Category: InfoSec

CIS Control 08: Audit Log Management

URL:

Audit logs provide a rich source of data critical to preventing, detecting, understanding, and minimizing the impact of network or data compromise in a timely manner. Log collection and regular reviews are useful for identifying baselines, establishing operational trends, and detecting abnormalities. In some cases, logging may be the only evidence of a successful attack. CIS Control 8 emphasizes the need for centralized collection and storage and standardization to better coordinate audit log reviews. Some industries have regulatory bodies that require the collection, retention, and review of…

Varonis Adds Dynamic Data Masking to Unified Data Security Platform

Source: Varonis Blog
Author: Nathan Coppinger
URL: https://www.varonis.com/blog/data-masking

Databases and data warehouses store vast amounts of sensitive information, making them prime targets for attackers. One of the most effective strategies to mitigate exposure risks and lock down data is data masking, which enables organizations to protect their data by obfuscating it or replacing it with dummy data, rendering it useless to unauthorized users.

What’s the Difference Between DSPM, CSPM, and CIEM?

URL: https://www.tripwire.com/state-of-security/whats-difference-between-dspm-cspm-and-ciem

DSPM, CSPM, and CIEM are more than just a mouthful of acronyms. They are some of today’s most sophisticated tools for managing data security in the cloud. While they are all distinct entities and go about protecting data in different ways, the fact that they all seem to do very much the same thing can lead to a lot of confusion. This, in turn, can sell each of these unique solutions short – after all, they were all created in response to a specific problem. And the cloud is full of complex issues, warranting layered solutions in response. Just like antivirus tools, firewalls, and email…

New Microsoft Purview features help protect and govern your data in the era of AI

URL: https://www.microsoft.com/en-us/security/blog/2024/12/10/new-microsoft-purview-features-help-protect-and-govern-your-data-in-the-era-of-ai/

Microsoft Purview delivers unified data security, governance, and compliance for the era of AI. Read about the new features.

The post New Microsoft Purview features help protect and govern your data in the era of AI appeared first on Microsoft Security Blog.

Microsoft Defender XDR demonstrates 100% detection coverage across all cyberattack stages in the 2024 MITRE ATT&CK® Evaluations: Enterprise​​

URL: https://www.microsoft.com/en-us/security/blog/2024/12/11/microsoft-defender-xdr-demonstrates-100-detection-coverage-across-all-cyberattack-stages-in-the-2024-mitre-attck-evaluations-enterprise/

For the sixth year in a row, Microsoft Defender XDR demonstrated industry-leading extended detection and response (XDR) capabilities in the independent MITRE ATT&CK® Evaluations: Enterprise. The cyberattack used during the detection test highlights the importance of a unified XDR platform and showcases Defender XDR as a leading solution for securing your multi-operating system estate.

The post Microsoft Defender XDR demonstrates 100% detection coverage across all cyberattack stages in the 2024 MITRE ATT&CK® Evaluations: Enterprise​​ appeared first on Microsoft Security Blog.

Ivanti Releases Security Updates for Multiple Products

Ivanti released security updates to address vulnerabilities in Ivanti Cloud Service Application, Ivanti Desktop and Server Management (DSM), Ivanti Connect Secure and Policy Secure, Ivanti Sentry, and Ivanti Patch SDK.

CISA encourages users and administrators to review the following Ivanti security advisories and apply the necessary guidance and updates:

  • Ivanti Cloud Service Application
  • Ivanti Desktop and Server Management (DSM)
  • Ivanti Connect Secure and Policy Secure
  • Ivanti Sentry
  • Ivanti Patch SDK (This also affects Ivanti Endpoint Manager (EPM), Ivanti Security Controls, Ivanti Neurons Agent, Ivanti Neurons for Patch Management, and Ivanti Patch for Configuration Manager.)

10 Best Virtual CISO Services for 2025 | Rivial Security

URL: https://www.rivialsecurity.com/blog/best-vciso-services

For security leaders responsible for safeguarding critical business data, choosing the right vCISO (Virtual Chief Information Security Officer) service is crucial. These vCISO solutions drive technological innovation and operational efficiency, delivering top-tier cybersecurity services that include advanced threat detection and robust incident response strategies.

In this article, we highlight the leading vCISO firms known for their proactive methodologies and dedication to protecting data integrity and maintaining operational resilience. Whether addressing industry-specific risks or implementing scalable security solutions, these vCISO experts represent the highest level of cybersecurity proficiency, helping organizations navigate governance, risk, and compliance management with confidence.

Making Zero Trust Architecture Achievable

How NIST is working with Tenable and other private sector stakeholders to better enable zero trust implementation.

Trust no one. Verify everything. All the time. When it comes to cybersecurity and protecting your expanding attack surface, that’s more than a catchphrase. It’s the way you must approach access to your network, systems and assets. Ultimately, this is an approach the federal government must use, expand upon and intertwine into its cybersecurity standards.

When thinking about zero trust, it’s important to understand this is an evolving practice that goes beyond traditional “trust but verify” approaches to cybersecurity. According to a Tenable blog by John Kindervag, who created the Zero Trust Model of Cybersecurity when he was a principal analyst at Forrester Research, “While the zero trust model represents a significant divergence from the legacy, moat-and-castle approach to network security, it can be implemented by practitioners using commercial off-the-shelf technology. And it’s built upon current cyber best practices and sound cyber hygiene, such as vulnerability management, proactive patching and continuous monitoring, already implemented in most organizations today.”

It’s time to rethink the trust-but-verify model of cybersecurity

The principles of zero trust require rethinking the trust-but-verify model upon which so much IT infrastructure has been built. Instead, zero trust treats trust itself as a vulnerability and calls for removing the notion of trust from digital systems.

Zero trust is a proactive cybersecurity approach. However, with anything proactive, it’s important to remember there is a constant need for adaptation and new protocols that can withstand the changing threat landscape.

On Dec. 4, NIST released the draft Guidance for Implementing Zero Trust Architecture for public comment. Tenable has been proud to work alongside the NIST National Cybersecurity Center of Excellence (NCCoE) to launch the Zero Trust Architecture Demonstration Project. This collaborative project has brought together multiple industry participants to launch end-to-end zero trust architecture implementations to help industry and government reduce the risk of cyberattacks. As part of this collaborative project, Tenable has participated in a lab demonstration of how to deploy examples of zero trust architecture in hybrid enterprise environments using commercially available technology contributions.

“The NCCoE ZTA demonstration project, ‘Implementing a Zero Trust Architecture,’ stands as a critical cybersecurity initiative that showcases the resilience of ZTAs across multiple practical implementations,” explained Alper Kerman, Security Engineer and Principal Lead of the NCCoE Zero Trust Project at NIST. “Each implementation combines a strategic mix of commercially available products and services, contributed by partner organizations such as Tenable. Their invaluable role in providing enhanced visibility and insights has been essential in strengthening our defenses, ensuring we can safeguard our networks against the ever-evolving landscape of cyberthreats.”

As a main collaborator, Tenable contributed exposure management technology and capabilities for the ZTA Demonstration Project. As a leader in cybersecurity, Tenable was able to harness its expertise to best use security analytics, building out a program that had orchestration and enforcement capabilities through scanning and assessment, endpoint monitoring, traffic inspection and network discovery.

When implementing a zero trust architecture, it is a foundational imperative for organizations and enterprises to inventory, enumerate and assess every asset on the network. This allows for a better understanding of assets in context and how they are interconnected. Analyzing data from operational technology (OT), internet of things (IoT), IT, cloud and network plays a critical role in helping organizations gain visibility into how assets are interconnected, evaluate exposure based on real-world threats and context, and prioritize remediation and mitigation efforts. Ultimately, it’s important for an organization to completely understand the entire attack surface in order to evaluate which assets are most vulnerable. Zero trust architecture is a way to programmatically collect risk telemetry and make informed decisions that can help reduce exposure. By adopting zero trust architecture approaches, it is possible to make significant progress toward this objective.

At Tenable, we are proud to partner with our government’s leading agencies to develop strategic ways to approach cybersecurity practices. Our technology solutions help the NCCoE develop a use case that exemplifies the ZTA motto — Trust no one. Verify everything. All the time. Organizations, enterprises and federal agencies need a security model that adapts to today’s modern network, embraces remote work and protects users, applications and data wherever they’re located. The NCCoE ZTA practice guide and reference architecture can serve as an outstanding model to help them achieve their cybersecurity objectives.

If You Only Have 3 Minutes: Key Elements of Effective Exposure Response

Learned helplessness and lack of prioritization are two vulnerability management pitfalls cybersecurity teams face. Here’s how an exposure response program can help.

In today’s complex cybersecurity landscape, effective vulnerability management is crucial. Organizations are bombarded with a staggering volume of vulnerabilities every month, and traditional methods often fall short. They tend to just identify issues without offering a sustainable way to tackle them.

Enter exposure response. This approach transforms how teams prioritize, remediate and manage vulnerabilities. Instead of overwhelming teams, exposure response workflows empower them to focus on the most critical threats to their cybersecurity posture.

Why should you care? Here are some common pitfalls organizations face:

  • Learned helplessness: Teams can become paralyzed by the sheer number of vulnerabilities, leading to inaction.
  • Emergency mode: When every vulnerability feels urgent, it becomes impossible to prioritize effectively.

Exposure response workflows address these challenges head-on. By leveraging Service Level Agreements (SLAs), teams can maintain focus and drive measurable progress. This shift enhances security outcomes and fosters a resilient, sustainable cybersecurity strategy that adapts to evolving threats.

Why exposure response matters

Exposure response programs are essential for creating a sustainable cybersecurity strategy. By implementing exposure response workflows, teams can avoid being overwhelmed by vulnerabilities.

Instead of trying to fix every issue, they can work within SLAs to prioritize and tackle what matters most, using tools like the Tenable Vulnerability Priority Rating (VPR) and the Common Vulnerability Scoring System (CVSS). This structured approach mitigates risk and empowers leaders to make data-driven decisions, enhancing their cybersecurity posture.

SLAs: The foundation of effective exposure response

SLAs are tailored deadlines reflecting organizational priorities. SLA-based workflows outperform traditional methods by enabling measurement at the campaign level, providing clearer accountability. This unique approach allows organizations to compare progress internally and against industry peers, driving continuous improvement.

Setting practical SLAs helps teams focus on achievable goals, such as reducing past-due vulnerabilities rather than addressing everything at once. This targeted approach not only supports compliance but also enhances the team’s ability to manage workloads sustainably.

The golden metrics: Keys to a well-functioning exposure response program

Tracking key metrics provides an accurate assessment of exposure response effectiveness. Three “golden metrics” serve as essential indicators:

  • Vulnerability age: This is the age of your unresolved vulnerabilities. Shorter ages indicate rapid identification and resolution.
  • Mean time to remediate (MTTR): Measures how long your vulnerabilities remain open.
  • Percentage of vulnerabilities remediated: Reflects the scope of remediation efforts and the team’s overall effectiveness.

When all three metrics are favorable, the exposure response program is performing well. Detailed tracking and reporting offer clear accountability and visibility into remediation efforts, reinforcing the importance of consistent progress.

Moving forward

Incorporating exposure response into vulnerability management gives organizations a structured way to handle cybersecurity risks proactively. By focusing on SLAs and tracking critical metrics, organizations can maintain resilience against threats while fostering a sustainable, impactful security posture. For more insights, check out the accompanying video and other posts in this series.

Video: Vulnerability Management Key Elements for Effective Exposure Response

If You Only Have 2 Minutes: Best Practices for Setting Exposure Response SLAs

Keeping vulnerability management efforts focused on achievable goals is key to avoiding cybersecurity team burnout. Here’s how exposure response workflows and SLAs can help.

As organizations grow in the digital age, vulnerability management has become a vital cybersecurity practice. But managing vulnerabilities effectively means more than just identifying potential issues; it’s about setting priorities that align with your organization’s goals and resources. A robust exposure response program elevates this process by creating comprehensive, actionable workflows that prioritize based on real-world impact rather than just risk scores or vulnerability counts. This approach shifts vulnerability management from a reactive scramble into a proactive, sustainable strategy, driven by clear accountability and performance metrics.

Exposure response workflows help teams prioritize risks based on impact and urgency. But prioritizing isn’t enough on its own — effective exposure response requires a practical approach to execution, which is where service level agreements (SLAs) make the difference.

Setting the pace: How SLAs guide effective exposure response

A crucial part of exposure response is establishing SLAs. Unlike traditional methods that rely on cumulative risk scores or vulnerability counts, SLA-based workflows measure performance by individual campaigns and specific accountability metrics. This approach prevents “learned helplessness,” where constant urgency can overwhelm teams and make the workload feel insurmountable. 

Managing SLAs for achievable goals

SLAs help teams focus on attainable goals by defining what ‘critical’ or ‘high’ means based on your organization’s risk appetite, using Common Vulnerability Scoring System (CVSS) or Tenable Vulnerability Priority Rating (VPR) score ranges as benchmarks. The goal then becomes driving the count of past-due critical and high vulnerabilities to zero, rather than attempting to fix every issue at once, even if not every vulnerability is resolved immediately.

Moreover, SLAs offer flexibility for specific needs. Industry requirements, such as Payment Card Industry Data Security Standard (PCI-DSS) compliance, may necessitate stricter SLAs for certain areas. Exposure Response in Tenable Vulnerability Management allows teams to set customized SLAs in these contexts without disrupting the overall program.
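The following Python is an added example, not code from Tenable or from either post above. It computes the three golden metrics described earlier (vulnerability age, MTTR and percentage remediated) and the past-due work queue over a constructed set of findings, using an assumed SLA policy that bands findings by CVSS base score and applies a stricter deadline to assets tagged for PCI scope, as the paragraph on customized SLAs describes. The severity floors, deadlines, asset names, plugin ids and dates are all constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed SLA policy (an assumption for this example, not Tenable's defaults):
# severity bands keyed on CVSS base score, and a remediation deadline in days from first detection.
CVSS_FLOORS = [("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.0)]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
# Stricter deadlines for a tagged scope (constructed values standing in for a PCI-DSS requirement).
SLA_OVERRIDES = {"pci": {"critical": 3, "high": 15}}


@dataclass
class Finding:
    asset: str
    plugin_id: str
    cvss: float
    first_seen: date
    fixed_on: Optional[date] = None
    tags: tuple = ()

    @property
    def severity(self) -> str:
        return next(name for name, floor in CVSS_FLOORS if self.cvss >= floor)

    def sla_days(self) -> int:
        # The tightest deadline among the default band and any scope override wins.
        days = SLA_DAYS[self.severity]
        for tag in self.tags:
            days = min(days, SLA_OVERRIDES.get(tag, {}).get(self.severity, days))
        return days

    def age_days(self, today: date) -> int:
        """Open findings age until today; closed ones stop at the fix date (their time to remediate)."""
        return ((self.fixed_on or today) - self.first_seen).days

    def is_past_due(self, today: date) -> bool:
        return self.fixed_on is None and self.age_days(today) > self.sla_days()


def golden_metrics(findings, today):
    """Vulnerability age, MTTR and percentage remediated, plus past-due counts per severity."""
    open_ = [f for f in findings if f.fixed_on is None]
    closed = [f for f in findings if f.fixed_on is not None]

    def mean(values):
        return sum(values) / len(values) if values else 0.0

    past_due = {sev: 0 for sev in SLA_DAYS}
    for f in open_:
        if f.is_past_due(today):
            past_due[f.severity] += 1
    return {
        "mean_open_age_days": mean([f.age_days(today) for f in open_]),
        "mttr_days": mean([f.age_days(today) for f in closed]),
        "pct_remediated": 100.0 * len(closed) / len(findings) if findings else 0.0,
        "past_due": past_due,
    }


def past_due_findings(findings, today):
    """The SLA work queue: (asset, plugin, severity, days overdue), sorted by asset."""
    return sorted((f.asset, f.plugin_id, f.severity, f.age_days(today) - f.sla_days())
                  for f in findings if f.is_past_due(today))


# Constructed sample findings as of a fixed reporting date.
TODAY = date(2024, 12, 15)
SAMPLE_FINDINGS = [
    Finding("web01", "p-1001", 9.8, date(2024, 12, 1)),                      # critical, open 14 days
    Finding("web01", "p-1002", 7.5, date(2024, 11, 1), date(2024, 11, 20)),   # high, fixed in 19 days
    Finding("db01", "p-1003", 10.0, date(2024, 12, 10), tags=("pci",)),       # critical, open 5 days, PCI scope
    Finding("db01", "p-1004", 5.3, date(2024, 10, 5), tags=("pci",)),         # medium, open 71 days
    Finding("app02", "p-1005", 8.1, date(2024, 11, 10), date(2024, 12, 14)),  # high, fixed in 34 days
    Finding("app02", "p-1006", 3.1, date(2024, 6, 1), date(2024, 11, 20)),    # low, fixed in 172 days
]

if __name__ == "__main__":
    print(golden_metrics(SAMPLE_FINDINGS, TODAY))
    for row in past_due_findings(SAMPLE_FINDINGS, TODAY):
        print("past due:", row)
```

Note that the db01 critical finding is only five days old, inside the default seven-day window, yet lands in the past-due queue because the PCI override shortens its deadline to three days; the medium finding on the same asset stays within its 90-day SLA. That is the behaviour the text describes: a stricter SLA for one scope without disturbing the rest of the program.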

Moving forward with exposure response

By establishing realistic SLAs, teams can maintain focus and ensure that critical vulnerabilities are addressed promptly, preventing chaos and inefficiency.

For a deeper dive into these concepts, check out the video below.

Active Directory Under Attack: Five Eyes Guidance Targets Crucial Security Gaps

A landmark global report from cybersecurity agencies emphasizes 17 attack techniques against Microsoft Active Directory and cautions organizations to step up protections. In the first of our two-part series, we offer five steps you can take today to shore up your AD defenses.

Microsoft’s Active Directory (AD) is at the heart of identity and access management (IAM) for organizations worldwide, making it an attractive target for cyberattackers. Concerns over the risks of AD compromise prompted cybersecurity agencies from Australia, Canada, New Zealand, U.K. and U.S. to issue a landmark report, Detecting and Mitigating Active Directory Compromises. The report, released in September, details 17 attack techniques, from Kerberoasting to Golden Ticket attacks, which, left unchecked, can enable attackers to take total control over systems.

In the first of our two-part series, we look beyond the report’s guidance for detecting and mitigating AD compromises to explore how organizations can institute a dynamic, proactive AD cybersecurity strategy. We discuss how continuous monitoring, adaptive defenses and risk-based prioritization can help security leaders protect their AD infrastructure. We provide five action items you can use to operationalize your identity security strategy.

In part two, we go beyond the basics to provide insight and guidance about additional areas of AD exposure worth addressing.

Attackers see AD as a gateway

As the backbone of authentication and authorization in most organizations, AD controls access to sensitive data and critical systems. Identity has become the modern control plane for enterprises, and attackers know that compromising AD can be their gateway to a treasure trove of information and control. High-profile attacks, such as those by Storm-0501 and Conti ransomware, demonstrate the devastating financial and operational impact that can result when AD security is breached.

It’s important to note that the report issued by the cyberagencies — known collectively as the Five Eyes Alliance — is much more than a compliance checklist. Too often, we see organizations approach such cybersecurity guidance by taking a series of one-off actions, assuming that ticking a few boxes ensures lasting security.

In reality, attackers exploit vulnerabilities as soon as they arise. Point-in-time compliance efforts can’t keep up with the adaptive nature of today’s cyberthreats. To stay ahead, organizations must go beyond compliance, adopting a continuous, adaptive approach that anticipates and mitigates risks in real-time, ensuring that AD remains secure against evolving threats.

From insight to action: Operationalizing the report’s recommendations

The guidance from the cybersecurity agencies makes it clear: Active Directory isn’t a "set-it-and-forget-it" system.

As AD environments continuously evolve — whether through new users, permission updates or expanded cloud integrations — cybersecurity strategies must evolve in tandem. Misconfigurations and identity-based vulnerabilities open new doorways to risk because they don’t stay put. This is precisely why organizations must adopt a structured, real-time approach to managing AD, including continuous monitoring, risk-based prioritization and adaptive security practices responsive to the shifting threat landscape.

Operationalizing the report’s guidance requires more than static point-in-time tech fixes. It calls for a series of game-changing steps to keep your AD secure.

Below, we break down five key areas to focus on as you turn the report’s guidance into actionable steps.

1. Continuously monitor with real-time visibility

Organizations often behave as though AD is a static system, a thing to be configured once and then assumed to be secure. However, as the Five Eyes report illustrates, AD is in constant flux, with each change potentially opening new vulnerabilities. From new hires and permission updates to expanding cloud connections, any shift in AD can create an unseen entry point for attackers. Real-time visibility and continuous monitoring are essential steps to stay ahead of evolving risks.

Why it matters

Attackers thrive on hidden weaknesses, like subtle misconfigurations and creeping permission drift, exploiting tactics like DCSync and Kerberoasting to infiltrate your systems silently. Without real-time oversight, these tactics can remain undetected. That’s why it’s essential to identify and prioritize identity weaknesses as soon as they surface — catching risks early stops attackers in their tracks.

What to do
  • Automate monitoring: Implement tools that trigger real-time alerts on AD changes — flagging unexpected privilege escalations, risky permission shifts and service account modifications that could indicate an active breach attempt.
  • Detect toxic combinations: Continuous monitoring allows security teams to spot dangerous combinations of permissions and misconfigurations — such as high privileges combined with weak passwords or accounts with overlapping permissions — before they’re exploited.
  • Implement immediate remediation: Establish processes for immediate response when high-risk changes are detected. The ability to revoke excessive permissions or adjust configurations in real-time significantly limits opportunities for attackers to escalate their actions.
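As an added example of the monitoring described above (not code from Tenable or from the Five Eyes report), the following Python runs a few detection rules over constructed, simplified Windows Security event records: additions to Tier-0 groups (events 4728/4732/4756), use of directory replication rights by something other than a domain controller in event 4662 (the DCSync pattern named earlier), changes to registered service accounts (event 4738), and one principal requesting RC4 service tickets for several SPN-holding accounts in event 4769 (the Kerberoasting pattern). The domain controller and service account lists, the threshold and all sample records are assumptions constructed for the example; the replication-rights GUIDs and event ids are the standard Windows values.

```python
from collections import defaultdict

# Extended-rights GUIDs that appear in the Properties field of Security event 4662
# when a principal requests directory replication (the DCSync pattern).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
GROUP_ADD_EVENTS = {4728, 4732, 4756}   # member added to a global / local / universal security group
RC4_HMAC = "0x17"                       # TicketEncryptionType for RC4 service tickets in event 4769
KERBEROAST_MIN_SERVICES = 3             # distinct SPN accounts requested with RC4 by one principal

# Constructed environment knowledge (assumptions): domain controller computer accounts, which
# legitimately replicate, and the accounts the organisation has registered as service accounts.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
SERVICE_ACCOUNTS = {"svc_sql", "svc_backup"}


def analyze(events):
    """Return (rule, actor, detail) alerts for a batch of simplified 4728/4756/4662/4738/4769 records."""
    alerts = []
    rc4_requests = defaultdict(set)  # requesting account -> service accounts asked for with RC4
    for ev in events:
        eid = ev["EventID"]
        if eid in GROUP_ADD_EVENTS and ev["GroupName"] in TIER0_GROUPS:
            alerts.append(("privileged_group_add", ev["SubjectUserName"],
                           f'{ev["MemberName"]} added to {ev["GroupName"]}'))
        elif (eid == 4662 and REPLICATION_GUIDS & set(ev.get("Properties", ()))
              and ev["SubjectUserName"] not in DOMAIN_CONTROLLERS):
            alerts.append(("dcsync_replication", ev["SubjectUserName"],
                           f'replication rights used on {ev["ObjectName"]}'))
        elif eid == 4738 and ev["TargetUserName"] in SERVICE_ACCOUNTS:
            alerts.append(("service_account_change", ev["SubjectUserName"],
                           f'{ev["TargetUserName"]}: {", ".join(ev["ChangedAttributes"])}'))
        elif (eid == 4769 and ev["TicketEncryptionType"] == RC4_HMAC
              and not ev["ServiceName"].endswith("$") and ev["ServiceName"] != "krbtgt"):
            # Computer accounts and krbtgt are excluded; the pattern of interest is many
            # RC4 tickets for user-type service accounts from a single requester.
            rc4_requests[ev["TargetUserName"]].add(ev["ServiceName"])
    for user, services in rc4_requests.items():
        if len(services) >= KERBEROAST_MIN_SERVICES:
            alerts.append(("kerberoast_pattern", user, ", ".join(sorted(services))))
    return alerts


# Constructed sample records, simplified from the Security event log fields.
SAMPLE_EVENTS = [
    {"EventID": 4728, "SubjectUserName": "jdoe", "MemberName": "bob", "GroupName": "Domain Admins"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "MemberName": "alice", "GroupName": "Sales"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectName": "DC=corp,DC=example",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2", "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectName": "DC=corp,DC=example",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4738, "SubjectUserName": "jdoe", "TargetUserName": "svc_backup",
     "ChangedAttributes": ["UserAccountControl"]},
    {"EventID": 4738, "SubjectUserName": "helpdesk1", "TargetUserName": "carol",
     "ChangedAttributes": ["DisplayName"]},
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "DC01$", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},
]

if __name__ == "__main__":
    for rule, actor, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {actor}: {detail}")
```

The replication rule is the one that most needs tuning in practice: the allowlist must contain every domain controller and any legitimate replication consumer (for example an identity-sync service account), or the rule floods. Keeping that list in a monitored place is itself part of the continuous-monitoring posture the section argues for.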

2. Automate risk-based prioritization

Not every weakness in Active Directory carries the same level of risk. Treating each issue with equal priority can drain resources while leaving critical exposures unattended. A risk-based model automatically prioritizes AD weaknesses and allows security teams to focus on the exposures that matter most, rather than getting bogged down in low-risk issues.

Why it matters

Among the 17 attack tactics highlighted in the Five Eyes report, some — like DCSync — might be more critical in traditional infrastructures, while others, such as password spraying, may pose a higher risk in cloud-heavy environments. Automated risk scoring tailors prioritization to your organization’s unique setup, ensuring that high-impact threats are addressed promptly.

What to do
  • Focus on dynamic risk scoring: Leverage tools that continuously evaluate and rank vulnerabilities, prioritizing them by exposure level, privilege escalation risks and known attack vectors. Start pinpointing the most exploitable risks so teams can zero in, ensuring critical exposures don’t go unnoticed.
  • Map potential attack paths: Visualizing attack paths to critical assets helps pinpoint which weaknesses are likely to be targeted and enables teams to allocate resources effectively.
  • Prioritize for your environment: Tailor prioritization to fit your specific infrastructure — whether it’s primarily on-premises, cloud-based or hybrid — so that the highest-risk exposures in your unique environment are addressed first.

3. Build operational resilience through least-privilege access

A resilient Active Directory environment relies on enforcing least-privilege access, granting users only the permissions they need to perform their roles. However, over time, privileges can expand unintentionally — through changes in group memberships, role adjustments or emergency access that is not promptly revoked. This "privilege creep" broadens the attack surface attackers can exploit, as excessive permissions make lateral movement and privilege escalation easier.

Why it matters

Excessive permissions in Active Directory enable various attack techniques, including Silver Ticket compromises where adversaries forge Kerberos tickets for unauthorized access. Without least-privilege enforcement, attackers can exploit over-permissioned accounts to move laterally and access sensitive resources undetected. Proper privilege management is essential to prevent these and other AD-based cyberattacks.

What to do
  • Implement automated monthly scans: These can identify accounts with excessive privileges or permissions, flagging them for immediate review.
  • Use role-based permission templates: These can standardize access across accounts, ensuring only the necessary privileges are granted.
  • Enforce a 24-hour revoke policy: This limits temporary or emergency access, quickly closing off potential attack paths.
  • Regularly audit service accounts: Giving service accounts a regular "check-up" ensures their privileges align with their job description and that they aren’t offering attackers any uninvited perks.
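The following Python is an added example (not code from Tenable or from the report) of the monthly least-privilege scan described above, run over a constructed account inventory. It flags every Tier-0 group member for review, the toxic combinations from the continuous-monitoring section (a privileged account that also has a service principal name, a password that never expires, or a stale password), service accounts whose password has not rotated, and emergency grants held past the 24-hour revoke window. The group list, rotation thresholds, account names and timestamps are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Constructed policy thresholds (assumptions for this example, not values from the report).
PRIVILEGED_PASSWORD_MAX_DAYS = 90      # privileged accounts must rotate at least this often
SERVICE_PASSWORD_MAX_DAYS = 365        # accounts with SPNs must rotate at least this often
TEMP_ACCESS_MAX = timedelta(hours=24)  # the 24-hour revoke policy for emergency access


@dataclass
class Account:
    name: str
    groups: set                  # permanent group memberships
    password_last_set: datetime
    password_never_expires: bool = False
    spns: tuple = ()             # registered service principal names (marks a service account)
    temp_grants: tuple = ()      # (group, granted_at) pairs for emergency / just-in-time access


def audit(accounts, now):
    """Return (account, rule, detail) findings for the least-privilege review."""
    findings = []
    for acct in accounts:
        privileged = sorted(acct.groups & TIER0_GROUPS)
        pwd_age = now - acct.password_last_set
        if privileged:
            # Every Tier-0 membership is reviewed; combinations that help an attacker get their own finding.
            findings.append((acct.name, "privileged_member", ", ".join(privileged)))
            if acct.spns:
                findings.append((acct.name, "toxic_privileged_spn", ", ".join(acct.spns)))
            if acct.password_never_expires:
                findings.append((acct.name, "toxic_privileged_password_never_expires", ""))
            elif pwd_age > timedelta(days=PRIVILEGED_PASSWORD_MAX_DAYS):
                findings.append((acct.name, "toxic_privileged_stale_password", f"{pwd_age.days} days"))
        elif acct.spns and pwd_age > timedelta(days=SERVICE_PASSWORD_MAX_DAYS):
            findings.append((acct.name, "service_account_stale_password", f"{pwd_age.days} days"))
        for group, granted_at in acct.temp_grants:
            held = now - granted_at
            if held > TEMP_ACCESS_MAX:
                hours = held.total_seconds() / 3600
                findings.append((acct.name, "temp_grant_overdue", f"{group} held {hours:.0f} h"))
    return findings


# Constructed inventory as of a fixed scan time.
NOW = datetime(2024, 12, 15, 10, 0)
SAMPLE_ACCOUNTS = [
    Account("jdoe", {"Domain Admins", "Sales"}, datetime(2024, 1, 10)),
    Account("svc_sql", {"Domain Admins"}, datetime(2024, 11, 1), password_never_expires=True,
            spns=("MSSQLSvc/db01.corp.example:1433",)),
    Account("svc_backup", {"Backup Operators"}, datetime(2022, 5, 1), password_never_expires=True,
            spns=("backup/bk01.corp.example",)),
    Account("alice", {"Sales"}, datetime(2024, 12, 1),
            temp_grants=(("Administrators", datetime(2024, 12, 13, 9, 0)),)),   # 49 h ago: overdue
    Account("bob", {"Helpdesk"}, datetime(2024, 12, 1),
            temp_grants=(("Administrators", datetime(2024, 12, 15, 8, 0)),)),   # 2 h ago: still valid
]

if __name__ == "__main__":
    for name, rule, detail in audit(SAMPLE_ACCOUNTS, NOW):
        print(f"{name:12} {rule:42} {detail}")
```

The svc_sql account is the case the text calls a toxic combination: Domain Admins membership, a registered SPN and a non-expiring password together, each of which alone might be tolerated. bob's emergency grant produces nothing because it is still inside the 24-hour window; the same inventory scanned a day later would flag it.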

4. Set the stage for success with a preventive mindset

Your security mindset sets the stage for securing AD. We all know that responding to incidents after they occur is painful, especially when there is a chance to preemptively identify and address potential threats. The nature of the Five Eyes guidance is proactive. Understanding Indicators of Exposure (IoE) and looking for those early warning signs can help teams address vulnerabilities before they become an attacker’s foothold in the network.

Why it matters

A reactive approach leaves security teams in constant catch-up mode, dealing with incidents as they happen instead of eliminating root causes. Focusing on IoE systematically closes off pathways that adversaries exploit to infiltrate environments. It also allows security teams to expand their protective reach without adding to their alert fatigue. This equates to a broader security strategy prioritizing long-term resilience over short-term fixes.

What to do
  • Adopt an "assume breach" mindset: Treat every vulnerability as a potential entry point and monitor for exposure gaps around critical assets.
  • Focus on IoE: Identify and track early signs of risk, such as misconfigurations or unusual permission changes. It is better to prevent breaches than to detect them after they happen.
  • Battle-test defenses: Red team like you mean it. Don’t just defend — pressure test. The best defenders aren’t the ones who’ve never been hit — they’re the ones who’ve learned from every attempted breach, actual or simulated.
  • Continuously tune detection and response processes: Ensure your detection and response strategies are agile and adapt to the evolving threat landscape.

5. Ensure scalable, unified security operations across the enterprise

Enterprise expansion pits cybersecurity teams against a sprawling landscape of domains, assets and identities — each adding layers of complexity. When security forms a phalanx, with a unified approach of shared insights and tools, efficiency emerges and gaps close. Scaling security demands a cohesive strategy that seamlessly integrates identity management, asset visibility and threat detection into a single, unified framework, ensuring consistent security practices.

Why it matters

Lack of unification is a recipe for disaster. Without a platform that normalizes data and promotes shared understanding, teams work in silos, widening gaps in coverage and leaving critical assets vulnerable. In complex, multi-domain environments, it’s essential to take a unified approach — fostered by integrated, scalable platforms — for fast, coordinated responses to cyberthreats. By closing these gaps, organizations can maintain comprehensive oversight, enabling teams to keep pace with growth while ensuring consistent security across the enterprise.

What to do
  • Integrate AD monitoring with broader IT operations: Align AD security monitoring with other IT functions through a unified platform. This will ensure all domains, whether cloud-based or on-premises, are monitored under a single pane of glass.
  • Streamline IAM: Implement centralized IAM solutions to consistently manage identities across all environments, reducing the risk of orphaned accounts or inconsistent permissions.
  • Automate policy enforcement: Use automation to enforce security policies across all domains, ensuring real-time adjustments and adherence to best practices as infrastructure changes.
  • Enable cross-functional collaboration: Break down silos by fostering collaboration between IT, security and operations teams, enabling quicker response times and better information sharing.

What’s next: Additional considerations for comprehensive AD security

The above five steps offer a solid foundation for operationalizing the Five Eyes guidance. But stopping there misses important considerations for enhancing and adapting security strategies. In part two of this series, we go beyond the basics, offering guidance on achieving full coverage, addressing modern attack techniques and securing Active Directory and Entra ID as part of a holistic identity security approach.
