Categories
General Cyber and IT Security

Introducing New Managed Detection and Response Capabilities: Enhanced Security for Microsoft 365

Announcing two new capabilities within our Managed Detection and Response (MDR) services, specifically designed to enhance the monitoring and security of your Microsoft 365 environment. These additions are part of our ongoing commitment to provide the best possible protection against evolving cyber threats.

  1. Microsoft 365 Account Isolation: Our first new feature, Microsoft 365 Account Isolation, is a significant step forward in securing M365 user accounts and sensitive data. Compromised accounts can lead to Business Email Compromise (BEC) attacks and even data exfiltration. Let us help you remediate this faster by acting on the suspected accounts to prevent further compromise and loss when your IT staff or MSP are not available to respond.

This capability allows us to:

  • Isolate Compromised Accounts: In the event of a suspected compromise, we can now quickly isolate affected accounts, minimizing the risk of data breaches or further infiltration.
  • Faster Remediation: Our SOC analysts can disable accounts and revoke all user sessions when suspicious activities are detected, ensuring faster remediation action. We will also have the ability to re-enable accounts if needed.
  2. Microsoft Risky Users Alerting: The second feature, Microsoft Risky Users Alerting, provides enhanced monitoring of account activity classified as Risky Users within your Microsoft 365 environment. Previously we were unable to see this activity. To take advantage of this enhanced monitoring, you must have Microsoft Identity Protection, which requires a P2 license level. Additional permissions will be required, and we can provide instructions to help you make the necessary changes.

Microsoft documentation classifies Risky Users as:

  • The user has one or more Risky sign-ins.
  • One or more risk detections have been reported.

For more information on Risky Users, see the official Microsoft Identity Protection documentation.

What This Means for You

  • Enhanced Security: These new capabilities can significantly bolster your defense against cyber threats, particularly in visibility and protecting your Microsoft 365 environment.
  • Peace of Mind: With these new capabilities, you can be assured of a safer and more secure digital workspace.
  • Seamless Integration: These features are integrated into our existing MDR services, ensuring a smooth and uninterrupted experience.

Next Steps

  • Opt in to these new capabilities: Contact us via email at soc@securit360.com or by telephone at 205-419-9066 or toll-free 844-474-1244. Not yet a client? Contact us through this form.
  • Establish rules of engagement: We can discuss your preferences for utilizing the account isolation features such as:
    • Should we disable accounts upon suspicious activity?
    • Or only use isolation when we receive email or voice approval?
  • Set up Additional Permissions in Microsoft Entra ID (formerly Azure AD) / 365: Your team will need to enable some additional API permissions within your Microsoft Entra ID / 365 environment to allow these additional capabilities.
    • We have instructions we can provide to you during the setup process.

We are committed to continuously enhancing your cybersecurity posture, and these new MDR capabilities are a testament to that commitment. Thank you for your ongoing support and cooperation in maintaining a secure and resilient digital environment.


Categories
Security Operations Center

Why Businesses Should Consider Utilizing SOC Managed Services in 2024

Businesses should consider utilizing SOC (Security Operations Center) managed services in 2024 because the threat landscape for cyber-attacks continues to evolve and become more sophisticated each year, and the cost of a data breach or cyber-attack can be devastating to a business. The SecurIT360 SOC is a dedicated team that provides 24/7 monitoring and analysis of an organization’s IT environment, detects and responds to security incidents, and performs regular external security assessments to identify potential vulnerabilities.

Here are 7 reasons why you should consider utilizing our SOC managed services in 2024:

  1. Round-the-clock monitoring: Our SOC operates 24/7/365, providing real-time monitoring of your company’s IT environment (cloud, network, server, endpoints). This gives your organization a greater chance to detect and respond to any security incidents as soon as they occur, which can help prevent, mitigate, or limit any damage.
  2. Access to expertise: Our SOC managed services provide access to a team of security analysts who have specialized knowledge and training in cybersecurity. Our team will provide security initiatives to guide you on implementing the best practices and strategies to protect your business from cyber threats.
  3. Cost-effective: Building an in-house SOC can be expensive and time-consuming. Utilizing SOC managed services is a cost-effective alternative, allowing you to have access to expert security services without the need to invest in expensive infrastructure and personnel.
  4. Scalability: Our SOC managed services can scale to meet the changing needs of your company. As your company grows, we can adjust the level of support provided, adding more resources or expertise as needed.
  5. Compliance: Many regulations and standards such as GDPR, HIPAA, and PCI DSS, require businesses to implement specific security controls to protect sensitive data. A SOC managed service provider can help ensure that your company is compliant with these regulations and standards.
  6. Business continuity: A cyber-attack or data breach can cause significant damage to a company’s reputation, financials, and customer trust. By utilizing SOC managed services, you can help ensure business continuity and minimize the damage from a security incident.
  7. Focus on Core Business: By extending your team with our SOC services, your company can free up internal IT teams to focus on core business functions, rather than security monitoring and incident response. This allows your company to stay competitive and focus on innovation, while ensuring security needs are met by a trusted and experienced third-party provider.

Services offered under our SOC managed services umbrella:

  • MDR – Managed Detection and Response
  • EDR – Endpoint Detection and Response
  • Simulated Phishing Campaigns and Cybersecurity Awareness Training
  • You can utilize all three or pick and choose; pricing varies depending on your choice.

Overall, our SOC managed services are an important tool for any business that wants to protect its assets, data, and reputation from the growing threat of cyber-attacks. By working with our SOC team at SecurIT360, businesses can benefit from expert security services, round-the-clock monitoring, and compliance support at a cost-effective price.

Categories
General Cyber and IT Security

The Critical Role of Cyber Threat Intelligence for SMBs

Hello, savvy business owners and entrepreneurs!  Let’s cut to the chase: cybersecurity isn’t just a buzzword; it’s a necessity. And while you might be doing the basics like firewalls and endpoint security software, there’s a hidden gem you’re likely missing out on: Cyber Threat Intelligence (CTI). 

What is CTI and Why Should You Care? 

Imagine CTI as your business’s personal meteorologist, but for cyber threats. It’s not just about telling you it’s going to rain; it gives you the exact time, the severity, and even what kind of umbrella to use. Here’s the breakdown: 

  • Reduce the Noise: CTI is like a museum curator for your cybersecurity, carefully selecting the most relevant information and discarding the noise.  This allows you to focus your time on the threats that matter. 
  • Navigation Assistance: Imagine CTI as your ship’s captain, steering you through the treacherous waters of cyber threats and ensuring you reach your destination safely.  Don’t let decision fatigue set in, know where you’re heading.   
  • Be Proactive: CTI serves as your watchtower, giving you a bird’s-eye view of the cyber landscape and alerting you to any approaching dangers.  With this knowledge you can be proactive before it’s too late. 

The SMB Dilemma: Size Doesn’t Matter to Cybercriminals 

One of the biggest myths in the cybersecurity world is that small to medium-sized businesses (SMBs) are too insignificant to be targeted. Wrong. Cybercriminals are opportunists; they go for easy targets. Without CTI, you’re essentially putting a “Kick Me” sign on your business. 

Statistics: Cyber Attacks on SMBs 

Nearly 43% of cyberattacks are on small businesses, with most unprepared to face such an attack. Over the past twelve months, there has been a spike in attacks against SMBs. The trend is only continuing and evolving. CTI reduces cyber risk, allowing businesses to identify potential attacks and apply countermeasures. 

The ROI of CTI: An Investment, Not a Cost 

Let’s talk about numbers. A single cyber-attack can cost an SMB thousands, if not millions, in damages, not to mention the loss of customer trust. CTI is your insurance policy. It helps you allocate your limited resources where they’re needed most, giving you the best bang for your buck. 

The Future is Now: AI and CTI 

The world of CTI is evolving at warp speed, thanks to advancements in AI and machine learning. These technologies are making CTI more accurate, faster, and incredibly efficient. It’s not science fiction; it’s your new reality. 

Your Next Steps: We’ve Got Your Back 

Here at SecurIT360, we’re not just another cybersecurity company. We’re your cybersecurity partners. We offer several services including but not limited to 24/7 SOC monitoring, incident response, compliance assessments, customized program and policy development, pen testing and vulnerability management to fit your unique needs. 

If you’re already using one of our Managed SOC services, then our Threat Intelligence team is already working alongside you. 

And because we believe knowledge is power, we’ve got a free threat intelligence newsletter that’s like a weekly cybersecurity masterclass. It’s actionable, it’s insightful, and it’s free.  Subscribe here 

Ready to make cybersecurity your strength, not your weakness? Contact us today and let’s build a safer, more secure digital future for your business. 

Categories
General Cyber and IT Security

The Building Blocks of Cyber Defense: Why Your Business Needs a Cybersecurity Framework

Let’s talk about something that’s as essential to your business as a solid foundation is to a skyscraper: Cybersecurity Frameworks. Trust me, this is the blueprint you didn’t know you needed.

What’s a Cybersecurity Framework and Why It’s Your New BFF?

Think of a cybersecurity framework as your business’s recipe for Grandma’s secret sauce. It’s a step-by-step guide that helps you mix the right ingredients in the right order to cook up some top-notch cybersecurity.  A framework offers a common language that allows businesses to understand, manage, and reduce cybersecurity risks effectively.

  • The Universal Translator: Imagine you’re at a United Nations meeting, but for cybersecurity. A framework is the translator that helps everyone speak the same language, making sure you and your partners are on the same page.
  • The GPS for Your Cyber Journey: It’s like having a GPS that not only tells you how to get from point A to point B but also warns you about roadblocks and speed traps along the way.
  • The Health Checkup: Just like you’d go to a doctor for a health checkup, a cybersecurity framework gives your business a thorough examination to spot any weak points before they become major issues.

Popular Cybersecurity Frameworks  

1. CIS Controls v8: The Center for Internet Security (CIS) Controls v8 provides a prioritized set of actions to help organizations defend against cyber threats. It is a flexible framework suitable for various industries, emphasizing a risk-based approach.

Industry Applicability: CIS Controls can be applied across various industries, making it a versatile choice. Whether you’re a small business or a large corporation, CIS Controls offers a strong cybersecurity foundation.

Why Choose CIS Controls: CIS Controls are known for their simplicity and effectiveness. They provide actionable steps that organizations can implement to strengthen their cybersecurity posture. Moreover, they are regularly updated to address emerging threats.

2. NIST CSF: The National Institute of Standards and Technology (NIST) Cybersecurity Framework offers guidelines for organizations to improve their cybersecurity posture. It’s especially relevant to critical infrastructure sectors.

Industry Applicability: Critical infrastructure sectors such as energy, healthcare, and finance find the NIST CSF particularly valuable due to its sector-specific adaptation.

Why Choose NIST CSF: NIST CSF is a comprehensive framework that aligns well with industry-specific regulations and standards. It helps organizations identify, protect, detect, respond to, and recover from cybersecurity incidents, making it a holistic choice.

3. NIST 800-171: NIST 800-171 safeguards Controlled Unclassified Information (CUI) and is mandated for government contractors. It’s crucial for industries handling sensitive government data.

Industry Applicability: Government contractors, suppliers, and subcontractors dealing with CUI must adhere to NIST 800-171 to maintain government contracts.

Why Choose NIST 800-171: If your business is involved in government contracting or collaborates with federal agencies, NIST 800-171 is a legal requirement. Implementing this framework ensures compliance and security in handling CUI.

4. CMMC Levels 1 and 2: The Cybersecurity Maturity Model Certification (CMMC) focuses on protecting Controlled Unclassified Information (CUI) within the defense industry supply chain.

Industry Applicability: Mandatory for defense industry contractors handling CUI, CMMC Levels 1 and 2 lay the foundation for robust cybersecurity in this sector.

Why Choose CMMC Levels 1 and 2: If your business is involved in defense contracts or part of the supply chain, compliance with CMMC Levels 1 and 2 is essential for contract eligibility. These levels provide fundamental cybersecurity controls.

5. NIST Security and Privacy Framework (NIST SSDF): NIST SSDF combines security and privacy considerations, helping organizations address both aspects simultaneously.

Industry Applicability: Suitable for organizations prioritizing privacy alongside security, particularly those handling sensitive personal information. Industries such as healthcare and finance benefit from this dual-focus framework.

Why Choose NIST SSDF: NIST SSDF simplifies the integration of security and privacy practices. This framework streamlines compliance efforts and protects customer data in an era of increasing data privacy regulations.

6. ISO 27001/2: ISO 27001 is a globally recognized information security management system (ISMS) standard. It applies to organizations of all sizes and industries.

Industry Applicability: ISO 27001 is versatile and can be implemented by any organization seeking a comprehensive cybersecurity framework. It is often chosen by multinational corporations and organizations seeking a universally recognized certification.

Why Choose ISO 27001: ISO 27001 is renowned for its global recognition and flexibility. It allows organizations to customize their security controls to meet their needs while adhering to international best practices.

7. SOC2: Service Organization Control (SOC) 2 focuses on controls relevant to data security, availability, processing integrity, confidentiality, and customer data privacy.

Industry Applicability: Service providers, including cloud and SaaS companies, commonly adopt SOC 2 to assure clients of their security measures.

Why Choose SOC 2: SOC 2 is crucial for service providers as it builds customer trust. It demonstrates your commitment to protecting their data, making it a competitive advantage in the market.

8. GDPR: The General Data Protection Regulation (GDPR) is a European regulation that governs personal data protection. It applies to organizations processing EU citizens’ data.

Industry Applicability: Essential for organizations handling European customer data or operating in the EU. Industries such as e-commerce, marketing, and healthcare are particularly affected.

Why Choose GDPR: GDPR compliance is not optional if you handle EU data. Non-compliance can result in hefty fines. Implementing GDPR measures also enhances data protection and customer trust.

9. FTC Safeguards Rule: The Federal Trade Commission (FTC) Safeguards Rule applies to financial institutions and requires them to implement security measures to protect consumer information.

Industry Applicability: Financial institutions must adhere to the FTC Safeguards Rule to safeguard customer data.

Why Choose FTC Safeguards Rule: Compliance is a legal obligation for financial institutions. By implementing these safeguards, you meet regulatory requirements and safeguard your customers’ financial information.

10. SEC Compliance: SEC Compliance involves adhering to the Securities and Exchange Commission’s regulations, including cybersecurity disclosure requirements.

Industry Applicability: Essential for publicly traded companies subject to SEC regulations, primarily in the finance and investment sectors.

Why Choose SEC Compliance: SEC compliance ensures transparency and accountability in financial markets. It helps protect investors and maintain the integrity of financial systems.

11. Cyber Essentials: Cyber Essentials is a UK government-backed certification scheme focusing on fundamental cybersecurity practices.

Industry Applicability: Suitable for small to medium-sized businesses seeking a cost-effective cybersecurity framework.

Why Choose Cyber Essentials: If you’re a smaller organization with limited resources, Cyber Essentials offers a practical and affordable way to establish basic cybersecurity measures and build a strong foundation.

12. CCPA: The California Consumer Privacy Act (CCPA) aims to protect the privacy of California residents and applies to organizations handling their personal information.

Industry Applicability: Necessary for businesses dealing with California residents’ data, particularly in the tech and retail sectors.

Why Choose CCPA: CCPA compliance is crucial for companies with a California customer base. It demonstrates a commitment to respecting consumer privacy and avoids costly penalties.

13. HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) Security Rule applies to healthcare organizations handling protected health information (PHI).

Industry Applicability: Mandatory for healthcare providers and entities handling PHI.

Why Choose HIPAA Security: Compliance with HIPAA is a legal requirement and essential for safeguarding sensitive patient information. Non-compliance can result in severe penalties and damage to reputation.

14. PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that organizations that accept, process, store, or transmit credit card information maintain a secure environment.

Industry Applicability: PCI DSS is particularly relevant to businesses in the retail, e-commerce, hospitality, and financial sectors that handle payment card data. It is essential for any organization that accepts credit card payments.

Why Choose PCI DSS: PCI DSS compliance is not just a best practice but often a contractual requirement enforced by credit card companies. Failure to comply can result in financial penalties and the loss of the ability to process credit card payments. Implementing PCI DSS measures protects sensitive customer data and enhances trust and credibility with customers.

Why You Can’t Afford to Skip This

Imagine you’re building a house. You wouldn’t start without a blueprint, right? Similarly, a cybersecurity framework is your blueprint for building a secure digital environment. It’s not just a nice-to-have; it’s a must-have. Here’s why:

  • Risk Mitigation: Operating without a framework is like driving without a GPS—you’re more likely to end up in a bad neighborhood. A framework helps you identify and prioritize risks, guiding you safely to your destination.
  • Trust Factor: In a world where data breaches make headlines, a recognized framework is your seal of approval. It tells your clients, partners, and stakeholders that you’re serious about security.
  • Regulatory Compliance: A framework is your roadmap to compliance, helping you avoid the pitfalls of hefty fines and legal troubles. It’s like having a lawyer in your pocket, guiding you through the complex legal landscape.
  • Competitive Edge: In a saturated market, a robust cybersecurity posture can set you apart. It’s like having a five-star safety rating in a world of three-star competitors.
  • Cost-Effective Prioritization: Frameworks enable you to allocate your limited resources wisely. It’s like having a financial advisor for your cybersecurity budget, ensuring you get the most bang for your buck.
  • Unified Communication: One of the key benefits of a framework is that it provides a common language for discussing cybersecurity issues. This enhances internal communication and can also improve your interactions with suppliers and partners.

So, a cybersecurity framework isn’t just a set of guidelines; it’s your strategic asset. It’s the VIP pass that not only gets you into the cybersecurity club but also helps you navigate it like a pro. 

Ready to Level Up Your Cybersecurity Game?

By adopting a framework, you’re not just ticking off a compliance checklist; you’re making a strategic business decision. It helps you cut through the noise, focus on what matters, and shows everyone that you’re a business that takes security seriously.

So, if you’re ready to take your cybersecurity to the next level, contact us and let us be your cybersecurity wingman. We offer several services including but not limited to 24/7 SOC monitoring, incident response, compliance assessments, customized program and policy development, pen testing and vulnerability management to fit your unique needs.

Categories
Cybersecurity Advisories

Log4j Zero-Day Advisory

We would like to make you aware of a critical and widespread unauthenticated Remote Code Execution (RCE) vulnerability involving Apache’s Log4j Java logging library.

Update – December 28th, 2021 (CVE-2021-44832)
On December 28th, Apache confirmed yet another vulnerability (CVE-2021-44832) that affects Log4j 2.0-beta7 to 2.17.0 (excluding 2.3.2 and 2.12.4). This is a new remote code execution vulnerability that requires an attacker to have permissions to modify the logging configuration file in order to be exploited. Apache has released Log4j 2.17.1 to fix this and previous vulnerabilities (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105).

December 16th, 2021 (CVE-2021-45105)
On December 16th, Apache confirmed another vulnerability (CVE-2021-45105) that affects Log4j 2.0-alpha1 to 2.16.0 (excluding 2.12.3). It has been discovered that certain non-default configurations could allow attackers to perform a denial-of-service attack. Apache has released Log4j 2.17.0 to fix this and the previous vulnerabilities associated with CVE-2021-44228 and CVE-2021-45046.

SecurIT360 Managed Services Impact

According to Fortinet, FortiSIEM is listed as one of their applications that is impacted by Log4j. We have followed the recommended mitigation steps across our FortiSIEM infrastructure. Access to our FortiSIEM product externally is controlled by IP whitelisting; therefore only approved IP addresses can communicate with our environment by design. Their advisory page for this exploit is here for reference.

For Carbon Black, we use their cloud product and do not utilize any on-prem servers; therefore, it is not vulnerable to Log4j. Their advisory page for this exploit is here for reference.

Detection of Vulnerable Log4j Versions

  • You can still utilize the detection methods that have been published to GitHub by security researchers.
  • Nessus has released another updated plugin to help detect vulnerabilities associated with Log4j. Our SOC analysts continue to run Nessus external vulnerability scans for all SecurIT360 MDR managed service clients as new plugins are released and will alert on successful findings.
    • So far, we have not detected any vulnerable versions via the external Nessus scans. All scheduled routine external scans will continue to utilize this new plugin going forward.
    • An external scan is not enough; we recommend utilizing the open-source tools mentioned above to detect all instances of Log4j in your environment. Nessus plugins are also available for internal credentialed scans, which can provide more thorough detection.
    • If you would like us to assist with Log4j detection utilizing Nessus internal/external scanning, please let us know and we can notify your account representative.
    • If you are an MDR managed client and would like us to update the external targets and rerun the scan, or rerun the scan following a successful upgrade, please reach out via email to soc@securit360.com.
  • A community-maintained list of known IPs associated with this exploit can be found here.
    • All SecurIT360 MDR managed service clients are receiving alerts on permitted web traffic involving these known IP addresses.
  • Hashes of vulnerable versions can also be found here for internal detection. Routine searches for these hashes are being conducted in Carbon Black across all SecurIT360 EDR managed service clients; we will alert on successful findings.
    • All EDR managed service clients will be alerted to potential exploit activity if detected.
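As an added example (not part of the original advisory), the Python script below triages an inventory of discovered Log4j versions against the two affected ranges stated in the updates above (CVE-2021-45105: 2.0-alpha1 to 2.16.0 excluding 2.12.3; CVE-2021-44832: 2.0-beta7 to 2.17.0 excluding 2.3.2 and 2.12.4) and flags anything below the recommended 2.17.1. The inventory rows, host names and jar paths are constructed; the ranges for CVE-2021-44228 and CVE-2021-45046 are not given on this page and are not modelled.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Affected ranges transcribed from the two advisory updates above. They are
# applied literally, so maintenance-branch releases (2.3.x, 2.12.x) should be
# double-checked against Apache's own matrix. Ranges for CVE-2021-44228 and
# CVE-2021-45046 are not stated on this page and are deliberately not modelled.
AFFECTED = {
    "CVE-2021-45105": {"low": "2.0-alpha1", "high": "2.16.0",
                       "exclude": ("2.12.3",)},
    "CVE-2021-44832": {"low": "2.0-beta7", "high": "2.17.0",
                       "exclude": ("2.3.2", "2.12.4")},
}
FIXED_VERSION = "2.17.1"  # the advisory's "upgrade to 2.17.1 or later"

# Pre-release stages sort before a final release of the same number.
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2}
_FINAL_RANK = 3
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)(\d*))?$", re.IGNORECASE)


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '2.0-beta7' / '2.17.0' into a tuple that sorts like Log4j releases."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Log4j version string: {v!r}")
    major, minor, patch, stage, stage_num = m.groups()
    rank = _STAGE_RANK[stage.lower()] if stage else _FINAL_RANK
    return (int(major), int(minor), int(patch or 0), rank, int(stage_num or 0))


def affected_cves(v: str) -> List[str]:
    """CVEs (from the page's two stated ranges) whose range covers version v."""
    key = parse_version(v)
    hits = []
    for cve, r in AFFECTED.items():
        if key in {parse_version(x) for x in r["exclude"]}:
            continue
        if parse_version(r["low"]) <= key <= parse_version(r["high"]):
            hits.append(cve)
    return hits


def needs_upgrade(v: str) -> bool:
    """True unless v already meets the advisory's 2.17.1-or-later recommendation."""
    return parse_version(v) < parse_version(FIXED_VERSION)


# Constructed inventory, e.g. the output of a jar-discovery sweep;
# hosts and paths are made up for this example.
SAMPLE_INVENTORY = """\
host,jar_path,version
app01,/opt/app/lib/log4j-core-2.14.1.jar,2.14.1
app02,/opt/svc/lib/log4j-core-2.17.1.jar,2.17.1
legacy01,/srv/old/lib/log4j-core-2.12.3.jar,2.12.3
build01,/opt/ci/lib/log4j-core-2.0-beta9.jar,2.0-beta9
"""


def triage(inventory_csv: str) -> Dict[str, dict]:
    """Map each host to its version, matching CVEs and whether an upgrade is needed."""
    report = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        v = row["version"]
        report[row["host"]] = {"version": v,
                               "cves": affected_cves(v),
                               "upgrade": needs_upgrade(v)}
    return report


if __name__ == "__main__":
    for host, info in triage(SAMPLE_INVENTORY).items():
        flag = "UPGRADE" if info["upgrade"] else "ok"
        print(f"{host:10} {info['version']:10} {flag:8} {', '.join(info['cves']) or '-'}")
```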

Recommended Mitigation Steps

  • Identify all applications in your environment that use Log4j and follow vendor guidance.
  • Utilize open-source detection tools, Nessus, etc.
  • Upgrade to Log4j version 2.17.1 or later as soon as possible.
  • If upgrading is not feasible, we recommend following Apache’s mitigation guidance for Log4j 2.10 and later, which can be found here.
  • Restrict egress traffic to approved destinations at your firewall:
    • IP whitelisting
    • Restrict the types of traffic going out, such as LDAP
  • Consider preemptively blocking known IPs associated with this exploit at your firewall:
    • CSV format
    • TXT format

Links