“Security” and “overtime” go hand in hand. According to a recent survey, one in five CISOs works 65 hours a week, not the 38 or 40 written in their contract. Average overtime clocks in at 16 hours a week. The same is true for the rank-and-file infosec employees — roughly half complain of burnout due to constant stress and overwork. At the same time, staff shortages and budget constraints make it very hard to do the obvious thing: hire more people. But there are other options! We investigated the most time-consuming tasks faced by security teams, and how to speed them up.

Security alerts

The sure winner in the “timewaster” category is the alerts generated by corporate IT and infosec systems. Since these systems often number in the dozens, they produce thousands of events that need to be handled. On average, a security expert has to review 23 alerts an hour, and the stream doesn't stop with the working day: 38% of respondents admitted to having to respond to alerts at night.

What to do

  1. Use more solutions from the same vendor. A centralized management console with an integrated alert system reduces the number of alerts and speeds up their processing.
  2. Implement automation. For example, an XDR solution can automate typical analysis and response scenarios and reduce the number of alerts by combining disparate events into a single incident.
  3. Leverage an MSSP, an MDR service, or a commercial SOC. This is the most efficient way to scale alert handling flexibly. Full-time team members can then focus on building overall security and investigating complex incidents.
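As an added illustration of the grouping described in item 2 (example code written for this page, not any vendor's XDR logic): alerts from different products that concern the same host or account and arrive within a sliding window are merged into one incident, and an incident that two independent products agree on is bumped in priority. The alert fields, the 30-minute window and the sample feed are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    ts: datetime
    source: str    # product that raised it: "edr", "proxy", "idp", ...
    entity: str    # host or account the alert is about
    rule: str
    severity: int  # 1 = low ... 4 = critical


@dataclass
class Incident:
    entity: str
    first_seen: datetime
    last_seen: datetime
    alerts: list = field(default_factory=list)

    @property
    def sources(self):
        return sorted({a.source for a in self.alerts})

    @property
    def distinct_rules(self):
        return sorted({a.rule for a in self.alerts})

    @property
    def priority(self):
        """Highest alert severity, bumped one step (max 4) when more than one
        independent product reports the same entity."""
        worst = max(a.severity for a in self.alerts)
        return min(4, worst + 1) if len(self.sources) > 1 else worst


def correlate(alerts, window=timedelta(minutes=30)):
    """Merge alerts about the same entity into one incident for as long as they
    keep arriving within `window` of the incident's last alert. Alerts are
    sorted first because feeds from several products are not time-ordered."""
    open_incidents = {}  # entity -> incident still accepting alerts
    closed = []
    for a in sorted(alerts, key=lambda x: x.ts):
        inc = open_incidents.get(a.entity)
        if inc is not None and a.ts - inc.last_seen <= window:
            inc.alerts.append(a)
            inc.last_seen = a.ts
            continue
        if inc is not None:  # quiet for longer than the window: start a new incident
            closed.append(inc)
        open_incidents[a.entity] = Incident(a.entity, a.ts, a.ts, [a])
    return sorted(closed + list(open_incidents.values()), key=lambda i: i.first_seen)


def sample_alerts():
    """Constructed feed of seven alerts from three products, not real data."""
    t0 = datetime(2024, 5, 1, 9, 0)

    def at(minutes):
        return t0 + timedelta(minutes=minutes)

    return [
        Alert(at(0),   "edr",   "WS-042", "suspicious_powershell",   3),
        Alert(at(4),   "proxy", "WS-042", "newly_registered_domain", 2),
        Alert(at(5),   "proxy", "WS-042", "newly_registered_domain", 2),
        Alert(at(12),  "idp",   "alice",  "impossible_travel",       3),
        Alert(at(20),  "edr",   "WS-042", "credential_dump",         4),
        Alert(at(300), "edr",   "WS-042", "usb_mass_storage",        1),  # hours later: separate
        Alert(at(15),  "idp",   "alice",  "mfa_fatigue",             2),
    ]


if __name__ == "__main__":
    for inc in correlate(sample_alerts()):
        print(f"{inc.entity:8} P{inc.priority} {len(inc.alerts)} alerts "
              f"{inc.first_seen:%H:%M}-{inc.last_seen:%H:%M} "
              f"sources={inc.sources} rules={inc.distinct_rules}")
```

Seven alerts become three incidents; the first one carries four alerts from two products and lands on the analyst's queue as a single P4 ticket instead of four separate alarms.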

Emails with warnings

Notices from vendors and regulators and alerts from security systems get sent to the infosec team by email — often to a shared inbox. As a result, the same messages get read by several employees, including the CISO, and the time outlays can run to 5–10 hours a week.

What to do

  1. Offload as many alerts as possible to specialized systems. If security products can send alerts to a SIEM or a dashboard, that’s better than email.
  2. Use automation. Some typical emails can be parsed by simple scripts and transformed into alerts in the dashboard. Emails that can't be converted this way should still be scored automatically for urgency and subject matter, then moved to a dedicated folder or assigned to a designated employee. You don't need an AI bot for this; email-processing rules or simple scripts will do the job.

These approaches dramatically reduce the number of emails that require reading and fully manual processing by multiple experts.

Emails flagged by employees

Let’s end the email topic with a look at one last category of attention-seeking messages. If your company has carried out infosec training or is experiencing a major attack, many employees will consider it their duty to forward any suspicious-looking emails to the infosec team. If you have lots of eagle-eyed colleagues on your staff, your inbox will be overflowing.

What to do

  1. Deploy reliable protection at the mail gateway level; this will significantly reduce the number of genuine phishing emails that reach employees. With specialized defense mechanisms in place, you'll stop many sophisticated targeted attacks as well. Of course, this will have no impact on the number of vigilant employees.
  2. If your email security solution offers a “report a suspicious email” button, instruct your colleagues to use it, so that reports arrive as structured events rather than as forwarded mail the infosec team has to process by hand.
  3. Set up a separate email address for employees' reports of suspicious messages, so that this category of emails doesn't get mixed in with other security alerts.
  4. If item 2 is not feasible, focus your efforts on automatically identifying known safe emails among those sent to that address. These make up a large share of reports, so the infosec team will only have to check the truly suspicious ones.
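An added example covering both the script-based handling of vendor and regulator notices in the previous section and item 4 here (written for this page, not code from the original post): vendor notices are matched against sender-domain and subject rules and turned into structured alerts with an urgency, while employee reports forwarded as attachments are fingerprinted so that a campaign reported by ten people produces one ticket, and are auto-closed only when the original's sender domain is on a known-safe list and the receiving MTA recorded a DKIM pass for that same domain. The mailbox address, the rule table, the domains and the sample messages are all constructed.

```python
import email
import email.policy
import hashlib
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed configuration for this example; substitute your own mailbox, senders and rules.
REPORT_MAILBOX = "report-phish@corp.example"
# Vendor/regulator notices: (sender domain, subject pattern, urgency, destination). First match wins.
NOTICE_RULES = [
    ("vendor.example", r"\b(critical|zero-day|actively exploited)\b", "high", "siem"),
    ("vendor.example", r".*", "medium", "siem"),
    ("regulator.example", r".*", "low", "folder:regulatory"),
]
# Senders employees report most often that are in fact benign. The From header alone is
# trivially spoofed, so a report is only auto-closed when DKIM also passes for that domain.
KNOWN_SAFE_DOMAINS = {"payroll-provider.example", "hr-newsletter.example"}


def sender_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def dkim_aligned(msg, domain):
    """True when the receiving MTA's Authentication-Results header records a DKIM pass
    whose signing domain (header.d) equals `domain`."""
    m = re.search(r"dkim=pass\b.*?header\.d=([\w.-]+)", msg.get("Authentication-Results", ""), re.S)
    return bool(m) and m.group(1).lower() == domain


def classify_notice(msg):
    dom, subject = sender_domain(msg), msg.get("Subject", "")
    for rule_dom, pattern, urgency, dest in NOTICE_RULES:
        if dom == rule_dom and re.search(pattern, subject, re.I):
            return {"route": dest, "urgency": urgency, "subject": subject, "sender": dom}
    return {"route": "folder:manual", "urgency": "unknown", "subject": subject, "sender": dom}


def reported_original(report):
    """The suspicious mail itself, expected as a message/rfc822 attachment ("forward as attachment")."""
    for part in report.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def fingerprint(msg):
    """Same sender address + same subject (ignoring FW:/RE: prefixes) = same campaign."""
    subject = re.sub(r"^(?:(?:fw|fwd|re)\s*:\s*)+", "", msg.get("Subject", "").strip(), flags=re.I)
    key = f"{parseaddr(msg.get('From', ''))[1].lower()}|{' '.join(subject.lower().split())}"
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def triage(raw_messages):
    """One decision per distinct item; repeated reports of the same mail only bump a counter."""
    decisions, seen = [], {}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=email.policy.default)
        if REPORT_MAILBOX not in msg.get("To", ""):
            decisions.append(classify_notice(msg))
            continue
        inner = reported_original(msg)
        if inner is None:
            decisions.append({"route": "analyst_queue", "reason": "report without attached original",
                              "subject": msg.get("Subject", ""), "reports": 1})
            continue
        fp = fingerprint(inner)
        if fp in seen:
            seen[fp]["reports"] += 1
            continue
        dom = sender_domain(inner)
        if dom in KNOWN_SAFE_DOMAINS and dkim_aligned(inner, dom):
            d = {"route": "auto_close", "reason": f"known-safe sender {dom}, DKIM aligned"}
        elif dom in KNOWN_SAFE_DOMAINS:
            d = {"route": "analyst_queue", "reason": f"claims {dom} but DKIM not aligned (possible spoof)"}
        else:
            d = {"route": "analyst_queue", "reason": f"unrecognised sender {dom}"}
        d.update(subject=inner.get("Subject", ""), fingerprint=fp, reports=1)
        seen[fp] = d
        decisions.append(d)
    return decisions


# Constructed sample mailbox, not real mail.
def _mail(frm, to, subject, body, auth_results=None):
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = frm, to, subject
    if auth_results:
        m["Authentication-Results"] = auth_results
    m.set_content(body)
    return m


def _report(reporter, original):
    r = _mail(reporter, REPORT_MAILBOX, "FW: " + original["Subject"], "This looks odd, please check.")
    r.add_attachment(original)  # forwarding as an attachment preserves the original headers
    return r


def _lookalike():
    return _mail("it-support@corp-example.co", "staff@corp.example", "Password expires today",
                 "Click here to keep access.", "mx.corp.example; dkim=none")


def sample_mailbox():
    msgs = [
        _mail("alerts@vendor.example", "secops@corp.example",
              "[Critical] Advisory: actively exploited bug, fix available", "Details inside."),
        _mail("alerts@vendor.example", "secops@corp.example", "Monthly release notes", "Details inside."),
        _mail("no-reply@regulator.example", "secops@corp.example", "Quarterly reporting reminder", "Details inside."),
        _report("alice@corp.example", _mail("news@payroll-provider.example", "staff@corp.example",
                "Your payslip is ready", "Log in to view.",
                "mx.corp.example; dkim=pass header.d=payroll-provider.example")),
        _report("alice@corp.example", _lookalike()),
        _report("bob@corp.example", _lookalike()),  # same campaign, second reporter
        _report("carol@corp.example", _mail("news@payroll-provider.example", "staff@corp.example",
                "Updated payslip: action required", "Log in now.",
                "mx.corp.example; dkim=fail header.d=payroll-provider.example")),  # spoofed From
    ]
    return [m.as_string() for m in msgs]
```

Seven messages yield six decisions: two vendor alerts for the SIEM, one regulatory notice filed to a folder, one auto-closed benign report, and two analyst tickets, one of which records that the same lookalike mail was reported twice. The spoofed payroll message is not auto-closed even though its From domain is on the safe list, which is the whole point of checking DKIM alignment rather than the sender address.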

Prohibitions, risk assessments, and risk negotiations

As part of the job, the CISO must strike a delicate balance between information security, operational efficiency, regulatory compliance, and resource limitations. To improve security, infosec teams very often ban certain technologies, online services, data storage methods, etc., in the company. While such bans are inevitable and necessary, it’s important to regularly review how they impact the business and how the business adapts to them. You may find, for example, that an overly strict policy on personal data processing has resulted in that process being outsourced, or that a secure file-sharing service was replaced by something more convenient. As a result, infosec wastes precious time and energy clambering over obstacles: first negotiating the “must-nots” with the business, then discovering workarounds, and then fixing inevitable incidents and problems.

Even if such incidents do not occur, the processes for assessing risks and infosec requirements when launching new initiatives are multi-layered, involve too many people, and consume too much time for both the CISO and their team.

What to do

  1. Avoid overly strict prohibitions. The more bans, the more time spent policing them.
  2. Maintain an open dialogue with key internal customers about how infosec controls affect their processes and performance. Compromise on technologies and procedures to avoid the workarounds described above.
  3. Draw up standard documents and scenarios for recurring business requests (“build a website”, “collect a new type of information from customers”, etc.), giving key departments a simple and predictable way to solve their business problems in full infosec compliance.
  4. Handle the remaining, non-standard requests case by case. Teams that show a strong infosec culture can undergo security reviews less frequently, only at the most critical phases of a project. This reduces the time outlay for both the business and the infosec team.

Checklists, reports, and guidance documents

Considerable time is spent on “paper security” — from filling out forms for the audit and compliance departments to reviewing regulatory documents and assessing their applicability in practice. The infosec team may also be asked to provide information to business partners, who are increasingly focused on supply chain risks and demanding robust information security from their counterparties.

What to do

  1. Invest time and effort in creating “reusable” documents, such as a comprehensive security whitepaper, a PCI DSS Report on Compliance, or a SOC 2 audit report. Such a document helps not only with regulatory compliance but also with responding quickly to typical requests from counterparties.
  2. Hire a subspecialist (or train someone on your team). Many infosec practitioners spend a disproportionate amount of time drafting whitepapers. Better to have them focus on practical tasks and let specially trained people handle the paperwork, checklists, and presentations.
  3. Automate processes: this not only shifts routine control operations to machines but also documents them correctly as a by-product. For example, if the regulator requires periodic vulnerability scan reports, a one-off investment in an automatic procedure for generating compliant reports will pay for itself.
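As an added example of the automated reporting in item 3 (written for this page; the SLA values, the finding format and the findings themselves are assumptions): each scanner finding gets a due date from a per-severity remediation SLA, a compliance state is derived from it, and a report section is rendered with the compliance percentage, the overdue items and, a detail auditors look for, risk acceptances whose review date has lapsed.

```python
from collections import Counter
from datetime import date, timedelta

# Assumed remediation SLAs in days; take the real values from your policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
AS_OF = date(2024, 6, 30)  # report date for the constructed sample below


def assess(findings, as_of):
    """Attach a due date and a compliance state to every finding."""
    out = []
    for f in findings:
        due = f["first_seen"] + timedelta(days=SLA_DAYS[f["severity"]])
        r = dict(f, due=due, overdue_days=0)
        if f["status"] == "risk_accepted":
            # An accepted risk is only valid until its review date; after that it is
            # a control failure, which is exactly what auditors look for.
            r["state"] = "risk_accepted" if as_of <= f["accepted_until"] else "risk_acceptance_expired"
        elif f["status"] == "fixed":
            r["state"] = "fixed_in_sla" if f["fixed_on"] <= due else "fixed_late"
        elif as_of > due:
            r["state"], r["overdue_days"] = "overdue", (as_of - due).days
        else:
            r["state"] = "open"
        out.append(r)
    return out


def summary(assessed):
    states = Counter(r["state"] for r in assessed)
    by_sev = {s: Counter(r["state"] for r in assessed if r["severity"] == s) for s in SLA_DAYS}
    measured = [r for r in assessed if not r["state"].startswith("risk_accept")]
    within = sum(r["state"] in ("open", "fixed_in_sla") for r in measured)
    pct = round(100 * within / len(measured), 1) if measured else 100.0
    return {"states": states, "by_severity": by_sev, "sla_compliance_pct": pct}


def render(assessed, as_of):
    """Plain-text section in the shape a periodic report usually needs."""
    s = summary(assessed)
    lines = [f"Vulnerability remediation status as of {as_of:%Y-%m-%d}",
             f"SLA compliance: {s['sla_compliance_pct']}% of measured findings fixed or open within SLA", ""]
    lines += [f"{sev:9} " + " ".join(f"{k}={v}" for k, v in sorted(s["by_severity"][sev].items()))
              for sev in SLA_DAYS]
    lines += ["", "OVERDUE findings (most overdue first):"]
    for r in sorted((r for r in assessed if r["state"] == "overdue"), key=lambda r: -r["overdue_days"]):
        lines.append(f"  {r['asset']:10} {r['severity']:8} {r['overdue_days']:4}d late  {r['title']}")
    lines += [f"  {r['asset']:10} risk acceptance expired on {r['accepted_until']}  {r['title']}"
              for r in assessed if r["state"] == "risk_acceptance_expired"]
    return "\n".join(lines)


def sample_findings():
    """Constructed scanner export, not real scan results."""
    d = date
    return [
        {"asset": "web-01", "title": "Outdated TLS library", "severity": "critical",
         "first_seen": d(2024, 6, 20), "status": "open"},
        {"asset": "web-01", "title": "Missing security headers", "severity": "high",
         "first_seen": d(2024, 6, 15), "status": "open"},
        {"asset": "db-02", "title": "Unauthenticated admin port", "severity": "critical",
         "first_seen": d(2024, 5, 1), "status": "fixed", "fixed_on": d(2024, 5, 5)},
        {"asset": "db-02", "title": "Weak cipher suites", "severity": "medium",
         "first_seen": d(2024, 1, 10), "status": "fixed", "fixed_on": d(2024, 5, 1)},
        {"asset": "switch-03", "title": "SNMPv2 enabled", "severity": "high",
         "first_seen": d(2024, 3, 1), "status": "risk_accepted", "accepted_until": d(2024, 12, 31)},
        {"asset": "switch-03", "title": "Banner discloses version", "severity": "low",
         "first_seen": d(2024, 1, 1), "status": "risk_accepted", "accepted_until": d(2024, 5, 31)},
        {"asset": "app-04", "title": "Verbose error pages", "severity": "medium",
         "first_seen": d(2024, 2, 1), "status": "open"},
    ]


if __name__ == "__main__":
    print(render(assess(sample_findings(), AS_OF), AS_OF))
```

Running it against the sample gives 40% SLA compliance, two overdue findings and one expired risk acceptance; the same functions fed with a real scanner export and the SLA table from your policy produce the periodic report without anyone retyping numbers.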

Selecting security technologies

New infosec tools appear monthly. Buying every promising solution not only balloons the budget and the number of alerts, but also creates the need for a separate, labor-intensive process for evaluating and procuring new solutions. Even leaving tenders and paperwork aside, the team has to conduct market research, evaluate the contenders in depth, and then carry out a pilot implementation.

What to do

  1. Try to minimize the number of infosec vendors you use. A single-vendor approach tends to improve performance in the long run.
  2. Include system integrators, VARs, or other partners in the evaluation and testing process when purchasing solutions. An experienced partner will help weed out unsuitable solutions at once, reducing the burden on in-house infosec during the pilot implementation.

Security training

Although various types of infosec training are mandatory for all employees, an ineffective implementation can overwhelm the infosec team. Typical problems: the entire training is designed and delivered in-house; a simulated phishing attack provokes a wave of panic and calls to infosec; the training isn't tailored to the employees' level, potentially leading to the absurd situation where the infosec team itself sits through basic training because it's mandatory for all.

What to do

Use an automated platform for employee training. This makes it easy to customize the content to the industry and to the specifics of the department being trained. Both the training materials and the tests adapt automatically to the employee's level, and gamification raises engagement and with it the completion rate.


#boost #performance #infosec #team

Recently, our technologies detected a new APT attack on iPhones. The attack was part of a campaign targeting, among others, Kaspersky employees. The unknown attackers used an iOS kernel vulnerability to deploy a spyware implant called TriangleDB in the device's memory. Our experts have been able to study this implant thoroughly.

What can the TriangleDB implant do?

Studying this implant was no easy task, because it operates only in the phone's memory and leaves no traces on the system. This means that a full reboot removes all traces of the attack, and the malware also has a self-uninstall timer that fires automatically 30 days after the initial infection (unless the operators decide to send a command extending its uptime). The implant's basic functionality includes the following features:

  • file manipulation (creation, modification, deletion and exfiltration);
  • manipulation of running processes (listing and killing them);
  • exfiltration of iOS keychain items, which can contain certificates, digital identities, and/or credentials for various services;
  • transmission of geolocation data, including coordinates, altitude, and speed and direction of movement.

In addition, the implant can load extra modules into the phone's memory and run them. If you're interested in the technical details of the implant, you can find them in the post on the Securelist blog (aimed at cybersecurity experts).

APT attacks on mobile devices

Until recently, the main targets of APT attacks were generally traditional personal computers. However, modern mobile devices are now comparable to office PCs in performance and functionality. They are used to handle business-critical information, store personal and business secrets, and can serve as access keys to related services. APT groups have therefore put more effort into designing attacks on mobile operating systems.

Of course, Triangulation is not the first attack on iOS devices. Everyone remembers the notorious (and, unfortunately, still ongoing) case of the commercial spyware Pegasus. There are other examples too, such as Insomnia, Predator, Reign, etc. Nor is it surprising that APT groups are also interested in Android. Not long ago, news outlets wrote about an attack by the APT group “Transparent Tribe”, which used the CapraRAT backdoor against Indian and Pakistani users of that system. And in the third quarter of last year, we discovered previously unknown spyware targeting Farsi-speaking users.

All this shows that to protect a company from APT attacks today, it's important to secure not only stationary devices, i.e. servers and workstations, but also the mobile devices used in work processes.

How to improve your chances against APT attacks on mobile

It would be a mistake to assume that the standard protection technologies provided by device manufacturers are enough to protect mobile devices. The Operation Triangulation case clearly shows that even Apple's technologies are not perfect. We therefore recommend that businesses always use a multi-layered protection system, which includes simple tools that enable control of mobile devices, plus systems that can monitor their network interactions.

The first line of defense should be an MDM-class solution. Our Kaspersky Endpoint Security for Mobile provides centralized management of mobile device security via Kaspersky Security Center, our administration console. In addition, our solution provides protection against phishing, web threats, and malware (on Android only; unfortunately, Apple doesn't allow third-party antivirus solutions).

Specifically, it uses our Cloud ML for Android technology to detect Android malware. This technology, which runs in the KSN cloud, is based on machine learning methods. Its model, trained on millions of known Android malware samples, detects previously unknown malware with high accuracy.

However, threat actors are increasingly using mobile platforms in sophisticated targeted attacks. It therefore makes sense to deploy systems that can monitor network activity, whether a security information and event management (SIEM) system or other tools that enable your experts to handle complex cybersecurity incidents with enhanced detection and response, such as our Kaspersky Anti Targeted Attack Platform.

The Operation Triangulation attack mentioned above was discovered by our experts while monitoring the corporate Wi-Fi network with our own SIEM system, Kaspersky Unified Monitoring and Analysis Platform (KUMA). In addition, our Threat Intelligence solutions can supply security systems and information security experts with up-to-date information on new threats, as well as on attackers' tactics, techniques and procedures.
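As an added illustration of what monitoring mobile devices' network interactions can look like in a SIEM (example written for this page; it is not Kaspersky's detection logic, uses no published Triangulation indicator, and its log format, device names and domains are constructed): a baseline of the domains each phone and the fleet as a whole contact is learned over a period, and a device that later contacts a domain no other device has ever contacted is flagged high, while a domain already seen elsewhere in the fleet is flagged low.

```python
import re
from collections import defaultdict

# Assumed log shape: resolver log already joined with the DHCP lease name of the
# client (a SIEM normally does that join). Constructed for this example.
LINE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+)$")


def parse_line(line):
    m = LINE.match(line.strip())
    return m.groupdict() if m else None


def registrable_domain(qname):
    """Last two labels. Simplification: a real deployment should use the public
    suffix list so that e.g. host.example.co.uk collapses to example.co.uk."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def learn_baseline(lines):
    """Per-device and fleet-wide sets of domains seen during the learning period."""
    per_device, fleet = defaultdict(set), set()
    for rec in filter(None, map(parse_line, lines)):
        d = registrable_domain(rec["qname"])
        per_device[rec["client"]].add(d)
        fleet.add(d)
    return {"per_device": dict(per_device), "fleet": fleet}


def detect(lines, baseline):
    """Flag domains a device has not contacted before. A domain new to the whole
    fleet, contacted by a single device, is the shape a command channel of a
    targeted implant would take; a domain other devices already use is low."""
    hits = {}
    for rec in filter(None, map(parse_line, lines)):
        dev, d = rec["client"], registrable_domain(rec["qname"])
        if d in baseline["per_device"].get(dev, set()):
            continue
        h = hits.setdefault((dev, d), {"device": dev, "domain": d, "count": 0,
                                        "first": rec["ts"], "last": rec["ts"],
                                        "severity": "low" if d in baseline["fleet"] else "high"})
        h["count"] += 1
        h["last"] = rec["ts"]
    order = {"high": 0, "low": 1}
    return sorted(hits.values(), key=lambda h: (order[h["severity"]], h["first"]))


def sample_baseline_logs():
    """Constructed learning-period traffic for three phones over a week."""
    usual = ["push.vendor.example", "mdm.corp.example", "mail.corp.example"]
    lines = [f"2024-06-0{day} client={dev} qname={q}"
             for day in range(1, 8) for dev in ("iphone-a", "iphone-b", "android-c") for q in usual]
    lines.append("2024-06-03 client=iphone-b qname=tiles.maps.example")
    return lines


def sample_window_logs():
    """Constructed detection window, the day after the learning period."""
    return [
        "2024-06-08T08:01:10 client=iphone-a qname=push.vendor.example",
        "2024-06-08T08:02:45 client=iphone-a qname=upd-srv.example",     # nobody has seen this
        "2024-06-08T08:32:44 client=iphone-a qname=upd-srv.example",
        "2024-06-08T09:10:00 client=android-c qname=tiles.maps.example",  # new for this phone only
        "2024-06-08T09:11:00 client=iphone-b qname=mail.corp.example",
        "garbage line the parser must skip",
    ]


if __name__ == "__main__":
    base = learn_baseline(sample_baseline_logs())
    for h in detect(sample_window_logs(), base):
        print(f"{h['severity']:4} {h['device']:10} {h['domain']:22} x{h['count']} {h['first']}..{h['last']}")
```

The learning period has to be long enough to cover normal variation (app updates, travel) or the low-severity bucket fills with noise, and the fleet-new check is only meaningful once the fleet is large enough that a legitimate new service would be contacted by several devices at once rather than by one.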


#TriangleDB #implan #spyware #Operasi #Triangulation