Source: Varonis Blog
Author: Nolan Necoechea
URL: https://www.varonis.com/blog/automated-data-labeling
Labeling files can be an effective way to protect data. Enterprises rely heavily on sensitivity labels to enforce DLP policies, apply encryption, and broadly prevent data leaks.
Source: Dark Reading
Author: Roy Akerman
URL: https://www.darkreading.com/endpoint-security/how-to-protect-your-environment-from-the-ntlm-vulnerability
This Tech Tip outlines what enterprise defenders need to do to protect their enterprise environment from the new NTLM vulnerability.
Source: The Red Canary Blog: Information Security Insights
Author: The Red Canary Team
URL: https://redcanary.com/blog/threat-intelligence/intelligence-insights-december-2024/
Paste and run persists and HijackLoader cuts the line to drop LummaC2 in this month’s edition of Intelligence Insights
Source: Dark Reading
Author: Joan Goodchild
URL: https://www.darkreading.com/cybersecurity-operations/managing-threats-when-security-on-vacation
During holidays and slow weeks, teams thin out and attackers move in. Here are strategies to bridge gaps, stay vigilant, and keep systems secure during those lulls.
Source: Dark Reading
Author: Nate Nelson, Contributing Writer
URL: https://www.darkreading.com/application-security/actively-exploited-bug-struts-2
A newly discovered vulnerability, CVE-2024-53677, in the aging Apache framework is going to cause major headaches for IT teams, since patching isn’t enough to fix it.
Source: Varonis Blog
Author: Nathan Coppinger
URL: https://www.varonis.com/blog/data-masking
Databases and data warehouses store vast amounts of sensitive information, making them prime targets for attackers. One of the most effective strategies to mitigate exposure risks and lock down data is data masking, which enables organizations to protect their data by obfuscating it or replacing it with dummy data, rendering it useless to unauthorized users.
Audit logs provide a rich source of data critical to preventing, detecting, understanding, and minimizing the impact of network or data compromise in a timely manner. Collection logs and regular reviews are useful for identifying baselines, establishing operational trends, and detecting abnormalities. In some cases, logging may be the only evidence of a successful attack. CIS Control 8 emphasizes the need for centralized collection and storage and standardization to better coordinate audit log reviews. Some industries have regulatory bodies that require the collection, retention, and review of…
URL: https://www.sans.org/blog/a-prescription-for-windows-prefetch-analysis/
A blog about the latest update to Siftgrab, including a new function that generates several preformatted Excel workbooks.
URL: https://redcanary.com/blog/security-operations/best-of-2024/
As Red Canary wraps up our first decade, take a look back at our best blogs, videos, guides, and webinars of the year.
URL: https://www.tripwire.com/state-of-security/whats-difference-between-dspm-cspm-and-ciem
DSPM, CSPM, and CIEM are more than just a mouthful of acronyms. They are some of today’s most sophisticated tools for managing data security in the cloud. While they are all distinct entities and go about protecting data in different ways, the fact that they all seem to do very much the same thing can lead to a lot of confusion. This, in turn, can sell each of these unique solutions short – after all, they were all created in response to a specific problem. And the cloud is full of complex issues, warranting layered solutions in response. Just like antivirus tools, firewalls, and email…
URL: https://cyberscoop.com/arctic-wolf-cylance-blackberry-acquisition/
The once-prominent technology firm bought Cylance for $1.4 billion in 2018.
The post Arctic Wolf acquires Cylance from BlackBerry for $160 million appeared first on CyberScoop.
URL: https://www.microsoft.com/en-us/security/blog/2024/12/10/new-microsoft-purview-features-help-protect-and-govern-your-data-in-the-era-of-ai/
Microsoft Purview delivers unified data security, governance, and compliance for the era of AI. Read about the new features.
The post New Microsoft Purview features help protect and govern your data in the era of AI appeared first on Microsoft Security Blog.
URL: https://www.microsoft.com/en-us/security/blog/2024/12/11/microsoft-defender-xdr-demonstrates-100-detection-coverage-across-all-cyberattack-stages-in-the-2024-mitre-attck-evaluations-enterprise/
For the sixth year in a row, Microsoft Defender XDR demonstrated industry-leading extended detection and response (XDR) capabilities in the independent MITRE ATT&CK® Evaluations: Enterprise. The cyberattack used during the detection test highlights the importance of a unified XDR platform and showcases Defender XDR as a leading solution for securing your multi-operating system estate.
The post Microsoft Defender XDR demonstrates 100% detection coverage across all cyberattack stages in the 2024 MITRE ATT&CK® Evaluations: Enterprise appeared first on Microsoft Security Blog.
URL: https://www.varonis.com/blog/servicenow
We’re excited to announce that Varonis’ industry-leading Data Security Platform now protects ServiceNow. This expansion enables ServiceNow customers to secure their sensitive data, prevent data breaches, and comply with data regulations.
URL: https://www.rivialsecurity.com/blog/best-vciso-services
For security leaders responsible for safeguarding critical business data, choosing the right vCISO (Virtual Chief Information Security Officer) service is crucial. These vCISO solutions drive technological innovation and operational efficiency, delivering top-tier cybersecurity services that include advanced threat detection and robust incident response strategies.
In this article, we highlight the leading vCISO firms known for their proactive methodologies and dedication to protecting data integrity and maintaining operational resilience. Whether addressing industry-specific risks or implementing scalable security solutions, these vCISO experts represent the highest level of cybersecurity proficiency, helping organizations navigate governance, risk, and compliance management with confidence.
Here is an overview of the CIS Benchmarks that the Center for Internet Security updated or released for December 2024.
A critical flaw in the company’s rate limit for failed sign-in attempts allowed unauthorized access to a user account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more.
Ivanti released security updates to address vulnerabilities in Ivanti Cloud Service Application, Ivanti Desktop and Server Management (DSM), Ivanti Connect Secure and Police Secure, Ivanti Sentry, and Ivanti Patch SDK.
CISA encourages users and administrators to review the following Ivanti security advisories and apply the necessary guidance and updates:
Cortex XDR achieves 100% technique-level detection in the 2024 MITRE ATT&CK evaluation.
The post Cortex XDR Delivers Unmatched 100% Detection in MITRE ATT&CK Round 6 appeared first on Palo Alto Networks Blog.
Ivanti released security updates to address vulnerabilities in Ivanti Cloud Service Application, Ivanti Desktop and Server Management (DSM), Ivanti Connect Secure and Police Secure, Ivanti Sentry, and Ivanti Patch SDK.
CISA encourages users and administrators to review the following Ivanti security advisories and apply the necessary guidance and updates:
The zero-day (CVE-2024-49138), plus a worryingly critical unauthenticated RCE security vulnerability (CVE-2024-49112), are unwanted gifts for security admins this season.
Microsoft released security updates to address vulnerabilities in multiple Microsoft products. A cyber threat actor could exploit some of these vulnerabilities to take control of an affected system.
CISA encourages users and administrators to review the following and apply necessary updates:
Vanir automates the process of scanning source code to identify what security patches are missing.
The second zero-day vulnerability found in Windows NTLM in the past two months paves the way for relay attacks and credential theft. Microsoft has no patch, but released updated NTLM cyberattack mitigation advice.
How NIST is working with Tenable and other private sector stakeholders to better enable zero trust implementation.
Trust no one. Verify everything. All the time. When it comes to cybersecurity and protecting your expanding attack surface, that’s more than a catchphrase. It’s the way you must approach access to your network, systems and assets. Ultimately, this is an approach the federal government must use, expand upon and intertwine into its cybersecurity standards.
When thinking about zero trust, it’s important to understand this is an evolving practice that goes beyond traditional “trust but verify” approaches to cybersecurity. According to a Tenable blog by John Kindervag, who created the Zero Trust Model of Cybersecurity when he was a principal analyst at Forrester Research, “While the zero trust model represents a significant divergence from the legacy, moat-and-castle approach to network security, it can be implemented by practitioners using commercial off-the-shelf technology. And it’s built upon current cyber best practices and sound cyber hygiene, such as vulnerability management, proactive patching and continuous monitoring, already implemented in most organizations today.”
The principles of zero trust require rethinking the trust-but-verify model upon which so much IT infrastructure has been built. It calls for viewing trust as a vulnerability instead and calls for removing the notion of trust from digital systems.
Zero trust is a proactive cybersecurity approach. However, with anything proactive, it’s important to remember there is a constant need for adaptation and new protocols that can withstand the changing threat landscape.
On Dec. 4, NIST released the draft Guidance for Implementing Zero Trust Architecture for public comment. Tenable has been proud to work alongside the NIST National Cybersecurity Center of Excellence (NCCoE) to launch the Zero Trust Architecture Demonstration Project. This collaborative project has brought together multiple industry participants to launch end-to-end zero trust architecture implementations to help industry and government reduce the risk of cyberattacks. As part of this collaborative project, Tenable has participated in a lab demonstration of how to deploy examples of zero trust architecture in hybrid enterprise environments using commercially available technology contributions.
“The […] demonstration project, ‘Implementing a Zero Trust Architecture,’ stands as a critical cybersecurity initiative that showcases the resilience of ZTAs across multiple practical implementations.”
—Alper Kerman, Security Engineer and Principal Lead of the NCCoE Zero Trust Project at NIST
“The NCCoE ZTA demonstration project, ‘Implementing a Zero Trust Architecture,’ stands as a critical cybersecurity initiative that showcases the resilience of ZTAs across multiple practical implementations,” explained Alper Kerman, Security Engineer and Principal Lead of the NCCoE Zero Trust Project at NIST. “Each implementation combines a strategic mix of commercially available products and services, contributed by partner organizations such as Tenable. Their invaluable role in providing enhanced visibility and insights has been essential in strengthening our defenses, ensuring we can safeguard our networks against the ever-evolving landscape of cyberthreats.”
As a main collaborator, Tenable contributed exposure management technology and capabilities for the ZTA Demonstration Protect. As a leader in cybersecurity, Tenable was able to harness its expertise to best use security analytics, building out a program that had orchestration and enforcement capabilities through scanning and assessment, endpoint monitoring, traffic inspection and network discovery.
When implementing a zero trust architecture, it is a foundational imperative for organizations and enterprises to inventory, enumerate and assess every asset on the network. This allows for a better understanding of assets in context and how they are interconnected. Analyzing data from operational technology (OT), internet of things (IoT), IT, cloud and network plays a critical role in helping organizations gain visibility into how assets are interconnected, evaluate exposure based on real-world threats and context, and prioritize remediation and mitigation efforts. Ultimately, it’s important for an organization to completely understand the entire attack surface in order to evaluate which assets are most vulnerable. Zero trust architecture is a way to programmatically collect risk telemetry and make informed decisions that can help reduce exposure. By adopting zero trust architecture approaches, it is possible to make significant progress toward this objective.
At Tenable, we are proud to partner with our government’s leading agencies to develop strategic ways to approach cybersecurity practices. Our technology solutions help the NCCoE develop a use case that exemplifies the ZTA motto — Trust no one. Verify everything. All the time. Organizations, enterprises and federal agencies need a security model that adapts to today’s modern network, embraces remote work and protects users, applications and data wherever they’re located. The NCCoE ZTA practice guide and reference architecture can serve as an outstanding model to help them achieve their cybersecurity objectives.
Learned helplessness and lack of prioritization are two vulnerability management pitfalls cybersecurity teams face. Here’s how an exposure response program can help.
In today’s complex cybersecurity landscape, effective vulnerability management is crucial. Organizations are bombarded with a staggering volume of vulnerabilities every month, and traditional methods often fall short. They tend to just identify issues without offering a sustainable way to tackle them.
Enter exposure response. This approach transforms how teams prioritize, remediate and manage vulnerabilities. Instead of overwhelming teams, exposure response workflows empower them to focus on the most critical threats to their cybersecurity posture.
Why should you care? Here are some common pitfalls organizations face:
Exposure response workflows address these challenges head-on. By leveraging Service Level Agreements (SLAs), teams can maintain focus and drive measurable progress. This shift enhances security outcomes and fosters a resilient, sustainable cybersecurity strategy that adapts to evolving threats.
Exposure response programs are essential for creating a sustainable cybersecurity strategy. By implementing exposure response workflows, teams can avoid being overwhelmed by vulnerabilities.
Teams can become paralyzed by the sheer number of vulnerabilities, leading to inaction.
Instead of trying to fix every issue, they can work within SLAs to prioritize and tackle what matters most, using tools like the Tenable Vulnerability Priority Rating (VPR) and the Common Vulnerability Scoring System (CVSS). This structured approach mitigates risk and empowers leaders to make data-driven decisions, enhancing their cybersecurity posture.
SLAs are tailored deadlines reflecting organizational priorities. SLA-based workflows outperform traditional methods by enabling measurement at the campaign level, providing clearer accountability. This unique approach allows organizations to compare progress internally and against industry peers, driving continuous improvement.
When every vulnerability feels urgent, it becomes impossible to prioritize effectively.
Setting practical SLAs helps teams focus on achievable goals, such as reducing past-due vulnerabilities rather than addressing everything at once. This targeted approach not only supports compliance but also enhances the team’s ability to manage workloads sustainably.
Tracking key metrics provides an accurate assessment of exposure response effectiveness. Three “golden metrics” serve as essential indicators:
When all three metrics are favorable, the exposure response program is performing well. Detailed tracking and reporting offer clear accountability and visibility into remediation efforts, reinforcing the importance of consistent progress.
Incorporating exposure response into vulnerability management gives organizations a structured way to handle cybersecurity risks proactively. By focusing on SLAs and tracking critical metrics, organizations can maintain resilience against threats while fostering a sustainable, impactful security posture. For more insights, check out the accompanying video and other posts in this series.
Keeping vulnerability management efforts focused on achievable goals is key to avoiding cybersecurity team burnout. Here’s how exposure response workflows and SLAs can help.
As organizations grow in the digital age, vulnerability management has become a vital cybersecurity practice. But managing vulnerabilities effectively means more than just identifying potential issues; it’s about setting priorities that align with your organization’s goals and resources. A robust exposure response program elevates this process by creating comprehensive, actionable workflows that prioritize based on real-world impact rather than just risk scores or vulnerability counts. This approach shifts vulnerability management from a reactive scramble into a proactive, sustainable strategy, driven by clear accountability and performance metrics.
Exposure response workflows help teams prioritize risks based on impact and urgency. But prioritizing isn’t enough on its own — effective exposure response requires a practical approach to execution, which is where service level agreements (SLAs) make the difference.
A crucial part of exposure response is establishing SLAs. Unlike traditional methods that rely on cumulative risk scores or vulnerability counts, SLA-based workflows measure performance by individual campaigns and specific accountability metrics. This approach prevents “learned helplessness,” where constant urgency can overwhelm teams and make the workload feel insurmountable.
SLAs help teams focus on attainable goals by defining what ‘critical’ or ‘high’ means based on your organization’s risk appetite, using Common Vulnerability Scoring System (CVSS) or Tenable Vulnerability Priority Rating (VPR) score ranges as benchmarks. This approach reduces the count of past-due critical and high vulnerabilities to zero instead of attempting to fix every issue at once — even if not every vulnerability is resolved immediately.
Moreover, SLAs offer flexibility for specific needs. Industry requirements, such as Payment Card Industry Data Security Standard (PCI-DSS) compliance, may necessitate stricter SLAs for certain areas. Exposure Response in Tenable Vulnerability Management allows teams to set customized SLAs in these contexts without disrupting the overall program.
By establishing realistic SLAs, teams can maintain focus and ensure that critical vulnerabilities are addressed promptly, preventing chaos and inefficiency.
For a deeper dive into these concepts, check out the video below.
With cybersecurity talent hard to come by and companies increasingly looking for guidance and best practices, virtual and fractional chief information security officers can make a lot of sense.
![[New!] Check Out These Powerful New KnowBe4 AI Features](https://blog.knowbe4.com/hubfs/AIDA-Orange-500-RGB.png)
You do not want to miss this one! You can now see our AI Defense Agents (AIDA) live in a demo, now that they are released. Customers can now fight AI with AI !
Source:Packet Storm Security Author:unknown https://packetstormsecurity.com/news/view/36634/US-Takes-Down-Stolen-Credit-Card-Marketplace-PopeyeTools.html Keywords:
A landmark global report from cybersecurity agencies emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the first of our two-part series, we offer five steps you can take today to shore up your AD defenses.
Microsoft’s Active Directory (AD) is at the heart of identity and access management (IAM) for organizations worldwide, making it an attractive target for cyberattackers. Concerns over the risks of AD compromise prompted cybersecurity agencies from Australia, Canada, New Zealand, U.K. and U.S. to issue a landmark report, Detecting and Mitigating Active Directory Compromises. The report, released in September, details 17 attack techniques, from Kerberoasting to Golden Ticket attacks, which, left unchecked, can enable attackers to take total control over systems.
In the first of our two-part series, we look beyond the report’s guidance for detecting and mitigating AD compromises to explore how organizations can institute a dynamic, proactive AD cybersecurity strategy. We discuss how continuous monitoring, adaptive defenses and risk-based prioritization can help security leaders protect their AD infrastructure. We provide five action items you can use to operationalize your identity security strategy.
In part two, we go beyond the basics to provide insight and guidance about additional areas of AD exposure worth addressing.
As the backbone of authentication and authorization in most organizations, AD controls access to sensitive data and critical systems. Identity has become the modern control plane for enterprises, and attackers know that compromising AD can be their gateway to a treasure trove of information and control. High-profile attacks, such as those by Storm-0501 and Conti ransomware, demonstrate the devastating financial and operational impact that can result when AD security is breached.
It’s important to note that the report issued by the cyberagencies — known collectively as the Five Eyes Alliance — is much more than a compliance checklist. Too often, we see organizations approach such cybersecurity guidance by taking a series of one-off actions, assuming that ticking a few boxes ensures lasting security.
In reality, attackers exploit vulnerabilities as soon as they arise. Point-in-time compliance efforts can’t keep up with the adaptive nature of today’s cyberthreats. To stay ahead, organizations must go beyond compliance, adopting a continuous, adaptive approach that anticipates and mitigates risks in real-time, ensuring that AD remains secure against evolving threats.
The guidance from the cybersecurity agencies makes it clear: Active Directory isn’t a "set-it-and-forget-it" system.
As AD environments continuously evolve — whether through new users, permission updates or expanded cloud integrations — cybersecurity strategies must evolve in tandem. Misconfigurations and identity-based vulnerabilities open new doorways to risk because they don’t stay put. This is precisely why organizations must adopt a structured, real-time approach to managing AD, including continuous monitoring, risk-based prioritization and adaptive security practices responsive to the shifting threat landscape.
Operationalizing the report’s guidance requires more than static point-in-time tech fixes. It calls for a series of game-changing steps to keep your AD secure.
Below, we break down five key areas to focus on as you turn the report’s guidance into actionable steps.
Organizations often behave as though AD is a static system, a thing to be configured once and then assumed to be secure. However, as the Five Eyes report illustrates, AD is in constant flux, with each change potentially opening new vulnerabilities. From new hires and permission updates to expanding cloud connections, any shift in AD can create an unseen entry point for attackers. Real-time visibility and continuous monitoring are behavioral steps to stay ahead of evolving risks.
Attackers thrive on hidden weaknesses, like subtle misconfigurations and creeping permission drift, exploiting tactics like DCSync and Kerberoasting to infiltrate your systems silently. Without real-time oversight, these tactics can remain undetected. That’s why it’s essential to identify and prioritize identity weaknesses as soon as they surface — catching risks early stops attackers in their tracks.
Not every weakness in Active Directory carries the same level of risk Treating each issue with equal priority can drain resources while leaving critical exposures unattended. A risk-based model automatically prioritizes AD weaknesses and allows security teams to focus on the exposures that matter most, rather than getting bogged down in low-risk issues.
Among the 17 attack tactics highlighted in the Five Eyes report, some — like DCSync — might be more critical in traditional infrastructures, while others, such as password spraying, may pose a higher risk in cloud-heavy environments. Automated risk scoring tailors prioritization to your organization’s unique setup, ensuring that high-impact threats are addressed promptly.
A resilient Active Directory environment relies on enforcing least-privilege access, granting users only the permissions they need to perform their roles. However, over time, privileges can expand unintentionally — through changes in group memberships, role adjustments or emergency access that is not promptly revoked. This "privilege creep" broadens the attack surface attackers can exploit, as excessive permissions make lateral movement and privilege escalation easier.
Excessive permissions in Active Directory enable various attack techniques, including Silver Ticket compromises where adversaries forge Kerberos tickets for unauthorized access. Without least-privilege enforcement, attackers can exploit over-permissioned accounts to move laterally and access sensitive resources undetected. Proper privilege management is essential to prevent these and other AD-based cyberattacks.
Your security mindset sets the stage for securing AD. We all know that responding to incidents after they occur is painful, especially when there is a chance to preemptively identify and address potential threats. The nature of the Five Eyes guidance is proactive. Understanding Indicators of Exposure (IoE) and looking for those early warning signs can help teams address vulnerabilities before they become an attacker’s foothold in the network.
A reactive approach leaves security teams in constant catch-up mode, dealing with incidents as they happen instead of eliminating root causes. Focusing on IoE systematically closes off pathways that adversaries exploit to infiltrate environments. It also allows security teams to expand their protective reach without adding to their alert fatigue. This equates to a broader security strategy prioritizing long-term resilience over short-term fixes.
Enterprise expansion pits cybersecurity teams against a sprawling landscape of domains, assets and identities — each adding layers of complexity. When security forms a phalanx, with a unified approach of shared insights and tools, efficiency emerges and gaps close. Scaling security demands a cohesive strategy that seamlessly integrates identity management, asset visibility and threat detection into a single, unified framework, ensuring consistent security practices.
Lack of unification is a recipe for disaster. Without a platform that normalizes data and promotes shared understanding, teams work in silos, widening gaps in coverage and leaving critical assets vulnerable. In complex, multi-domain environments, it’s essential to take a unified approach — fostered by integrated, scalable platforms — for fast, coordinated responses to cyberthreats. By closing these gaps, organizations can maintain comprehensive oversight, enabling teams to keep pace with growth while ensuring consistent security across the enterprise.
The above five steps offer a solid foundation for operationalizing the Five Eyes guidance. But stopping there misses important considerations for enhancing and adapting security strategies. In part two of this series, we go beyond the basics, offering guidance on achieving full coverage, addressing modern attack techniques and securing Active Directory and Entra ID as part of a holistic identity security approach.
In the most recent revision of the OWASP Top 10, Broken Access Controls leapt from fifth to first.1 OWASP describes an access control as something that “enforces policy such that […]
The post Finding Access Control Vulnerabilities with Autorize appeared first on Black Hills Information Security.
Source:Packet Storm Security Author:unknown https://packetstormsecurity.com/news/view/36622/MITRE-Updates-List-Of-25-Most-Dangerous-Software-Vulnerabilities.html Keywords: headline,government,usa,flaw
As part of Palo Alto Networks 2025 predictions, read on to uncover Unit 42’s insights on what to expect in the coming year.
The post Unit 42 Predicts the Year of Disruption and Other Top Threats in 2025 appeared first on Palo Alto Networks Blog.