runs continuously as part of your pipeline. The “Sec” is important: by closing the barn door before the horse has bolted, you improve your security posture and have better inbuilt protection against new and emerging risks.

DevSecOps principles

The first principle of DevSecOps is to create a security workflow. This means breaking security work up into small pieces and carrying them to completion, rather than splitting security work across a series of gigantic phases and never connecting the dots.

Take SQL injection (SQLi) for example. Most traditional approaches would have a threat model identifying SQLi, a security architecture with defenses for SQLi, security requirements, secure coder training, security libraries to use, scanning tools, penetration testing, security code review and web application firewall rules. Yet, as they were all done independently, there was little cohesion. Security should be about traceability and that should be one of the biggest benefits of DevSecOps.

The second principle is to create tight security feedback loops. For that, read instant security feedback – the timelier the feedback the better. Anything else skyrockets the cost and demolishes the success rate. Organizations need to use technologies that provide instant and accurate feedback. Anything else is virtually useless.

The third principle of DevSecOps is to create a culture of security innovation and learning – and for good reason. Security moves fast: to stay ahead, organizations need to be agile. Yet, most organizations today simply react to their auditors, adhering to standards written years ago about problems from years before that. We need to get to a place where organizations are thinking about the risks that might exist in ten years’ time and start planning their defenses now. Future-proofing them makes sound business sense.

Embedding security: Capitalize on DevSecOps

The idea of turning security requirements, security policy, security architecture, and security coding guidelines into software is very powerful. However, imagine a simple security rule like “Applications must use the X-FRAME-OPTIONS header to prevent clickjacking”. You could put that in all the documents above and nobody would ever read it. Mistakes would continue to happen. However, if it is turned into an embedded test that checks every HTTP response within the application to ensure that the header is set properly, it would be instantly reported to developers and could be fixed swiftly and correctly.

As the list of rules to be tested is added to over time, it will ensure greater accuracy and reduce the need for already time-sapped human expert intervention. This will, in turn, accelerate software development processes, ensuring an organization’s ability to compete. It will also produce an assurance that the applications are trusted and secure.
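The clickjacking rule above, turned into an embedded test as the text suggests: an added example that is not code from the article or from Contrast Security. It checks each response's header map the way a pipeline check would, treating a CSP frame-ancestors directive as an acceptable modern equivalent (an assumption about the rule's intent, not stated in the text); the sample responses are constructed.

```python
# Added example (not from the article or Contrast Security): an embedded test for the rule
# "every HTTP response must set X-Frame-Options correctly", run over constructed responses.
from typing import Dict, List, Tuple

# Values browsers still honour; the obsolete ALLOW-FROM form is treated as a failure.
VALID_XFO = {"DENY", "SAMEORIGIN"}

def check_clickjacking_headers(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (passed, reason) for one response's header map.
    Header names are matched case-insensitively, as HTTP requires."""
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = lower.get("x-frame-options")
    csp = lower.get("content-security-policy", "")
    # CSP frame-ancestors is the modern equivalent; assumed acceptable by this rule.
    has_frame_ancestors = any(
        d.strip().lower().startswith("frame-ancestors") for d in csp.split(";")
    )
    if xfo is None:
        if has_frame_ancestors:
            return True, "no X-Frame-Options, but CSP frame-ancestors restricts framing"
        return False, "X-Frame-Options header missing"
    if "," in xfo:
        # Duplicate headers get folded into one comma-separated value; browsers differ
        # in how they treat conflicting values, so the test fails closed.
        return False, "multiple X-Frame-Options values; handling differs across browsers"
    value = xfo.strip().upper()
    if value in VALID_XFO:
        return True, f"X-Frame-Options: {value}"
    return False, f"unsupported X-Frame-Options value '{xfo.strip()}'"

def audit_responses(responses: List[Tuple[str, Dict[str, str]]]) -> List[Tuple[str, bool, str]]:
    """Apply the rule to (route, headers) pairs, as the embedded test would for every response."""
    return [(route, *check_clickjacking_headers(h)) for route, h in responses]

# Constructed sample responses (hypothetical routes, not captured from a real application).
SAMPLE_RESPONSES = [
    ("/login",      {"Content-Type": "text/html", "X-Frame-Options": "DENY"}),
    ("/account",    {"Content-Type": "text/html", "x-frame-options": "sameorigin"}),
    ("/legacy",     {"Content-Type": "text/html", "X-Frame-Options": "ALLOW-FROM https://example.com"}),
    ("/api/orders", {"Content-Type": "application/json"}),
    ("/widget",     {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}),
]

if __name__ == "__main__":
    for route, ok, reason in audit_responses(SAMPLE_RESPONSES):
        print(f"{'PASS' if ok else 'FAIL'} {route}: {reason}")
```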

In the past couple of years, DevSecOps has quickly gained mindshare among developers and security teams alike. But it is still very early days. Many vendors are trying to capitalize on DevSecOps by slapping some DevOps lipstick on their tool and saying that it’s the best for DevSecOps. Organizations that want to make progress in DevSecOps should ask themselves:

1. Do we have continuous inventory of our applications, APIs, components, and other code everywhere in our enterprise? (You can’t secure what you don’t know.)
2. For each application, what real evidence do we have that our applications have the right defenses and that they are effective?
3. For each application, how good is our visibility into who is attacking, what techniques are they using, and do we have runtime exploit prevention in place?

Only then can organizations fully embrace the DevSecOps revolution to keep them and their customers safe.