Cyber Defense eMagazine March Edition for 2022

Why Changing Classified Document Status 

Can Affect Risk Levels and How Proactive 

Cybersecurity Methods Can Help 

Ransomware — Encrypt Your Data Before 

Others Do 

The Role of The CFO In Enterprise Cyber 

Security 

…and much more… 

Cyber Defense eMagazine – March 2022 Edition 1 

Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.

CONTENTS 

Welcome to CDM’s March 2022 Issue ----------------------------------------------------------------------------------- 7 

Why Changing Classified Document Status Can Affect Risk Levels and How Proactive Cybersecurity 

Methods Can Help ---------------------------------------------------------------------------------------------------------- 18 

By Sam Hutton, SVP, Glasswall 

The Fragility of a GPS Centric World and the Importance of eLORAN ----------------------------------------- 21 

By Dan Dickey, President, Continental Electronics Corporation 

The Role of The CFO In Enterprise Cyber Security ------------------------------------------------------------------- 25 

By Glenn Murray, CEO at Sapien Cyber 

The Safest Ways for Bitcoin Trading ----------------------------------------------------------------------------------- 29 

By Robert Wilson, Freelancer 

Ransomware — Encrypt Your Data Before Others Do ------------------------------------------------------------- 32 

By Robert Freudenreich, CTO and Founder, Secomba GmbH | Boxcryptor 

Endpoint Malware and Ransomware Volume Already Exceeded 2020 Totals by the End of Q3 2021 36 

By Corey Nachreiner, CSO, WatchGuard Technologies 

Don’t Become a Horrible Headline: Some Tips on Redesigning Your Threat Posture for The 2022 Threat 

Landscape --------------------------------------------------------------------------------------------------------------------- 39 

By Omar Zarabi, Founder and CEO, Port53 Technologies 

Have We Learned from Our Past Mistakes to Prevent Future Cyberattacks? ------------------------------- 43 

By Marc Packler, President, CISO Advisory, Silent Quadrant 

How to strengthen cyber resilience with Unified BCDR ----------------------------------------------------------- 47 

By Joe Noonan, General Manager, Unitrends and Spanning 

3 Cybersecurity Certainties for 2022------------------------------------------------------------------------------------ 50 

By Bill Moore, XONA 

Is XDR The Right Solution for Today’s Security Threats? ---------------------------------------------------------- 53 

By Steve Garrison, VP Marketing, Stellar Cyber 

Why the Future of Threat Detection and Prevention is Unified Security and Risk Analytics ------------- 56 

By Sanjay Raja, VP of Product Marketing at Gurucul 



Tips And Trends for OT Cybersecurity In 2022: More SOAR, Cyber Hygiene And Renewed Compliance 

----------------------------------------------------------------------------------------------------------------------------------- 60 

By Peter Lund, Vice President of Product Management at OT security company Industrial Defender 

Top 10 Reasons Cyber Defense Firms Should Hire Veterans------------------------------------------------------ 63 

By Bryon Kroger, Founder of Rise8 

5 Reasons Organizations Need Comprehensive AD Security Across Cloud and On-Prem ----------------- 67 

By Justin Kohler, Director of BloodHound Enterprise at SpecterOps 

Directed Analytics - The Future of Data Management ------------------------------------------------------------ 71 

By Simon Rolph, CEO & Founder of Such Sweet Thunder 

Phishing Techniques in Disguise: What to Look for And Why You Should ------------------------------------ 74 

By By Rotem Shemesh, Lead Product Marketing Manager, Security Solutions, at Datto 

Are You Prepared for the New Normal of Jekyll and Hyde Data?----------------------------------------------- 77 

By Howard Ting, CEO, Cyberhaven 

How To Defend Railway Subsystems from Targeted Cyber-Attacks ------------------------------------------- 80 

By Michael Cheng, Director at TXOne Networks & C. Max. Farrell, Senior Technical Marketing Specialist at 

TXOne Networks 

Biggest Cyber Trend in 2022 ---------------------------------------------------------------------------------------------- 84 

By Guy Rosefelt, CPO, Sangfor Technologies 

On The Frontline in The War Against Hackers ----------------------------------------------------------------------- 89 

By Damien Fortune, Chief Operations Officer of Secured Communications 

How to Fix Mid-Market Security Using Intelligent Automation and AI --------------------------------------- 91 

By Guy Moskowitz, CEO, Coro 



5 Ways Cybersecurity Will Change In 2022 --------------------------------------------------------------------------- 95 

By Jaime Coreano, Vice President of Sales – Flexxon 

Executive Order Instructs Certain Organizations to Improve Their Cybersecurity Stance ---------------- 99 

By Bob Thibodeaux, Chief Information Security Officer, DefenseStorm 

Too Hot to Handle:The case for Zero Trust and SASE ------------------------------------------------------------ 103 

By Jonathan Lee, Senior Product Manager, Menlo Security 

Lessons Learned: In the Principle Of “Least Privilege,” Where Do Companies Fall Short? -------------- 106 

By Raj Dodhiawala, President, Remediant 

Redefining Resilience in The New World of Work ---------------------------------------------------------------- 109 

By Andrew Lawton, CEO of Reskube Ltd 



@MILIEFSKY 

From the 

Publisher… 

Dear Friends, 

We’ll be celebrating our 10 th Year in business and of our Global InfoSec Awards and as a 

Platinum Media Partner of RSA Conference on June 06 – 09 , 2022 – See You There! 

As international tensions rise, and manifest themselves as cybersecurity threats and attacks, the role of 

Cyber Defense Media Group becomes even more important than during “ordinary” times. We face both 

a reality and a challenge, but one we are well prepared to undertake. 

As our Editor-in-Chief has noted in his welcome message, we are now emphasizing immediacy of issues, 

and moving away from a fixed annual calendar, in order to support our community in responding 

effectively to the most pressing cybersecurity issues of the day. 

In that spirit, let me take this occasion to invite both our contributors and readers to submit, or suggest 

topics for, articles you perceive to be most valuable to you in your professional activities. “Actionable 

intelligence” continues to be our watchword, and we welcome thoughts and suggestions from our entire 

community. 

I would like to reiterate that, beyond the magazine, in response to the demands of our markets, the scope 

of CDMG’s activities has grown into many media endeavors. We now offer Cyber Defense Awards; 

Cyber Defense Conferences; Cyber Defense Professionals (job postings); Cyber Defense TV, Radio, 

and Webinars; and Cyber Defense Ventures (partnering with investors). 

Please check them out and see how much more CDMG has to offer! 

The full list, with links, can be accessed at: 

https://www.cyberdefensemagazine.com/cyber-defense-media-group-10-year-anniversary-dailycelebration-in-2022/ 

Warmest regards, 

Gary S.Miliefsky, CISSP®, fmDHS 

CEO, Cyber Defense Media Group 

Publisher, Cyber Defense Magazine 

P.S. When you share a story or an article or information about 

CDM, please use #CDM and @CyberDefenseMag and 

@Miliefsky – it helps spread the word about our free resources 

even more quickly 



@CYBERDEFENSEMAG 

CYBER DEFENSE eMAGAZINE 

Published monthly by the team at Cyber Defense Media Group 

and distributed electronically via opt-in Email, HTML, PDF and 

Online Flipbook formats. 

EDITOR-IN-CHIEF 

Yan Ross, JD 

Yan.Ross@cyberdefensemediagroup.com 

ADVERTISING 

Marketing Team 

marketing@cyberdefensemagazine.com 

CONTACT US: 

Cyber Defense Magazine 

Toll Free: 1-833-844-9468 

International: +1-603-280-4451 

http://www.cyberdefensemagazine.com 

Copyright © 2022, Cyber Defense Magazine, a division of 

CYBER DEFENSE MEDIA GROUP 

1717 Pennsylvania Avenue NW, Suite 1025 

Washington, D.C. 20006 USA 

EIN: 454-18-8465, DUNS# 078358935. 

All rights reserved worldwide. 

PUBLISHER 

Gary S. Miliefsky, CISSP® 

Learn more about our founder & publisher at: 

http://www.cyberdefensemagazine.com/about-our-founder/ 

10 YEARS OF EXCELLENCE! 

Providing free information, best practices, tips, and techniques 

on cybersecurity since 2012, Cyber Defense magazine is your 

go-to-source for Information Security. We’re a proud division 

of Cyber Defense Media Group: 

CYBERDEFENSEMEDIAGROUP.COM 

MAGAZINE TV RADIO AWARDS 

PROFESSIONALS VENTURES WEBINARS 

CYBERDEFENSECONFERENCES 



Welcome to CDM’s March 2022 Issue 

From the Editor-in-Chief 

In editing, as in other activities, it’s important from time to time to review all processes and products in 

order to assure they are working smoothly. 

As my Dad often said: “You can’t tell how you stand from where you sit.” 

At this point, in conducting such a review, it appears that we have two aspects of our editorial process 

which are no longer in sync with each other: the annual editorial calendar and the submission of articles 

from sources in the cybersecurity industry. 

It has become clear that the strictures of a monthly calendar simply don’t work efficiently for CDM to bring 

to our audience the most current and relevant articles on topics of vital interest. 

As part of the central role Cyber Defense Magazine plays in the breadth of activities conducted by the 

entire Cyber Defense Media Group, we do now and will continue in the future to select and publish the 

most actionable intelligence from the most knowledgeable writers in the field. 

Of course, as we perceive patterns in the trends in cybersecurity, and the submission of articles, we will 

always be responsive to the needs and interests of both authors and readers. 

Wishing you all success in your cybersecurity endeavors, 

Yan Ross 

Editor-in-Chief 


About the US Editor-in-Chief 

Yan Ross, J.D., is a Cybersecurity Journalist & U.S. Editor-in-Chief of Cyber 

Defense Magazine. He is an accredited author and educator and has 

provided editorial services for award-winning best-selling books on a variety 

of topics. He also serves as ICFE's Director of Special Projects, and the author 

of the Certified Identity Theft Risk Management Specialist ® XV CITRMS® 

course. As an accredited educator for over 20 years, Yan addresses risk management in the areas of identity theft, 

privacy, and cyber security for consumers and organizations holding sensitive personal information. You can reach 

him by e-mail at yan.ross@cyberdefensemediagroup.com 























Why Changing Classified Document Status Can Affect Risk 

Levels and How Proactive Cybersecurity Methods Can 

Help 

By Sam Hutton, SVP, Glasswall 

As ransomware attacks, insider threats, data breaches and phishing attacks against government 

agencies continue to skyrocket, organisations are at constant risk. There are many recent events such 

as the JBS Foods, the Colonial Pipeline and SolarWinds in 2020, proving that organisations need to be 

aware of any possible vulnerabilities that could potentially affect sensitive data. 

Security risks for remote federal employees and government agencies 

Since there is a discussion on keeping federal workers remote, there are concerns around the decreased 

level of precautions being taken toward cyber risks and the legal implications associated with 

cyberattacks. The 2021 Thales Data Report: Global Edition stated that 82% of people expressed some 



level of concern while working remotely. This number is even higher for federal employees at 84%. 

Remote work can harbor more risk for cyber attacks than for those in offices because at home 

connections are generally less secure, making access easier for cybercriminals to find. The report also 

notes that only 44% of employees were not confident in their existing security protocols. 

For companies, organisations and government agencies, there can be legal repercussions for 

cyberattacks too. According to The Securities and Exchange Commission and Commodity Futures 

Trading Commission, while state and federal regulations vary, there may be further reporting required 

depending on the conditions of the cyberattack and the type of data that was compromised. 

The impact of malware on classified files 

Malware operates by infiltrating a point of weakness through a network, beginning the journey of lateral 

movement. Bad actors understand this and will intrude through an organisation, undetected, attempting 

to gather as much data as possible. For federal agencies, documents that enter government systems at 

an unclassified point are viewable for a wider audience, however, once they enter into a classification 

level -- whether confidential, secret or top secret -- there is a chance of malware being attached. 

“Classified” determines information specifically designated by a U.S. government agency for limited, 

restricted dissemination or distribution. When documents are being taken up or down to higher or lower 

confidentiality levels, there is valuable information at stake. If files that were previously unclassified carry 

hidden viruses, there is an opportunity for digital adversaries to break into top-secret networks and 

infiltrate government information. This could enable them to steal trade secrets, learn about secret foreign 

policies or military tactics, which in turn can put lives at risk. 

SolarWinds, one of the most catastrophic cyberattacks in U.S. history, resulted in the hacking of major 

enterprises and government agencies including the Department of Homeland Security and the Treasury 

Department for over 14 months before being discovered. The hackers were able to break into the 

SolarWinds systems by implementing a malicious code into a system known as “Orion” which was 

commonly known by companies to handle IT resources. This code is what created an opening for the 

hackers to install malware that allowed them to spy on companies. Due to the stealth movement of the 

hack, some of those involved may still be unaware. Bad actors know how to identify loopholes in the 

system to gain access to sensitive information. This further proves the value of implementing strict 

cybersecurity methods to ensure that sensitive data is protected. There needs to be proactive, zero-trust 

cybersecurity methods in place as government documents go through the confidentiality cycle to ensure 

that all files are protected and monitored. 

How Content Disarm and Reconstruction (CDR) technology can help 

It is imperative that federal agencies take a proactive approach in their file security methods. CDR 

technology works to clean and rebuild files to a ‘known good’ industry standard by automatically removing 



potential threats. Reactive cybersecurity strategies such as anti-virus software and sandboxing are no 

longer effective enough to keep up with the growing sophistication of cyberattacks. In fact, they can 

actually place users in the direct line of attack and increase the pressure on teams to handle threats. 

CDR helps assess the areas of weakness by rebuilding files and removing areas of vulnerability. For 

government agencies, it helps close up loopholes and allow leaders to focus on more important things 

such as policy making and strategy. 

The hackers behind SolarWinds are still actively trying to break into federal agencies. Cyberattacks are 

expected to become more prolific and more sophisticated as they develop new strategies for getting into 

private networks. Although there is an effort being made to improve the government’s cybersecurity such 

as Biden’s recent Cybersecurity bill, promising to develop a more comprehensive plan to mitigate risk; 

there is a crucial need to take steps to protect the safety of classified documents. If organisations 

implement a proper system of proactive cybersecurity, they will be better prepared to handle it when an 

attack comes. 

About the Author 

Sam Hutton, SVP, North America, Glasswall 

"Sam prides himself on offering perfect partnership (and true 

collaboration) to organizations all over North America. Because 

with over 20 years’ experience in selling and delivering solutions to 

financial, security, defense and commercial sectors in this space, 

Sam knows even the most cutting-edge technology needs the best 

team of people to support it." 

Sam can be reached online at (https://www.linkedin.com/in/samhutton-8b08243/) 

and at our company website 

https://www.glasswallsolutions.com/ 



The Fragility of a GPS Centric World and the Importance 

of eLORAN 

By Dan Dickey, President, Continental Electronics Corporation 

Both the importance of GPS systems and their vulnerability to a cyber incident or attack are well 

understood. What is less understood is that GPS and the satellites behind them now comprise 

the very threads in the fabric of our modern economy. 

The value of GPS is built on three primary pillars: position, navigation and timing (PNT). While 

position and navigation are a logical given, the exact time is the unsung contribution of GPS that 

largely affects the way our world functions. Without an accurate source of timing, banks would 

be unable to timestamp payments. In fact, they couldn’t conduct any kind of banking without 

GPS. Communications networks could not communicate, the stock market would seize, ships 

and aircraft would be imperiled and our various terrestrial networks from power grids to 

broadcasting and cloud computing – and the Internet itself - would fail or slow down dramatically. 

The newest 5G based systems also depend on GPS as their primary source of time. A 



staggering number of critical systems necessary for modern life are wholly dependent on GPS 

with no other primary standards traceable source for accurate time. 

Other countries have deployed their own systems such as BeiDou (China) and GLONASS 

(Russia). Today’s threat analysts are aware that being 100% dependent on space-based 

systems with no other PNT alternative leaves America’s national security profoundly vulnerable 

to a wide variety of attackers. Single person local attacks and nation-state threats are easily 

conceived. 

This leads to the question, “What is the likelihood of our GPS system failing?” The possibility of 

a system-wide failure is remote. But the impact of such a failure is incalculable. The reality is 

that GPS satellite signals are vulnerable, not only to space weather, missiles, space debris and 

general wear and tear, but also to bad actors on the ground via spoofing and jamming. If we 

continue to rely exclusively on GPS it will remain an attractive attack surface because nearly all 

modern systems depend on it as a source of coordinated universal time. 

Many analysts see such an exploitation as a matter of when, not if. Bad actors – any 

cybersecurity adversary interested in attacking IT systems – may harness a spoofing attack, an 

intelligent form of interference which makes the receiver unusable or worse by making it believe 

it is at a false location. Even traditional means of intentional interference such as jamming can 

still jeopardize GPS transmissions as effectively as they did to international broadcasting 

stations during the Cold War. 

Alarmingly, successful satellite hacking has already occurred multiple times over that last 20 

years and was first noted as far back as in 1998 when hackers took control of the U.S.-German 

ROSAT X-Ray satellite. Over the years, hacking became more prevalent with two more 

successful attacks, believed to be led by China in 2008 and 2018. In response to the growing 

amount of threats, specifically from Russia, China and Iran, the U.S created the Space Force in 

2019, specifically designed to operate and defend military satellites and ground stations that 

provide communications, navigation and Earth observation. While enhancing the profile of these 

initiatives is a step in the right direction, a more robust strategy is needed to ensure accurate 

PNT in case threats slip through new security measures. An equally dependable and ubiquitous 

source of position and time is the best way to minimize the attractiveness of the GPS system as 

an attack vector. eLORAN is the perfect tool to fill this role in any nation’s security. 

Enhanced Loran (eLORAN) is a positioning, navigation and timing (PNT) service for use by 

many modes of transport and a secure source of time for countless systems critical to everyday 

life. eLORAN is terrestrial based, meaning that instead of low power signals beamed from space, 

it utilizes much higher power transmitters which are difficult and expensive to jam. It is fully 

independent from GPS because it provides an independent source of accurate location and time 

traceable to a national time standard. 



Formerly known as LOng-RAnge Navigation (LORAN), eLORAN is “enhanced” to provide 

accurate time and geolocation data whereas LORAN originally only provided approximate 

location information. eLORAN is a modern digital system, which builds on proven analog radio 

frequency technologies such as Loran-C. eLORAN can provide robust and accurate position, 

navigation and time data across any desired area of the Earth. It can be received in many indoor 

and subsurface locations whereas GPS generally requires an unobstructed view of the sky. This 

makes eLORAN receiver installations less visible and thus more easily secured. 

Today’s eLORAN systems transmit signals that are three to five million times stronger than 

GPS/GNSS and have 99.999% availability and reliability. Each tower has up to a 1,200-mile 

signal range. Its spectrum of 90-110 kHz is internationally protected, and eLORAN is deployable 

rapidly, so military branches can quickly set up systems anywhere in the world. 

An eLORAN system designed to cover the contiguous United States requires only a handful of 

towers are for mission critical timing applications. Less than 2 dozen high-power transmission 

sites are needed for full CONUS position and navigation capability. 

eLORAN is a practical solution that is too often underestimated by planners and analysts, many 

of whom are not familiar with modern eLORAN. They know GPS is vulnerable but may not be 

aware of recent advancements that make eLORAN practical, affordable and deployable now. 

Fortunately, there is a renewed and growing national consensus that the deployment of eLORAN 

must be accelerated to strengthen the nation’s infrastructure that is increasingly and solely 

dependent on GPS. Companies such as ours, with a tradition of innovation and RF leadership, 

have spearheaded development of the latest generation of this technology. Through these 

efforts many of the past cost and technological constraints, such as land area needed for 

eLORAN transmission towers, have been overcome. Today’s fully digital eLORAN systems 

reduce antenna tower height by half and the necessary land area by 75%. Making eLORAN 

system planning and deployment much simpler at a time when the world needs the more resilient 

and independent solution eLORAN provides. 

For America and our allies, eLORAN is a necessary and fundamental “fail safe” at a critical time. 




Dan Dickey has been the President of Continental Electronics 

Corporation since 2009. Dickey is a named inventor on multiple 

patents, and has previously held design engineering and 

management positions at Harris Corp. and ADC 

Telecommunications. He has published papers through the world’s 

largest technical professional organizations, IEEE, and has coauthored 

a book on broadcast engineering published by the 

National Association of Broadcasters. Dickey holds a Bachelor of 

Science degree in Electrical, Electronics and Communications 

Engineering from the University of Missouri. For more information 

about Continental Electronics Corp. please use this link: 

https://contelec.com. 



The Role of The CFO In Enterprise Cyber Security 

By Glenn Murray, CEO at Sapien Cyber 

Who is responsible for cyber security in your organization? Smart businesses know that it’s not just the 

IT teams who need to be investing in cyber security. 

Faced with increasingly complex and severe cyber-attacks on operational technology (OT) designed by 

criminals who are well-organized, well-financed and willing to wait for the right opportunity to strike, 

businesses need everyone in leadership roles to not only acknowledge the situation, but put in place 

strategies to minimize risk. This includes the CFO. 

The Chief Financial Officer (CFO) plays a crucial part in ensuring that the investment in cyber security 

matches not only the potential risks but mirrors the value and importance of the company’s infrastructure, 

from financial systems to operational technology networks. In some organizations this can be viewed as 

a cost drain. As such, investment levels tend to be far too low relative to the scale of the risk. 

It is not uncommon for IT teams or their executives to be rewarded based on reduction in expenditure vs 

budget, breeding an alarming culture of penny pinching each year. This short-term thinking is putting 

organizations in jeopardy, and at risk of everything from data breaches to system hacks. A boardroom, 

including the CFO, that recognizes the devastating effect a cyber-attack can have, both financially and 

reputationally, will be better placed to protect their ‘crown jewels’ from this new age of cyber criminals. 

There is an opportunity to engage the CFO in the full spectrum of cyber security and the potential 

mitigations, from IT to OT networks. Great CFOs don’t act as a blocker or barrier but are ready to invest 

in comprehensive and robust cyber security systems. Here’s how to make sure your CFO is one of them: 



Make clear the opportunity cost 

There is, of course, a cost to cyber security systems, but the cost to not having them is far larger. The 

average cost of an attack has been rising rapidly and now stands at $3.9 million, according to the annual 

Cost of a Data Breach Report by IBM and the Ponemon Institute, although this rises to $8.64 million in 

the US. This includes costs of OT systems and hardware, disruptions to critical activity resulting in down 

time and business lost, and fines. When put in this context, the investment in cyber security will seem 

minimal. Businesses that rely on insurance as mitigation may feel that they are covering the financial 

cost, but this does not take into account the cost of reputational damage, which can far exceed any 

monetary loss. Further, the insurance market is taking a tougher stance due to the rising frequency and 

scale of cyber-attacks. This makes it a multi-faceted challenge for finance leaders. 

Think about long term sustainability 

Cyber-resilience is about ensuring the continued success of an organization. Business continuity, 

reputation and finance are all at stake, but also the potential for injury and even loss of life. Imagine how 

much money would be lost if you were unable to service clients, and the reputational damage of a splash 

across the headlines. To continually win new business you need to be able to show you are diligent and 

trustworthy, and cyber security plays a big role in this. Data security is increasingly important, and 

customers will not want to do business with you if their own information is seen to be at risk. Similarly, 

vendors will harbor concerns about stability and ultimately shareholders will become worried about 

performance. 

See cybersecurity not as an IT overhead but an OT asset 

Cyber security is not just a tick box or policy adherence exercise, but brings huge value. It’s about more 

than systems and software of IT – it’s essential for full and essential OT. The CFO’s remit spans the 

entire business, meaning they are perfectly positioned to support cyber security efforts spanning the 

entire estate. They are able to look at the technology and systems and what investment in them can bring 

the business from a strategic standpoint. 

Improve the risk management framework 

The CFO’s job is to finance things that are business critical. If the Chief Information Officer (CIO), Chief 

Information Security Officer (CISO), Senior Management Team (SMT) make cybersecurity part of 

everyone’s role, from team members to those at the top of the organization, it ensures it is ingrained in 

policy and procedure. By having this shared visibility and responsibility, it will be clearer as to why it needs 

financing, not just as a cost centre, but an enabler. Cyber security is about protecting the assets that are 

of value to your company, and so should be embedded in everything that you do. Effective governance 

is essential to business success. 



Help them mitigate potential risks 

Across the business we are constantly putting plans and procedures in place to mitigate risk. And most 

often this risk is based on potential risk, rather than historic experience. Just because it hasn’t happened 

doesn’t mean it won’t. In fact, threats are constantly changing and cyber criminals are increasingly 

diversifying the comprehensive strategies that they use to infiltrate organizations. Most businesses have 

smoke alarms or defibrillators yet have never had a fire or someone have a heart attack during the 

working week. They have this equipment installed to minimise the impact of any future disaster. The 

same is true of cybersecurity. CFOs should think of cyber security as part of the package that a business 

has to mitigate against risk and maintain fully functioning OT at all times to ensure business activity can 

proceed as normal. CFOs should therefore be discussing cyber-risk exposure with their CIO and CISO 

regularly. This ensures it doesn’t just get thought about on an annual basis but is front of mind all year 

round. That regular reminder of why it is so important will help ensure that it is viewed as a business 

critical expense that needs to be fully backed financially. 

Use their expertise 

Your CFO does not have to be a cyber security expert. But their risk management skills will be essential 

to asking the right questions around issues such as where data is stored and who has access to it. They 

especially understand the risks and issues presented by protecting financial data. By ensuring that your 

CFO is part of the process for assessing risk, identifying assets and selecting vendors, they become part 

of that process of essential cyber security. 

Present a united front 

The CFO is a business-critical part of strategic and functional operations across the organization. 

Businesses fall prey to cyber-attacks when they have a weak link. We think of clients as castles, and all 

of the battlements need to be strong. This includes everyone from the CEO to the cleaner to the 

connected systems used to make the business run. Vigilance and security are crucial across the board, 

and the CFO is an integral part of that. 

We know that cyber security is essential. In the modern working environment, more and more of us are 

geographically dispersed and more devices are connected to the internet. At the same time cyber 

criminals are getting increasingly sophisticated. Cyber security needs to be a top priority for all 

organizations – and all members of those organizations, including the CFO. Investment in cyber security 

is absolutely business-critical, and by making your CFO part of the strategic journey of cyber security you 

will make it easier to get that much needed sign off. 




Glenn Murray is the Chief Executive Officer at Sapien Cyber. Glenn has 

extensive experience in the management of multi-million dollar projects 

in the identification and application of ICT solutions across the oil and 

gas, mining, heavy vehicle manufacturing, mining, defence (Electronic 

Warfare) and telecommunication industries. 

His military background and focus on national security has built a 

passion for cyber security and protecting the world we live in. As CEO 

of Sapien Cyber, Glenn’s vision is to provide world class cyber security 

solutions to critical infrastructure industries globally. 

Glenn can be reached online at (https://au.linkedin.com/in/glennmurray, 

https://twitter.com/otcybergm?lang=en) and at our company 

website https://www.sapiencyber.com.au/. 



The Safest Ways for Bitcoin Trading 

By Robert Wilson, Freelancer 

During the year 2021, we experienced history in the cryptocurrency niche with the 3rd Bitcoin 

halving event unfolding. There has been unprecedented hype after this news with a great rise in 

interest for the coin around the world. More and more people are expressing their interest in 

learning about the places to buy Bitcoin safely and some are asking about how to become a 

reputable Bitcoin trader. Although the recent stats may dishearten you in getting into Bitcoin or 

crypto for the first time, it is a good idea to get into digital currencies. 

Using VPN 

The VPN allows you to hide the IP address and it provides better anonymity on the internet. It is 

possible to trade the cryptocurrency more securely by using the VPN because it can encrypt the 

internet connection you are using with the external server. This makes sure that your data is 

secure. Luckily for the Bitcoin traders, almost all the crypto exchanges use HTTPS end-to-end 

encryption for their activities. So, the hackers can't intercept the data this way unless the device 

you are using is susceptible to other security vulnerabilities. VPN adds another layer of security 



to the proceedings making your online activities anonymous. You can read VPN reviews online 

to get the most suitable alternative for your case. If VPN doesn’t seem the right option, try using 

Residential Proxies as a way to secure your privacy and browse anonymously. 

Secure avenues for trading Bitcoin 

Here are some secure avenues for trading Bitcoin. 

1. Using Fiat to Bitcoin exchanges 

Using a reputable and well-established cryptocurrency exchange is a simple and convenient 

way of buying Bitcoin for fiat through your bank account. The term "fiat" is utilized in the 

cryptocurrency sector for denoting government-backed currencies such as GBP, USD, or JPY. 

You can buy Bitcoin from several exchanges and the more dependable ones are secure and 

straightforward to use. But, keep in mind that if your currency is stored custodial meaning you 

do not hold the private keys, and if the exchange crashes or gets hacked you will lose all you’re 

holding. Therefore it is a good idea to move your funds to a private non-custodial wallet quickly 

after buying Bitcoin. Just keep the bare minimum currency required for the transactions. 

Remember, there are many fake exchanges on the internet that cheat gullible people. Investors 

should only use regulated exchanges that display their permits on their sites. 

2. ATM Action 

If you take into consideration convenience there is nothing to beat the Bitcoin ATMs especially 

when you are located near one of these machines. The buying process is stress-free and it is 

similar to depositing the fiat money in the ATM and then the BTC coins afterward. The accurate 

info about the machines can be found on Coinatmradar. There are more than 7000 crypto ATMs 

available across the world. They allow people to use cash and debit cards for buying Bitcoin and 

other similar digital assets. It is also possible to convert BTC into fiat. More than 5000 ATMs are 

located in the U.S. alone. Unlike conventional exchanges, these ATMs allow the users to access 

a physical kiosk where it is possible to trade fiat with popular digital assets such as ETH, BTC, 

and LTC. 

3. Using a credit card 

Another quite simple way of purchasing Bitcoin is by using credit cards. It is possible to do this 

from buy.Bitcoin.com and the users may select either BTC or BCH (Bitcoin Cash) for the 

transaction. After you have clicked the Buy button you will get a prompt pop-up asking you to 

enter your Bitcoin wallet address. For the users not having a BTC wallet, you can find simple 



and clear instructions through a "Need a wallet?" alternative. It offers assistance in downloading 

one for free. Even though this alternative normally charges a fixed service charge, it is a quick 

and convenient trade-off. 

Conclusion 

As we enter 2022, there are several references out there for buying Bitcoin. But, due to the 

availability of these many alternatives you are going to come across scammers and fraudsters 

who will also be geared up to get a piece of your hard-earned coin. Therefore the crypto-buyers 

have to be vigilant as there are several dishonest exchanges, sellers, and services out there. 

Ensure that you are buying from a credible source. 


I’m Robert Wilson and I’m a security software developer with 

three years of experience as a freelancer. I research, design, 

implement and manage software programs I test and evaluate 

new programs. I’m very passionate about writing, reading, and 

drawing. 



Ransomware — Encrypt Your Data Before Others Do 

Don’t let them look at your data. 

By Robert Freudenreich, CTO and Founder, Secomba GmbH | Boxcryptor 

A single malicious email, with the sender of the mail disguised as a colleague or client, can have severe 

consequences for a company. With a fraudulent link that transmits sensitive account data in the wrong 

hands or malware disguised as a seemingly ordinary Microsoft Office file, hackers will gain access to 

business systems and servers within minutes. In this article, we will take a look at how the cloud and 

encryption can help prevent or reduce damage in case of a ransomware attack on your company. 

What is Ransomware and Why is it so Dangerous? 

Ransomware is malicious software that gives unauthorized people access to company data, programs, 

or even the entire computer system. In case of an attack, business operations are severely affected and 

exclude personnel and organizations from accessing their files and systems. Ransomware attacks not 

only have an impact on individual company processes but can also affect the entire supply chain. 

The damage usually also affects external stakeholders of the company that was the victim of the attack, 

for example customers, suppliers, and partners. With most operations coming to a complete hold, 

companies are forced to pay high ransoms in order to regain control over their data and devices. 



According to Cybereason’s “Ransomware: The true cost to Business” (Source: 

https://www.cybereason.com/hubfs/dam/collateral/ebooks/Cybereason_Ransomware_Research_2021. 

pdf), it is estimated that there is a ransomware attack on a business every 11 seconds on average, with 

global ransomware damage losses projected to reach $20 billion in 2021. The FBI reported an increase 

of more than 225% in total losses from ransomware in the U.S. in 2020 alone. 

While the huge amount of ransom is already critically affecting companies, pressure is further increased 

when sensitive data is threatened to be publicized. While, in theory, the ransom payment can be settled 

rather inconspicuously, data protection laws like the European GDPR require very strict measures when 

data of citizens of the European Union is breached. The company, whether American or European, must 

notify all affected individuals or businesses about the data loss, which not only results in high 

inconveniences but more importantly a loss in trust. According to Cybereason, 53% of all attacked 

reported their brand suffered. 

How Can Businesses Prevent Ransomware Attacks? 

The likelihood of being affected by viruses or malware can be kept within limits if some internal company 

rules are observed. Even smaller measures can protect companies and organizations from severe 

consequences. Such measures can be comprehensive security software that detects unknown 

vulnerabilities or so-called zero-day gaps and prevents their execution. 

With a growing number of businesses allowing their employees to work from home, new security 

challenges arise. Therefore, companies need to sensitize their staff to the issue of proper cyber-security. 

This can include everything from a well-protected network to VPNs or data encryption solutions. 

Furthermore, companies should offer regular training and conduct random tests to raise awareness of 

ransomware and similar malware amongst employees. 

If despite all security measures, a company still falls victim to a ransomware attack, it is advised to have 

an emergency plan at hand. This way, those responsible in the company can act faster and keep the 

damage caused by ransomware as low as possible. Companies can implement the following steps into 

their data breach emergency plan: 

1. Immediately disconnect or remove any potentially affected or suspicious devices from the 

network. 

2. Inspect the damage that has been caused. 

3. Identify the ransomware to determine which relevant authorities or individuals need to be notified. 

4. Inform all relevant authorities and affected persons. 

How Can the Cloud and Encryption Help Against Ransomware Attacks? 

Many companies have already shifted their work into the cloud to benefit from increased flexibility, 

efficiency in team communication, and optimized workflows. Company data can be accessed at any time 

and from any location. One cloud feature that comes in handy in case of a ransomware attack is 

versioning. When your company data is encrypted by malicious software, you can simply switch back to 



a version of your data before the attack, and you gain back control over your data. This way, the damage 

done by the ransomware attack is reduced to a minimum. 

However, by the time you find out about the attack, the attackers probably already copied and stole your 

company data. This is where encryption comes in, as the second protection measure against 

ransomware. 

Every business possesses confidential information and data that should not be disclosed, such as 

personal data of customers or trade secrets. Therefore, it is important to protect this information as best 

as possible, for example through end-to-end encryption. When encrypted, the data contents are protected 

from malicious software, since only worthless strings are transmitted to the attackers. Thus, without 

interesting data, no worthwhile attack scenario arises, as the affected company cannot be blackmailed 

into paying a ransom. 

In the case of unencrypted data being involved in a data leak, there is no guarantee that the attacker will 

not still publish sensitive data, regardless of whether the ransom has been paid. This would hit companies 

particularly hard, as they not only suffer a huge financial loss but also must take responsibility for the lost 

data. 

In combination with the cloud, encryption solutions can offer even greater protection. In the event of an 

attack, all securely encrypted files are protected and can be restored even if the attacker deletes the files. 

However, regular backups and cloud-optimized encryption solutions, like Boxcryptor, are required to 

ensure continuity. At the same time, it is important to choose an encryption solution with zero-knowledge, 

so that only authorized people in your company will have access to sensitive company files. 

An example: You decide in your company to store the data not only locally, but also with an automatic, 

regular backup in the cloud storage of Microsoft and Dropbox. Additionally, you encrypt those data with 

Boxcryptor before uploading to the cloud. If you now become a victim of a ransomware attack, you can 

restore the affected data via your last backup in the Microsoft or Dropbox cloud. Moreover, you can be 

sure that the attacker will not be able to do anything with the stolen data, as this data has been encrypted 

with the key known only to you and is thus not visible to the attacker. You can rest easy and do not have 

to pay a ransom. 

Conclusion 

Companies all over the world are falling victim to ransomware attacks. However, it is important to ask 

how well or poorly prepared an organization is in the event of an attack. Fortunately, there are 

preventative measures that can be taken: 

- Make employees aware of spam and phishing emails. 

- Back up your data regularly. 

- Protect sensitive files with zero-knowledge encryption solutions. 



If you implement these three tips, your business will already be in a better position than most other 

companies worldwide. Use this knowledge to your advantage and start to encrypt your files today. 


Robert Freudenreich is the CTO of Secomba GmbH | Boxcryptor. In 

2011, the computer scientist founded the company together with 

Andrea Pfundmeier, CEO at Boxcryptor. The Germany-based 

company's software has over 500,000 satisfied customers worldwide 

and is used by both private users and numerous companies to protect 

data stored in the cloud. In their first year, Freudenreich and 

Pfundmeier received the EXIST Founders’ Scholarship from the 

German Federal Ministry for Economic Affairs and Energy. In 2013, 

they won the highly endowed “Wirtschaftswoche founder competition” 

and in 2014 the German Founder’s Prize. 

Robert can be reached online at Twitter (@robfreudenreich) and at our 

company website https://www.boxcryptor.com/de/ 



Endpoint Malware and Ransomware Volume Already 

Exceeded 2020 Totals by the End of Q3 2021 

By Corey Nachreiner, CSO, WatchGuard Technologies 

The cybersecurity landscape of today is constantly evolving and threat actors are not far behind as they 

target users with increasingly sophisticated and complex attacks. To help both professionals and casual 

Internet users alike better understand the current state of these threats, WatchGuard wanted to share 

our quarterly Internet Security Report (ISR), which outlines the latest malware and network attacks in Q3 

2021. 

The most shocking statistic from this recent report revealed that the volume of endpoint malware and 

ransomware exceeded all of 2020 by the end of Q3 2021. The research (done by the Threat Lab) also 

found that a significant percentage of malware continues to arrive over encrypted connections, as we 

saw in previous quarters, and much more. While most people continue to work in a hybrid or mobile 

workforce model, its crucial organizations move beyond a traditional approach to cybersecurity and 

leverage layered-security approaches and zero-trust. So, let’s take a look at some of the top insights from 

the Q3 ISR: 



• Nearly half of zero-day malware is now delivered via encrypted connections – While the 

total amount of zero-day malware increased by a modest 3% to 67.2% in Q3, the percentage of 

malware that arrived via Transport Layer Security (TLS) jumped from 31.6% to 47%. A lower 

percentage of encrypted zero-days are considered advanced, but it is still concerning given that 

WatchGuard’s data shows that many organizations are not decrypting these connections and 

therefore have poor visibility into the amount of malware hitting their networks. 

• As users upgrade to more recent versions of Microsoft Windows and Office, attackers are 

focusing on newer vulnerabilities – While unpatched vulnerabilities in older software continue 

to provide a rich hunting ground for attackers, they are also looking to exploit weaknesses in the 

latest versions of Microsoft’s widely used products. In Q3, CVE-2018-0802 – which exploits a 

vulnerability in the Equation Editor in Microsoft Office – cracked WatchGuard’s top 10 gateway 

antivirus malware by volume list, hitting number 6, after showing up in the most-widespread 

malware list in the previous quarter. In addition, two Windows code injectors (Win32/Heim.D and 

Win32/Heri) came in at number 1 and 6 on the most detected list respectively. 

• Attackers disproportionately targeted the Americas – The overwhelming majority of network 

attacks targeted the Americas in Q3 (64.5%) compared to Europe (15.5%) and APAC (20%). 

• Overall network attack detections resumed a more normal trajectory but still pose 

significant risks – After consecutive quarters of more than 20% growth, WatchGuard’s Intrusion 

Prevention Service (IPS) detected roughly 4.1 million unique network exploits in Q3. The drop of 

21% brought volumes down to Q1 levels, which were still high compared to the previous year. 

The shift doesn’t necessarily mean adversaries are letting up as they are possibly shifting their 

focus towards more targeted attacks. 

• The top 10 network attack signatures account for the vast majority of attacks – Of the 

4,095,320 hits detected by IPS in Q3, 81% were attributed to the top 10 signatures. In fact, there 

was just one new signature in the top 10 in Q3, ‘WEB Remote File Inclusion /etc/passwd’ 

(1054837), which targets older, but still widely used Microsoft Internet Information Services (IIS) 

web servers. One signature (1059160), a SQL injection, has continued to maintain the position it 

has held atop the list since Q2, 2019. 

• Scripting attacks on endpoints continue at record pace – By the end of Q3, WatchGuard’s 

AD360 threat intelligence and WatchGuard Endpoint Protection, Detection and Response 

(EPDR) had already seen 10% more attack scripts than in all of 2020 (which, in turn, saw a 666% 

increase over the prior year). As hybrid workforces start to look like the rule rather than the 

exception, a strong perimeter is no longer enough to stop threats. While there are several ways 

for cybercriminals to attack endpoints – from application exploits to script-based living-off-the-land 

attacks – even those with limited skills can often fully execute a malware payload with scripting 

tools like PowerSploit, PowerWare and Cobalt Strike, while evading basic endpoint detection. 

• Even normally safe domains can be compromised – A protocol flaw in Microsoft’s Exchange 

Server Autodiscover system allowed attackers to collect domain credentials and compromise 

several normally trustworthy domains. Overall, in Q3 WatchGuard Fireboxes blocked 5.6 million 

malicious domains, including several new malware domains that attempt to install software for 

cryptomining, key loggers and remote access trojans (RATs), as well as phishing domains 

masquerading as SharePoint sites to harvest Office365 login credentials. While down 23% from 

the previous quarter, the number of blocked domains is still several times higher than the level 

seen in Q4 2020 (1.3 million). This highlights the critical need for organizations to focus on keeping 



servers, databases, websites, and systems updated with the latest patches to limit vulnerabilities 

for attackers to exploit. 

• Ransomware, Ransomware, Ransomware – After a steep decline in 2020, ransomware attacks 

reached 105% of 2020 volume by the end of September (as WatchGuard predicted at the end of 

the prior quarter) and are on pace to reach 150% once the full year of 2021 data is analyzed. 

Ransomware-as-a-service operations such as REvil and GandCrap continue to lower the bar for 

criminals with little or no coding skills, providing the infrastructure and the malware payloads to 

carry out attacks globally in return for a percentage of the ransom. 

• The quarter’s top security incident, Kaseya, was another demonstration of the ongoing 

threat of digital supply chain attacks – Just before the start of the long 4 th of July holiday 

weekend in the US, dozens of organizations began reporting ransomware attacks against their 

endpoints. WatchGuard’s incident analysis described how attackers working with the REvil 

ransomware-as-a-service (RaaS) operation had exploited three zero-day vulnerabilities (including 

CVE-2021-30116 and CVE-2021-30118) in Kaseya VSA Remote Monitoring and Management 

(RMM) software to deliver ransomware to some 1,500 organizations and potentially millions of 

endpoints. While the FBI eventually compromised REvil’s servers and obtained the decryption 

key a few months later, the attack provided yet another stark reminder of the need for 

organizations to proactively take steps like adopting zero-trust, employing the principle of least 

privilege for vendor access and ensuring systems are patched and up to date to minimize the 

impact of supply chain attacks. 

In Q3, malware per device skyrocketed and was up for the first time since the pandemic began. Looking 

at 2021, it’s clear cybersecurity continues to challenge users. Its critical organizations think about the 

long-term ups and downs as well as focus on persistent, concerning trends factoring into their security 

posture. A strong cybersecurity strategy includes endpoint protection, multi-factor authentication and 

secure Wi-Fi – all important components in a layered approach to security. When implemented properly, 

users can drastically mitigate outsider threats. 


Corey Nachreiner is the CSO of WatchGuard Technologies. A front-line 

cybersecurity expert for nearly two decades, Corey regularly contributes 

to security publications and speaks internationally at leading industry 

trade shows like RSA. He has written thousands of security alerts and 

educational articles and is the primary contributor to the Secplicity 

Community, which provides daily videos and content on the latest security 

threats, news and best practices. A Certified Information Systems 

Security Professional (CISSP), Corey enjoys "modding" any technical 

gizmo he can get his hands on and considers himself a hacker in the old 

sense of the word. Corey can be reached at @SecAdept on Twitter or via 

https://www.watchguard.com. 



Don’t Become a Horrible Headline: Some Tips on 

Redesigning Your Threat Posture for The 2022 Threat 

Landscape 

By Omar Zarabi, Founder and CEO, Port53 Technologies 

As in previous years, the DefCon of the cybersecurity industry is best illustrated by the headlines – each 

a cautionary tale. The past two years were witness to a virtual House of Horrors that has propelled 

cybersecurity to the top of corporate agendas. The 2020 supply-chain attack on SolarWinds' network 

monitoring application Orion affected thousands of the company's customers around the world, including 

several government agencies here in the US. 

And the list goes on. March 2021: Verkada, a Silicon Valley start-up that provides cloud-based CCTV 

systems, was compromised through the simple hijacking of privileged credentials. Attackers were able to 

browse the real-time footage of every Verkada customer, including health clinics, psychiatric treatment 

centers, and the premises of hybrid and electric car manufacturer Tesla. Also available for viewing: 

Verkada's own offices. 

Another example of stolen credentials was May's DarkSide ransomware attack on the Colonial Pipeline. 

It led to panic-buying of gas by the public, and cost the operator $5 million, in a payout characterized by 

The New York Times as a red flag to other threat actors who may see a lucrative pay day on the horizon. 

Abnormal times 

Even in normal years, this series of events – and others too numerous to mention – would have CISOs 

scurrying to the drawing board to reimagine their threat postures. But we are not living in normal years. 

In the midst of the dramatic contortions we were seeing in the threat landscape, nature threw a curveball 



into the mix. The COVID-19 pandemic ravaged families, business communities, and economies around 

the globe. Those enterprises that moved decisively, migrated to the cloud almost overnight and instantly 

expanded the attack surface. 

The problems came from several different directions. First, employees working from home were using 

unvetted personal devices that potentially contained a smorgasbord of vulnerabilities. These devices 

used private and third-party networks to connect to the cloud-based environments required for remote 

work. And corporate data, sensitive or not, was crossing unknown boundaries on its journey between the 

WFH employee and the corporate environment. Penetration testing became unreliable because the 

architecture being probed was half in and half out of an organization’s jurisdiction. 

Second, DevOps teams – desperately trying to transform massive chunks of their employers’ business 

models to adapt to the new normal – were releasing new digital experiences at the speed of demand. 

These releases could, depending on circumstances, contain any number of security holes picked up from 

new PaaS environments. 

Rethink your digital dogma 

As has been said at many points throughout cybersecurity history, what we were doing two years ago no 

longer works. Threat actors have proved themselves capable of using every trend, every market shift, 

every consumer habit, and every employee error to their advantage. Responses from organizations have 

not been as swift. While cybersecurity professionals can never quite recall a “quiet past”, the “stormy 

present” of 2022 requires a rethink of our digital dogmas if we are to ensure that employees can stay 

safe but remain productive. 

The starting point: know yourself. Line of business will always have a handle on financial plans, 

operations, market conditions, and a range of other touchpoints. For IT and security teams to be 

successful, they must compile a comprehensive asset inventory – from the machines in the office to the 

devices in employees’ homes, from the tools on laptops to the inner workings of containerized apps in 

the cloud. 

Next comes triage. Identifying vulnerabilities is trivial next to the task of managing action. Some 

vulnerabilities will be common but may not represent great damage if they were to be exploited. Others 

may be rare but represent considerable business risk. The general rule of thumb is that if a vulnerability 

can cause significant damage and is relatively easy to exploit by an attacker, it should be high on the 

patching list. Anything that is high-risk and not readily addressable should be on a watch list. 

Free to innovate 

All of this, from the compilation of the asset inventory to the patching actions, should be automated where 

possible. Several tools today are capable of automatic asset discovery and policy-based patching. 

Overworked CISOs and their embattled teams represent the most overlooked security issue in the post- 



pandemic era. By empowering professionals with the tools needed to automate the mundane, we free 

them to become more effective threat hunters. 

Once the basics are in place, organizations will be better placed to meet regulation and compliance 

obligations. Policies alone will not allow you to prepare the reports required by auditors. And good 

intentions will not satisfy the strict requirements of standards such as PCI-DSS. The good news is cloudservice 

providers and other vendors are beginning to provide controls such as MFA and DNS security, 

and are even offering training sessions for end users to prepare them for the hybrid-work future. 

But chasing the regulators in a constantly reactive mode makes for poor security strategy. There is no 

substitute for gaining a deep and broad understanding of your organization’s environment and selecting 

the visualization and automation tools that best fit your circumstances, your architecture, and your 

business goals. Getting the basics in place – asset inventory, vulnerability management, and user 

awareness – will give you a strong foundation to secure your digital estate. 

What next? 

Once you have mastered your environment, you can turn your attention to some of the latest policies and 

tools that are being deployed against cybercriminals. Many of the headline-grabbing incidents that we 

have seen would not have occurred but for a lapse in the management of privileged credentials. 

SolarWinds’ Orion, for example, uses privileged access to connect to other systems, which is how 

attackers were able to compromise so many other organizations. Privileged access management (PAM) 

is an emerging technique that allows CISOs and their teams to stipulate how accounts connect to 

environments, using policies such as session monitoring, password rotation, least privilege, just-in-time 

provisioning, and the elimination of shared accounts to keep estates safe while avoiding hits on employee 

productivity. 

Other practices include Zero Trust, which has become something of a hot topic. Allowing everything in, 

and assuming all processes to be suspect until they can prove themselves otherwise, is an approach that 

shows how far removed we are from the recent past. Here, we not only assume we are going to be 

attacked; we assume we already have been. It is a grim yet justifiable assumption that accurately reflects 

the world in which we now live. 

Do not dismay, however. The headlines of horror may imply an inevitability in becoming a cyber-victim, 

but their postmortems also show a path to risk remediation. There are tools you can procure, policies you 

can enact, and action you can take that will ensure that your organization’s name is not the next to be 

splashed across media pages. 




Omar Zarabi Founder and CEO of Port53 Technologies. 

Growing up in a small, family-run organization, I saw firsthand the 

challenges the ever-changing technological landscape presented to 

resource-restrained IT teams. With a BA in Economics from UC Davis, I 

started my cybersecurity career at OpenDNS, where I was responsible 

for delivering the DNS security solution to small and mid-sized 

businesses in the US and Asia. I worked with thousands of IT 

professionals in the SMB space, and truly learned their biggest pain 

points, especially as it pertained to cloud adoption and cybersecurity - 

two rather new and fluid trends in the SMB IT space. 

In September of 2016, a little over a year after Cisco acquired OpenDNS, 

I founded Port53 Technologies and its CEO. Port53 is focused on 

delivering enterprise-grade, cloud-delivered security solutions that are 

easy to deploy, simple to manage and extremely effective, helping 

customers not only get a big-data and predictive approach to security, but also a more integrated and 

automated approach. 

Omar Zarabi can be reached online at (Twitter, Facebook, Linkedin ) 

Port53 at Port53 (Facebook, Twitter, Linkedin, Youtube) 



Have We Learned from Our Past Mistakes to Prevent 

Future Cyberattacks? 

By Marc Packler, President, CISO Advisory, Silent Quadrant 

Gartner’s article, “The Top Cybersecurity Predictions for 2021-2022,” contains a quote from philosopher 

George Santayana: “Those who cannot remember the past are condemned to repeat it.” Reading the 

article made me ponder whether we, as cybersecurity practitioners, actually do learn enough from our 

collective cybersecurity past to effectively protect present activities and to anticipate and meet future 

threats. 

Have we really learned from our past? Because protecting the cyber realm is such a broad duty, I would 

have to say the answer is not yes or no, but it is yes and no. As a society, it appears we’ve embraced or 

at least acknowledged the ease with which cyber criminals can manipulate enterprise systems, and we’ve 

generally accepted the risks-to-consequences ratios in both our personal and professional lives. As a 

result, many people take some measures to protect their personal home networks, but ultimately many 

just don't think they will be the victim of a cyber attack. So, I would say that yes—most people have 

learned that they need to protect themselves in some ways—but I would also say no to whether they 

generally do enough. Similarly, the overwhelming majority of corporations have run risk analyses 



egarding the use (or not) of various cybersecurity measures against their cost, and most have chosen 

to implement at least some protective measures. So, yes, the corporate world has learned that not taking 

measures to safeguard their networks would likely negatively impact their bottom lines at some point; 

however, I would again say no to whether they generally do enough or to whether they’re generally using 

the appropriate tools. 

Also, why do we still need to tell a story about cybersecurity to change corporate culture and get serious 

funding for security? Just walk around your organization, and everyone is on the network. Without it, little 

work gets done and productivity drops significantly. If this tool is so important, why do we not treat it as 

such? If Gartner’s data is accurate, lessons are coming slowly to many corporations: 

• By 2025 ONLY 40% of boards of directors will have a dedicated cybersecurity committee 

• By 2025, ONLY 70% of CEOs will mandate a culture of organizational resilience to combat threats 

Another lesson still being taught: Do most corporations know they should be enforcing updates for known 

security vulnerabilities that have been documented and announced by respective cyber communities to 

keep us all safe? The answer is yes, but do most of them do enough or do it effectively? That answer is 

no. Otherwise, consistently updating computers and keeping them current with the latest patches/security 

fixes across the enterprise would stop 99% of vulnerabilities exploited to date. 

Inconsistent system updates greatly expand cyber vulnerabilities and risks. If this is known and 

understood, then why is it seemingly so difficult to succeed at attaining effective cybersecurity? It’s 

because many companies don’t effectively cultivate three critical components of their cybersecurity 

processes: 1) people, 2) culture and 3) technology. We must have people who follow the security 

processes, a corporate cyber culture that supports its people and the processes, and the technology to 

implement the processes, when necessary. 

If we agree these are three critical components of effective cybersecurity processes, then we must 

remember that people are trainable; the culture can be fixed with training and leadership from senior 

management; and technology is constantly adapting with the use of artificial intelligence and machine 

learning. Strengthening cybersecurity processes through people, culture, and technology costs 

corporations valuable time and money, so it’s wise to use these three resources in the most practical and 

beneficial ways possible. This often means that the latest and greatest technologies or programs aren’t 

actually necessary to achieve effective cybersecurity. 

As an example, look at zero trust. It is an architecture and not a technology, but the cybersecurity industry 

very often wants customers to buy all new equipment to implement zero trust. This ends up helping the 

bottom lines of the said cybersecurity companies, but are organizations any safer? That is often arguable, 

but even newer tools have no better chance of succeeding than in the past unless the people using them 

use them appropriately, born out of a culture that teaches and supports such use. 

Aside from malicious actors themselves, if we believe people, or network users, are one of the biggest 

threats in the cybersecurity realm, an immediate and cost-effective fix is to engender a culture of 

cybersecurity professionalism in our everyday users. Train the users to not only prioritize necessary 

updates on their systems but to follow other cyber hygiene measures regarding the use of email, the 



internet, etc. How much training is sent to the employees? Is it completed, and is it a priority? Do the 

employees understand the risks associated with not following proper cybersecurity processes? And is 

the example of being a good cybersecurity steward exemplified from the top down—does it begin at 

senior levels within the company? This is often the best way for culture to be impacted. A great example 

of how senior levels can set the example can be taken from Netflix and the implementation of their leave 

policy, which is to say they have no complex leave policy. As long as people complete their work and 

don’t leave anyone else in the lurch, employees may take leave when and where they’d like. Employees 

were initially disbelieving; however, when Reed Hastings, the chairman of Netflix, and the leadership staff 

posted photos of their respective vacations, it changed the culture quickly because everyone could see 

the boss was embracing the company’s approach to leave. This leave approach certainly wouldn’t work 

in all organizations, but that is beside the point. It’s an example of how leaders in an organization can 

positively influence their employees. 

With predictions that threat actors will weaponize operational technology environments to cause human 

casualties by 2025, and with the influx of over-the-air updatable programmable logic controllers and 

continued malicious attacks on our SCADA networks, it’s more imperative than ever to learn from and 

apply the cybersecurity lessons of the past. We are starting to see more broad negative effects of 

breached or attacked systems on administrative networks today. Not only may companies have to stop 

operations temporarily, but entire supply chains can be affected, which ultimately can affect the entire 

country. 

As IT and cybersecurity professionals, it's our duty and challenge to push industry executives to prioritize 

cybersecurity as a high-interest item in the funding drills corporations exercise yearly. We must motivate 

them to continue to bake-cybersecurity-in from the initial design and conception phases of budgeting 

versus tacking it on at the end of the process. To prevent cyber attacks such as those on Sony in 2014 

or more recent examples such as Colonial Pipeline or JBS meat processing, we must use all the tools at 

our disposal and more effectively apply the cybersecurity lessons of the past. This means not only 

budgeting and applying funds to cybersecurity but also cultivating strong cybersecurity processes via 

three main components: people, culture and technology. As Gartner pointed out, “99% of vulnerabilities 

exploited will continue to be ones that teams knew existed.” 




(Source attribution: Silent Quadrant) 

Marc is the President, CISO Advisory at Silent Quadrant. He is a widely 

acknowledged subject matter expert and public speaker on matters of digital 

protection and risk management. 

Pioneering, innovative, highly accomplished, and decorated, Marc leverages an 

immense and diverse skillset – derived over the course of his 25+ year career in 

the United States Air Force – to positively impact digital security, digital 

transformation, risk management, and strategic operations within organizations 

across a vast array of industries. 

Achieving the rank of Colonel, Marc’s rich military career included assignments as: 

• Commander, Air Force Cyberspace Capabilities Center 

• Commander, 375th Communications Group 

• Director, Legislative Affairs, United States Cyber Command 

• Commander, 2nd Communications Squadron 

• Executive Officer, Office of Warfighting Integration 

• Congressional Fellow for Senator Ben Nelson (Nebraska) 

• Fellow, Center for a New American Security 

With digital security at its core, Marc’s experience within both the public and private sectors spans 

executive leadership, digital transformation, artificial intelligence, machine learning, robotics, 

governance, and legislative affairs, among many other areas. Marc maintains the prestigious credentials, 

CompTIA Advanced Security Practitioner (CASP+), Certified Information Systems Security Professional 

(CISSP), Certified Information Security Manager (CISM), as well as Project Management Professional 

(PMP), and Masters’ Degrees in both National Security Strategy and Management Information Systems. 

Marc can be reached on the Silent Quadrant website, LinkedIn or email marc@silentquadrant.com. 

(Source attribution: Silent Quadrant) 



How to strengthen cyber resilience with Unified BCDR 

By Joe Noonan, General Manager, Unitrends and Spanning 

Cybercrime and hybrid work environments prompted by the pandemic have significantly impacted the 

way organizations protect and store their data. Data is living in multiple places, and backups now must 

protect data centers, endpoints, multiple clouds and SaaS. More than ever, IT professionals need to 

incorporate unified business continuity and disaster recovery (BCDR) plans into their cyber resilience 

strategy to protect the organizations they serve. 

Cyber resilience goes beyond firewall and patching. It refers to how well an organization responds to 

cyber threats and involves a strategy that accounts for planning, detecting, defending and responding in 

case of an attack. There is also a clear process in place for recovery and business continuity. 

It is difficult for IT professionals to find time for cyber resilience planning when they’re juggling so many 

other responsibilities. But not having a strategy in place can be disastrous for an organization. 

Terms to Know 

When it comes to BCDR, there are two terms that will guide your cyber resilience strategy – recovery 

time objective (RTO) and recovery point objective (RPO). RTO is the amount of time it will take to have 

the business back online. RPO refers to how much data an organization can afford to lose as it pertains 

to time or amount of information. The RPO for a bank, for example, would be close to zero because as 

soon as the system goes down, hundreds, even thousands of transactions can take place. A bank cannot 

afford to lose this information and it would be difficult to recover if the IT environment is non-operational. 

One way to think about RPO is the more difficult it is to recover data, or create it from scratch, the shorter 

RPO an organization will need to have. Once both RTO and RPO are established, it’s time to look for a 

unified BCDR tool. 



What to look for in a solution 

Cybercriminals are becoming more cunning, driving the need for backup and recovery. A successful 

backup can eliminate the impact of a cyberattack. Cybercriminals know this so they look for alternate 

ways to disable, encrypt and delete those backups. An efficient unified BCDR solution is built on hardened 

Linux – not Windows – so it is not as vulnerable. Another way to fend off cyber criminals is by storing 

offsite data in an immutable format, which makes it untouchable and prevents attackers from making 

changes to it. 

Additionally, there are innovative backup appliances that can protect data wherever it lives. Today, there 

are appliances that provide powerful data protection and fit in your pocket! These solutions are perfect 

for small-office settings or even home offices since they do not require a server rack. They are extremely 

quiet and come with built-in software tests recoverability right on the box. This ensures data will be 

available whenever needed. 

AI saves time 

Organizations should look for solutions that use artificial intelligence (AI) and machine-learning to identify 

suspicious activity and alert administrators to possible ransomware before it spreads. AI has multiple 

benefits, among them, allowing IT professionals to cut wasted time on false alerts and backup 

remediation by up to 50%. An AI-powered assistant can think the way a technician does, prioritizing 

issues in the most critical systems so your actual technicians can focus on what matters most. 

Another thing to keep in mind when considering a unified BCDR solution is opting for tools that include 

anti-phishing options to protect against credential compromise and account takeover attacks. People are 

the first line of defense, and they may accidentally put an organization at risk if they lack security training. 

An effective tool maximizes productivity 

A unified BCDR solution should offer a single view of the entire data landscape, so technicians do not 

have to move between multiple systems. This saves them time and decreases room for error. Another 

way a BCDR tool can maximize productivity is through automation. Technicians can spend more than a 

quarter of their day monitoring, managing and troubleshooting backups. Automated solutions proactively 

fix common problems in the backup environment, therefore pulling double duty by saving technicians 

time and securing the environment. 

Don’t let compliance fall through the cracks 

Some organizations operate in highly regulated industries such as government or healthcare, which 

mandate how data must be secured. Regardless of the industry, most companies must adhere to 

compliance standards, especially if they want to be approved for cyber insurance. Part of a cyber 

resilience plan includes policies around data retention and automated backups to guarantee compliance. 

Organizations must be prepared to properly store, archive and recover compliance data as a proactive 

measure. 



A BCDR solution with automated disaster recovery (DR) testing capabilities also helps with executing 

service level agreements (SLA). It allows organizations to schedule a time and specify the systems that 

need to be tested and then takes care of it automatically. If a test identifies an SLA cannot be completed, 

adjustments can be made, and tests run again to check if the changes worked. This type of testing 

protects against unplanned downtime. 

Regardless of where data lives, a unified BCDR solution can help IT professionals reinforce their 

organization’s cyber resilience, free up time to focus on more important tasks, adhere to compliance 

regulations and ensure SLAs are met. 


Joe Noonan is the General Manager of Unitrends and Spanning. Joe 

has spent over 18 years delivering hardware and software technology 

solutions for virtualization, cloud, data protection, and disaster 

recovery. He has worked for Unitrends since 2010 driving its software 

product strategy for data protection, recovery automation, and cloud 

disaster recovery and migration. Joe has also held roles in developing 

technology alliances and is now the GM for the backup and DR suite at 

Kaseya, which includes Unitrends, Spanning and Kaseya-branded 

backup solutions. Joe can be reached at unitrends.com/contact. 



3 Cybersecurity Certainties for 2022 

By Bill Moore, XONA 

As businesses transitioned to hybrid work models in 2021, critical integrations between IT and OT 

technologies introduced new vulnerabilities that threat actors exploited with shocking frequency and 

effectiveness. 

This was especially true for manufacturers, energy producers, and utilities, which increasingly rely on 

remote operations capacity to empower distributed teams to engage physical infrastructure from 

anywhere in the world. As a result, many organizations experienced an ICS/OT cybersecurity incident in 

the past year, costing companies millions of dollars in recovery and opportunity costs. 

With everything from ransomware attacks to data breaches becoming more prevalent and impactful, it’s 

even more important that those charged with protecting critical infrastructure enhance their defensive 

postures to meet the moment. As they reflect on their cyber readiness and plan for the year ahead, here 

are three cybersecurity certainties that should guide their decision-making processes. 



1. Cybersecurity Incidents Will Become More Expensive 

Cybercrime is big business, collectively netting more than $1.5 trillion annually, making it more valuable 

than many of the biggest companies in the world. Money is the main motivator for today’s threat actors, 

who often view cybercrime as a low-risk, high-reward financial opportunity. 

Therefore, companies shouldn’t be surprised that cybersecurity incidents are becoming more expensive. 

Most notably, ransomware payments are soaring. In 2018, the average ransomware payment 

approached $7,000. By 2020, many companies were paying more than $200,000. This year, the average 

ransomware payment increased by 518 percent, a shocking surge reflecting digital infrastructure’s 

centrality for many companies' operational continuity. 

At the same time, the cost of a data breach reached a record high in 2021, surpassing $4 million for the 

first time. With cybersecurity insurance premiums similarly increasing, rapidly, companies are left with 

little recourse for mitigating the cost of a cybersecurity incident. 

While companies may be tempted to rely on previously purchased IT-focused cybersecurity products, 

the rising costs of failure are a reminder that investing in an OT-specific cybersecurity solution is an 

investment with tremendous returns. 

2. Failure to Secure Digital Infrastructure Will Have Real-world Implications 

In 2021, cybersecurity failures interfered with manufacturing operations, exposed sensitive data, and 

eroded brand reputation. Cybersecurity incidents will have even more heightened real-world implications 

that put people at risk in the year ahead. 

For example, looking to leverage access to company networks, ransomware gangs are exfiltrating 

company data, raising the stakes for victims while increasing their leverage to extract high payouts. This 

trend will continue in 2022, compounding the consequences of a cybersecurity incident. 

Most importantly, as manufacturers, energy producers, and utilities continue integrating IT and OT 

systems, cybersecurity incidents put public safety on the line. A 2021 event in Oldsmar, Florida, where a 

threat actor capitalized on an IT vulnerability to access OT capabilities in an attempt to poison the city’s 

water supply, is emblematic of the challenges many companies and municipalities face. 

This year, cybercriminals demonstrated the capacity to instigate fear, uncertainty, and chaos, causing 

long gas lines, production shortages, and close encounters that make it clear that companies need to 

prepare for the failure to secure digital infrastructure to have real-world implications in 2022. 



3. Threat Actors Will Continue to Evolve 

Cybercriminals are agile, always ready to adapt to exploit new vulnerabilities and circumstances to 

maximize impact. 

For instance, in November 2021, the Federal Bureau of Investigation (FBI) released a memo to 

companies completing “time-sensitive financial events,” noting that threat actors are targeting these 

organizations with ransomware attacks, looking to capitalize on the high-stakes, urgent nature of their 

work to extract timely payments. 

It’s likely that cybercriminals will look to exploit manufacturers, energy producers, and utilities in the same 

way. However, this tactical adjustment is a reminder that threat actors are continually evolving, and 

companies need to change too. 

Especially as companies continue to adopt experimental workplace arrangements, they need to be more 

mindful than ever of the ways these changes expose their digital infrastructure to evolving threat trends. 

Cybersecurity Risks May Be Likely, But the Prepared Are More Likely to Succeed 

Effective cybersecurity practices don’t happen by accident. They are the result of careful assessments, 

intentional planning, and successful implementation. 

The past year was uniquely challenging as threat actors too often gained the upper hand, exploiting new 

vulnerabilities in IT and OT integrations to wreak havoc among critical infrastructure. Their continued 

success isn’t inevitable, making today the right time to prepare for tomorrow’s challenges. 


Bill Moore is the CEO and Founder, XONA, providers of a unique 

“zero-trust” user access platform especially tailored for remote 

Operational Technology (OT) sites. Bill is currently working with 

global power, oil and gas, and manufacturing customers to reduce 

their remote operations costs and cyber risks. Bill brings more 

than 20 years’ experience in security and the high-tech industry, 

including positions in sales, marketing, engineering and 

operations. 



Is XDR The Right Solution for Today’s Security Threats? 

Defining XDR’s Role in the Security Stack 

By Steve Garrison, VP Marketing, Stellar Cyber 

XDR and Open XR are two of the latest buzzwords in the cybersecurity tools market, but there are many 

definitions of XDR and several approaches to delivering it. Let’s clear the air a little. 

In general, cybersecurity products use preventive physical and software measures to protect the network 

and its assets from unauthorized access, modification, destruction, and misuse. These products typically 

protect specific assets on the network: 

• Firewalls: prevent unauthorized users from accessing the network by allowing or denying traffic. 

• Anti-Virus/Malware software: protects network endpoints and servers from becoming infected 

by damaging software that can corrupt files, export sensitive data, or perform other malicious 

activities. 

• Application Security: systems look for and block vulnerability points in application software. 

• Network Access Control: systems manage access permissions for authorized users and 

devices, preventing unauthorized users from gaining access. 

• User Behavior Analytics: solutions monitor user activity, baseline normal behavior, and alert on 

activities that deviate from normal activity. 

• Network Traffic Analysis: Network Detection and Response (NTA/NDR) products analyze 

network traffic, look for abnormal patterns that can indicate attacks, and act based on the results. 

Network traffic does not lie and contains strategic data for threat detection. 

• Cloud Security: solutions protect resources in the cloud. 

• Intrusion Prevention Systems (IPS): monitor for and block attacks from outside users or 

processes that get past the firewall. 

• Security Information and Event Management (SIEM): SIEM products collect data from various 

device logs on the network and can monitor for anomalies. Traffic-based NTA/NDR products 



complement SIEMs by analyzing logs and acting. In fact, NTA/NDR is critical to advancing 

visibility beyond logs. 

As you can see, there’s a lot to protect in a network, and a lot of approaches to protecting it. But rather 

than having a dozen or more point solutions (each with its own interface console) to manage, wouldn’t it 

be easier, faster, and more efficient to have just one? That’s where XDR / Open XDR comes in. 

Definitions of XDR 

Initial definitions of XDR – eXtended or Everything Detection and Response – envisioned it as a single 

platform that unifies detection and response across the entire security kill chain. The idea is that instead 

of manning a dozen or more separate security consoles to monitor and protect the network, XDR unifies 

the telemetry from those tools and presents it in a single dashboard. The more advanced products not 

only unify the data, but also correlate and analyze it automatically to present a prioritized list of threats 

with recommendations about how to neutralize them. 

So how does the market define XDR, specifically? That depends on who you ask. According to Rik 

Turner, a lead analyst at Omdia who coined the XDR acronym, XDR is “a single, stand-alone solution 

that offers integrated threat detection and response capabilities.” To meet Omdia’s criteria to be classified 

as a “comprehensive” XDR solution, a product must offer threat detection and response functionality 

across endpoints, networks, and cloud computing environments. 

Gartner’s definition is similar in that it points to features such as alert and incident correlation, built-in 

automation, multiple streams of telemetry, multiple forms of detections (built-in detections), and multiple 

methods of response. However, Gartner requires XDR to be achieved through consolidating multiple 

proprietary, vendor-specific security products. 

Forrester’s definition of XDR requires the platform to be anchored around an EDR. It defines Native XDR 

as EDR integrating with a vendor’s own security tools; Hybrid XDR as EDR integrating with third-party 

security tools; a SAP (Security Analytics Platform) as a platform without built-in EDR, but with built-in 

NAV and SOAR with third-party integrations; and SSA (Standalone Security Analytics) as those platforms 

that rely solely on third-party tools for telemetry sources and responses. 

Open XDR 

Open XDR was initially created by Stellar Cyber with the same features Gartner mentions, except that 

not all the security products/components have to be from the same vendor. Instead, the platform is open 

and integrates with third-party security tools. Some components are built-in, and others are added 

through deep third-party integrations. 

The Open XDR moniker was later picked up by vendors who purely rely on a wide ecosystem of thirdparty 

tools for telemetry sources and response, but who don’t offer any built-in components. 



How Open XDR Helps 

Open XDR addresses a key reality in organizational cybersecurity infrastructures, which is that 

companies have already invested heavily in security tools, and they don’t want to have to abandon those 

investments to adopt XDR. Rather, Open XDR allows companies to leverage these existing investments 

while making them more valuable by automatically correlating their data with data from other tools and 

sensors. 

In addition, the more advanced Open XDR platforms leverage AI and machine learning to cut down on 

analysts’ “alert fatigue.” Instead of managing thousands of alerts from a dozen or more tools, XDR 

combines related alerts into higher-level incidents and automatically dismisses many alerts based on 

what it “learns” to be normal behavior in any given environment. 

Given the rising tide of cybersecurity attacks affecting every type of organization, combined with a global 

shortage of cybersecurity analysts and high analyst turnover rates and burnout, any solution that 

improves protection along with analyst productivity is welcome indeed. That’s the real promise of XDR. 


Steve can be reached online at sgarrison@stellarcyber.ai and at our 

company website http://stellarcyber.ai. 



Why the Future of Threat Detection and Prevention is 

Unified Security and Risk Analytics 

Why True AI/ML Capabilities are Essential for Next-Gen Risk Analytics 

By Sanjay Raja, VP of Product Marketing at Gurucul 

As cloud adoption continues to grow and remote work becomes the new normal, security teams are 

facing increased challenges with decreased visibility and a larger influx of security event data. As 

ransomware attacks continues to rise (i.e., recent SonicWall data showed 148% increase through Q3’21), 

SecOps teams are struggling to identify attacks before damage is done. As a result, they’re chasing 

solutions that accelerate detection and response, while increasing operational efficiencies. 

Unfortunately, in many cases vendor claims only provided minimal improvements that are not keeping 

pace with the today’s threat actors. Traditional SIEMs and Endpoint-focused XDR are not fulfilling the 

promise of reducing the burden on understaffed security teams. The volume of alerts and false positives 

make it an uphill battle. For organizations wanting to reduce cyber risk across the on-prem, cloud, and 

remote infrastructures commonly supported today, security teams need to leverage unified data 

collection, a multitude of analytics, non-rule-based Machine Learning (ML) and Artificial Intelligence (AI), 

consolidated investigation interfaces, and targeted automation for faster response. 



A very small set of next-gen SIEM solutions are innovating through more unified security and risk 

analytics capabilities that are crucial for success today. In this article, I’d like to explore why the future of 

threat detection and response is stemming from these new advancements. 

SIEM was initially designed primarily for log collection and storage for compliance, then evolved to include 

the correlation of more log data sources for threat detection. Over time that functionality increased to 

integrate log, network, and endpoint data into a single location and match it up with security events. This 

helped analysts investigate commonalities or groups of related events. And as rules were developed 

around these related events, the SIEM could help to detect known threats. 

Then came the rise of the terms like Machine Learning and Artificial Intelligence (ML/AI) – offering the 

promise of a silver bullet to solve threat detection and response. However, these terms were commonly 

misused and in reality were just rule-based analytics engines that would conditionally gather more data 

for greater context. However, as attackers stayed hidden inside the network longer, rule-based analytics 

often failed to correlate seemingly disparate events across time and continued to focus on known attacks. 

As a result, new, unknown, and emerging attacks and variants were easily able to avoid detection. 

Furthermore, SIEM were also traditionally plagued by the lack of cloud-native offerings that were built to 

handle both cloud and hybrid infrastructures equally. 

Today, newer advancements in SIEM are focused in several areas designed to make it the primary 

platform for the security operations center (SOC). This includes security monitoring, improved threat 

detection, and playbooks to drive faster response. Many EDR, XDR and SIEM solutions that claim to use 

ML/AI continue to use rule-based engines with finite models, patterns and signatures that are not updated 

fast enough when new attacks are discovered. 

However, there are next-gen SIEM solutions incorporating unified security and risk analytics that are 

taking the extra step to deliver out-of-the-box advanced data modeling across cloud, user, network, asset, 

endpoint, and log telemetry. The few that offer true ML/AI can automatically detect new, unknown, and 

emerging attacks, including subtle variants. Along with an understanding of user access and entitlements, 

behavioral modeling, and risk metrics, the end goal of next generation SIEM is to streamline every facet 

of the SOC. This includes reducing noise and false positives, prioritizing which IoCs need to be 

investigated, consolidating data for easier investigations, and providing a high confidence, low-risk 

automated response to prevent a successful attack. 

What does that mean? Let’s look at the key elements of unified security and risk analytics in a nextgeneration 

SIEM. 

• Unified Correlation, Continuous Risk Profiling and Behavioral Anomaly Detection – A Nextgeneration 

SIEM must unify data collection across the entire infrastructure, on-prem, cloud and 

remote, by gathering endpoint, log, user, access, entity/asset, network, and other data to provide 

greater context. With risk profiling applied to abnormal behaviors, a behavior-based risk can be 

calculated to elevate which events are truly relevant for investigation, or can even be used to 

determine an immediate threat with conviction. This shrinks the noise created by false positives 

and provides more context to enable a much more targeted response, ideally before an attack 

campaign starts to establish itself. 



• Identity and Access Analytics – Next-gen SIEM uses Identity Analytics (IdA) leveraging data 

science that monitors for and identifies risky access controls, entitlements, user behaviors, and 

associated abnormal or deviant activity. These types of advanced analytics data can also serve 

key indicators for provisioning, de-provisioning, authentication, and privileged access 

management by IAM teams. IdA surpasses human capabilities by leveraging machine learning 

models to define, review and confirm accounts and entitlements for access, and works with risk 

analytics to prioritize suspicious activity as more malicious. 

• Cross-Channel Fraud Prevention – Next-gen SIEM offers modern fraud detection capabilities with 

the ability to link data from a multitude of sources to provide a contextual view of what’s happening 

in the environment. Such platforms highlight anomalous transactions based on historic user and 

community profiles so analysts can initiate investigations or execute automated remediation 

actions. It analyzes online and offline activity, including public records, contact center interactions, 

point of sale transactions, ATM transactions, and more. It mines and normalizes data and then 

creates a risk score for fraud and abuse which can be used for real-time decision making. 

The ability to combine these elements to best suit the needs of an organization offer SecOps power and 

flexibility when protecting users and the business from data exfiltration, cyber fraud, privilege access 

abuse, account compromise and more – using behavior and context. As a result, teams can prioritize 

risks and alerts, quickly investigate problems, automate risk response, have a comprehensive view of 

case management, conduct contextual natural language search and more, all consolidated into a single 

management console. 

As the consolidation of security capabilities continues, providers are working to layer on more capabilities 

to further unify security, including UEBA, SOAR and XDR. They’re also working to provide better security 

and to lower capital and operational requirements, including scaling, training, management, and 

maintenance. In addition, security operations teams have long invested and been focused on external 

threats. This has led to a lack of monitoring for insider threats. As part of the foundation of a successful 

security program, teams must monitor for both external and internal threats. And a mature UEBA set of 

capabilities should be incorporated to fully protect the organization. 

What questions should you be asking today about your SIEM or to your SIEM provider? 

• How is the SIEM platform delivered? The ability to run as a collection of services entirely within 

the cloud makes it ideal for risk analysis of security data. Organizations have the advantage of 

aggregating and analyzing data from worldwide sources in a single application instance. These 

platforms must also scale (both up and down) to accommodate varying workloads. Furthermore, 

a cloud-native solution is often easier to maintain over time since the vendor can perform 

upgrades quickly, and in real-time. 

• Do they offer open analytics and allow teams to easily modify and build customer ML models? 

Open analytics are critical for security teams to be able to customize their ML models to suit their 

specific needs or build their own models. It’s important to understand exactly what goes into a 

model to be confident in its output. With black box analytics, results must be taken on faith since 

nobody knows how the answers are obtained, or if the results are valid. 



• What are my options for data lake? Where and how data is stored is a critical factor in the flexibility, 

speed, quality, and cost of security data processing, ingestion, and storage. Open choice of big 

data offers major economic advantages over traditional data warehouses for scaling to terabytes 

or petabytes. It’s imperative that a SIEM platform works with what you already have or plan to 

purchase versus being locked into a proprietary vendor data lake. 

• What does the risk modeling approach look like? Look for a platform that offers self-learning, selftraining, 

and contextually aware algorithms that score every transaction as they’re evaluated in 

near real time. This requires a comprehensive risk engine that performs continuous risk scoring 

and can provide real time risk prioritized alerts for incident analysis. The risk scoring framework 

needs to roll up risk scores from multiple contributing elements (with the ability to deliver 

normalized user and entity risk scores). As a result, a finite number of targeted response actions 

can be defined that are both targeted and driven by high-fidelity automation, and thereby 

accelerating threat response. 

SIEM is not just about ingesting data sources. To empower security teams these solutions must deliver 

a variety of capabilities. This includes providing actionable context of the ingested data, reducing noise, 

and identifying and prioritizing the right events associated with an attack. It also means delivering highly 

accurate and targeted investigation capabilities with confirmation of the attack and high-confidence 

automated responses. Finally, these solutions need to thwart the successful detonation of ransomware 

or the execution of the main attack purpose (corruption, disruption, or theft). 

A next-generation SIEM with unified security and risk analytics should be the core of a successful security 

operations program. Security teams must evaluate innovative technologies that continue to improve and 

consolidate analytical capabilities to provide a more usable platform that also improves the ROI of the 

SOC program. 


Sanjay Raja brings over 20 years of experience in building, marketing 

and selling cyber security and networking solutions to enterprises, 

medium-to-small business, and managed service providers. 

Previously, Sanjay was VP of Marketing at Prevailion, a cyber 

intelligence startup. Sanjay has also several successful leadership 

roles in Marketing, Product Strategy, Alliances and Engineering at 

Digital Defense (acquired by Help Systems), Lumeta (acquired by 

Firemon), RSA (Netwitness), Cisco Systems, HP Enterprise 

Security, Crossbeam Systems, Arbor Networks, Top Layer 

Networks, Caw Networks (acquired by Spirent Communications), 

Nexsi Systems, 3Com, and Cabletron Systems. Sanjay holds a 

B.S.EE and an MBA from Worcester Polytechnic Institute. 

Sanjay can be reached online at our company website https://gurucul.com 



Tips And Trends for OT Cybersecurity In 2022: More 

SOAR, Cyber Hygiene And Renewed Compliance 

By Peter Lund, Vice President of Product Management at OT security company Industrial 

Defender 

As of February 2022, we’re already witnessing an increased focus on OT cybersecurity — and for good 

reason. The Biden Administration has announced a new plan to secure U.S. water systems from 

cyberattacks, an unfortunate signal that bad actors are targeting utilities and threatening what Americans 

typically view as guarantees. Water, gas, and electricity are all at risk of being contaminated, interfered 

with, or even halted, as was the case with the Colonial Pipeline ransomware attack. 

Despite the imminent threats, I predict the below trends will help security professionals protect OT 

systems this year: 

Reinforcing today’s standards of security 

In 2022, we’ll see traditional managed security service providers offer OT services to stay at the forefront 

of the industry. This trend is already apparent with Deloitte's recent acquisition of OT security provider 

aeSolutions. 



Additionally, we’ll witness the return to basic hygiene and reliance on preventative controls over threat 

intelligence. Threat intelligence is a go-to strategy for many in the industry. However, knowing what bad 

actors exist has little benefit for enterprises if they don't know if the doors and windows (firewalls and 

remote access) of their organization are locked. I would go as far as saying is many organizations still 

don't know how many doors and windows they have. Taking a step back, 2022 will welcome a renewed 

focus on basic hygiene. 

Introducing OT cybersecurity's 2022 innovations 

Security Orchestration, Automation and Response (SOAR) is standard practice in IT. As the year 

continues onward, we'll see more OT cybersecurity experts lean on these guidelines within their own 

practice. 

Additionally, OT passive monitoring solutions will need to expand active data collection capabilities. Many 

enterprises rely on outdated monitoring solutions that don't account for real-time data collection. To better 

manage OT assets, it will be crucial to expand data collection capabilities. 

Finally, Software Bills of Materials (SBOMs) will remain trendy, but adoption will lag because of OEMs. If 

the ongoing log4j vulnerability saga has taught us anything, it’s that SBOMs are not optional. 

Unfortunately, until we get buy-in from the major OEMs that supply the hardware and software that keep 

the lights on, customers and security vendors will be behind the eight-ball when it comes to data accuracy 

and integrity. Hopefully log4j will be a catalyst to get the industry to agree on a standard for publishing 

and sharing SBOM data. 

Focusing on the big picture 

As alternative energy sources gain prominence, we'll see an increased focus on OT security for 

renewable energy sources, by and large renewables have been able to fly under the radar when it comes 

to regulations like NERC as well. As we become more and more reliant on renewables we need to ensure 

that they are protected, hopefully before a catastrophic event causes a widespread outage. 

As more industries work to stay compliant, the U.S. government will simultaneously double down on the 

NIST Cybersecurity Framework for standard cybersecurity controls. In 2022, we can expect NIST to 

continue to provide additional updates and recommendations as it aims to standardize cybersecurity 

controls. The NIST Cybersecurity Framework is essential for enterprises looking to check its 

cybersecurity boxes. 

What’s next? 

Organizations have reason to be wary of cyberattacks in 2022, but security professionals can breathe a 

sigh of relief when tackling the year with a strategic, three-pronged approach. Enterprises must revisit 

basic hygiene measures, adopt the latest and greatest tools to stay protected, and remain focused on 



the big picture of what’s going on across the United States and in the industry as a whole. Bad actors are 

out to cause disruption, but organizations can stay protected with these tips and trends in mind. 


Peter has a strong technical and business background with over 15 

years of experience working with and for IT and OT product companies. 

Over the last five years, Peter was instrumental in bringing new features 

to the market for Industrial Defender. In addition to his product 

management role, he utilizes a wide range of experience in application 

development, systems engineering and marketing. Prior to working with 

Industrial Defender, Peter held roles at Dell EMC, Schneider Electric 

and KVH Industries. 



Top 10 Reasons Cyber Defense Firms Should Hire 

Veterans 

Technology expert and former military intelligence officer shares insight on the valuable skills 

that veterans can bring to the cybersecurity industry 

By Bryon Kroger, Founder of Rise8 

Following the onset of the global pandemic, the number of data records compromised by cyberattacks 

more than doubled from the year prior, from some 15,432 in 2019 to over 37,000 in 2020. Last year, in 

2021, malicious cyberattacks remained a present threat as hackers attacked the Colonial Pipeline with 

ransomware, and CISA director Jen Easterly noted a massive flaw in Apache’s Log4j logging library that 

potentially left hundreds of millions of user devices vulnerable. 

Unfortunately, as the real and present threat of additional attacks and vulnerabilities continues to 

increase, and the technology used in successful attacks and data breaches becomes more sophisticated, 

the cybersecurity industry remains heavily understaffed. According to the National Initiative for 



Cybersecurity Education, the global shortage of qualified cybersecurity personnel is approaching nearly 

3 million. 

With such a massive shortage of workers, cybersecurity leaders and professionals should look to hire 

one sector of the US workforce where applicants are not only in high demand, but also where many are 

already certified or qualified in cybersecurity—veterans. In this article, I will list my top 10 reasons and 

explain why firms should hire veterans to address critical gaps in their workforce and cybersecurity 

defenses. 

1. Veterans are accustomed to the responsibilities of leadership 

Whether it’s the lessons learned from the first week of boot camp, the first night of a field operation, or 

the morning before giving a briefing, military service trains veterans from day 1 to understand the 

importance of leadership. In the realm of cybersecurity, it is often the quality of leaders that determines 

a firm’s ability to react and respond to potential threats (or present ones) in a timely manner. In the 

military, strong leadership could spell the difference between life or death. For cybersecurity firms, hiring 

veterans with leadership experience could spell the difference between overcoming and blocking a 

distinct threat, or allowing it to breach their (or their clients’) private data. 

2. Most Vets are comfortable in fast-paced environments 

If there is one word that sums up the active-duty lifestyle, it’s “intensity.” During their time in the military, 

veterans learn how to adapt to and become comfortable with ever-changing fast-paced environments, 

often with the high-stakes factor of civilians involved as some form of collateral. In cyber defense, the 

high-stakes game transitions to one of veterans protecting themselves, their team, as well as civilians 

from malicious digital attacks. As such, veterans are already able to place themselves in a mindset that 

makes them a prime candidate for the cyber defense industry. Additionally, veterans may be better adept 

at navigating their peers through potential cyber crises and emerging victorious once a threat is 

addressed and nullified. 

3. Veterans value and respect constructive feedback 

In many field operations during their time in active duty service, one luxury many veterans are not able 

to find is the ability to try again if their operation results in failure. However, trial and error is at the 

foundation of cyber defense; being able to learn what a threat is as well as how to best assess it and 

work around it is at the core of cybersecurity. Knowing this, many veterans in the cyber defense industry 

will find their mentors and/or leaders offering constructive feedback and criticism of their performance, 

spurring them to do better next time against the next inevitable threat, regardless of when or where it 

occurs. 



4. Teamwork and individual responsibility is at the heart of military training 

The ability to get the job done no matter work, whether individually or as part of a team, is a mindset 

almost every veteran is trained to possess. As a result, veterans inherently hold stronger feelings of 

personal accountability and accomplishment regarding the success of their mission. Being able to 

operate as an individual professional that is part of a team equipped to handle outside threats — in which 

each individual is accountable for specific metrics of success — is at the heart of both military and cyber 

defense training. In the event that a cyber defense firm faces a crisis, veterans are one demographic of 

employees best apt to help that firm navigate the intricacies of such an occurrence. 

5. Veterans find purpose in delivering meaningful results 

Along with teamwork and leadership, the mindset of completing a mission no matter what also helps 

drives veterans towards delivering impactful results that their service provides others. In the realm of 

cybersecurity and cyber defense, those results could mean the difference between a firm’s longevity and 

continued success or its failure if it faces a substantial digital threat. Veterans in the industry are able to 

clearly understand how their performance directly impacts not only their team, leaders, and others around 

them, but also outside individuals with a stake in the success of their mission. Having this results-oriented 

mindset is what helps make veterans such valuable workers to the cyber defense firms that employ them. 

6. Vets are mission driven 

Whenever an active-duty veteran is instructed on what their mission means for the bigger picture, it helps 

instill a sense of purpose. For veterans in cyber defense and cybersecurity, that purpose is derived from 

the additional layers of digital protection their work and expertise provide others. When a veteran in cyber 

defense understands their purpose is to uphold the integrity of private data and information, they dedicate 

themselves to upholding that purpose, providing the firms who employ them and their clients with 

additional means of protecting their data, which provides over-arching value to the cyber defense industry 

as a whole 

7. Dependability is vital both in military and cybersecurity service 

Veterans are taught to understand that any individual or service — no matter how vital — is only as 

valuable as it is dependable; including themselves. For instance, if a core technology a veteran relies on 

to conduct their daily tasks becomes unreliable, or a newer/better technology emerges, veterans are 

taught to seek out the reliability and value it could bring to their service. LIkewise, dependability is crucial 

to the ongoing success of firms within the cyber defense industry, as their services rely upon an ability to 

protect and bolster the defenses of vulnerable users and data. 



8. Vets understand the emphasis of structure and clarity 

Without a clearly defined structure, no organization will be able to achieve success or maintain that 

success in the long run. Structure, however, is one of the core building blocks that military service helps 

instill in veterans, and many veterans seek out that structure in the private sector after their military 

service formally concludes. Therefore, many veterans will find themselves thriving in a role at a cyber 

defense firm that offers them a similar sense of structure, as well as clarity regarding their purpose within 

the organization. Through finding these, veterans are inherently able to rely upon their military training to 

continue providing value to the firms they work for. 

9. Vets are focused on the impact of driving meaningful change 

If you ask a room full of veterans why they initially decided to join the military, most of the responses you 

receive are bound to fall along the lines of their desire to be a part of meaningful, positive change in the 

world. That meaningful change is precisely what the cybersecurity industry seeks to provide its clients in 

the face of an ever-growing and ever-changing digital landscape. In transitioning to cyber defense roles, 

veterans are able to carry that focus on driving impactful change into meaningful work in the private 

sector, leaning on their military training and background to provide a positive service that protects 

everyday people. 

10. Veterans are taught how to combat threats and take risks 

At its heart, military service teaches veterans how to react to threats of virtually any degree and respond 

to them accordingly. In the realm of cyber defense, those threats are as numerous as they are varied in 

their potential intensity. Additionally, veterans understand that responding to threats in a timely and 

responsible manner can entail the need to take risks—another commonality shared in cybersecurity. 

Veterans who seek to transition their skills into the private cyber defense sector are valuable to the firms 

which might employ them since they already possess this mindset; they know the importance of their 

skills and the purpose they serve in protecting others. Because veterans are inherently trained on how to 

combat and overcome threats, even in high-risk situations, this makes them a valuable pool of candidates 

for the greater cybersecurity industry. 


Bryon Kroger is the founder of Rise8, which places the bureaucracy of 

the US military and the technological innovations of Silicon Valley in the 

same realm. As a veteran of the US Air Force, and co-founder of the 

DoD’s first software factory Kessel Run, Kroger is bridging the gap 

between the archaic practices of govtech and the speed that Silicon 

Valley startups are known for. Bryon can be reached online at 

bryon@rise8.com and at our company website https://rise8.us/. 



5 Reasons Organizations Need Comprehensive AD 

Security Across Cloud and On-Prem 

Why Organizations Need to Secure Directory Services in a Hybrid Deployment from 

Attack Paths 

By Justin Kohler, Director of BloodHound Enterprise at SpecterOps 

Microsoft Active Directory is one of the most common identity and access management platforms in the 

world, which unfortunately makes it a prime target for attackers. Attack Paths in Active Directory (AD) 

can give attackers nearly unlimited access to the rest of the network, allowing them to steal sensitive 

information and deploy malware while avoiding detection. Like many other things in security, the task of 

securing AD gets more complex as organizations move workloads to the cloud. The public cloud 

providers have their own IAM infrastructure (Azure AD & Azure Resource Manager in Azure, IAM and 

AWS Organizations in Amazon Web Services, etc.) that organizations need to defend along with onpremises 

AD. Hybrid environments allow attacks to move from on-premises AD to the cloud or in reverse, 

making use of weak spots in both. Comprehensive protection is the best way to ensure the organization’s 

sensitive data remains safe. 



Here are five reasons that organizations need to secure directory services in a hybrid deployment. 

1. As cloud use grows, attackers are following the data 

In October 2021, Microsoft reported that Azure and other cloud services grew 50% year over year in Q4 

2021 and have grown between 47% and 62% every quarter since Q2 2020. The Covid-19 pandemic 

accelerated the shift to the cloud across many industries, and the momentum hasn’t slowed down. As 

data has moved to the cloud, malware has followed. A survey of CISOs conducted by IDC in mid-2021 

found that 98% of respondents suffered at least one cloud data breach in the previous 18 months as 

opposed to 79% in 2020. There’s every reason to believe that adversaries will continue to target the cloud 

aggressively in 2022. Security and cloud teams should ensure they are not leaving gaps that attackers 

can exploit in their identity and access management infrastructure that make it easier for adversaries to 

target them. 

2. The rapid rate of change in the cloud creates uncertainty and risk 

Cloud platforms are still being actively developed, which means the underlying software changes 

frequently, Cloud products and tools get merged with other products, removed, or overhauled on a regular 

basis. This volatility increases security risk because it prevents security experts, whether they work inhouse, 

for a service provider or as a consultant, from understanding the cloud platform in detail. Every 

time something changes, security pros need to re-learn how it works, what its weaknesses are and how 

to protect it. Until they do, they’re more likely to make mistakes, overlook security gaps or implement 

insecure misconfigurations. Since cloud platforms are relatively new compared to on-premises software, 

the talent pool and library of third-party resources for securing them are small to start with. These factors 

make the cloud especially risky, and forces organizations to continuously revise their cloud security 

policies - increasing the changes something will slip through the cracks. 

For comparison, Microsoft Active Directory has been used for identity and access management onpremises 

for two decades. There are a huge number of AD admins that understand the software inside 

and out and an enormous library of third-party resources to help them do their job quickly and safely. 

While many organizations still struggle to secure AD on-premises, AD security in the cloud has additional 

barriers to security that make it even more important that security and cloud teams take it seriously. 

3. The cloud has a larger attack surface and authentication is more complex than 

on-premises 

Cloud authentication systems are easier for attackers to exploit in some ways. First, they simply have a 

larger attack surface. These systems are exposed to the internet by default, where on-premises AD is 

closed to the internet by default. With on-premises AD, adversaries first needed access to the network 

through a user’s credentials. In the cloud, they don’t even need that. 

The systems that assign permissions to specific users or groups in the major cloud platforms also tend 

to be more complex than they are in on-premises AD. For example, Azure AD uses at least three separate 



systems to manage identity and access: Azure Active Directory, Azure Resource Manager, and the Azure 

API Apps permissions system. Unfortunately, these systems can often conflict and make it unclear which 

system is the source of truth. This makes it more difficult for security teams to audit who has access to 

valuable systems, which in turn makes it harder for them to find and close down Attack Paths. 

The more difficult it is to assign permissions, the more likely that Cloud or AD engineers will give blanket 

permissions to large groups of users or give a problem user admin access to just make everything work. 

After all, their main task is to ensure employees have access to the systems they need to do their jobs. 

This complexity creates additional attack paths and undermines the expertise of security and Identity 

Access Management engineers. 

4. Attacks can move from Azure to on-prem AD 

Attack Paths in AD don’t just stay on-premise or in the cloud; they can cross between environments. For 

example, adversaries can move laterally from on-premise AD to Azure AD, escalate privilege within 

Azure, and then move back from Azure to on-premise. They can do this by abusing Microsoft Endpoint 

Manager to move laterally from an Azure tenant to an on-prem AD domain. This abuse becomes possible 

when Windows devices have been Hybrid-Joined to both the Azure tenant and the on-prem Active 

Directory domain. This attack can be carried out by Azure tenant authenticated user — no special 

privileges or roles needed. Abusing one of the three endpoint management systems to execute 

PowerShell scripts on hybrid-joined devices requires either the “Global Admin” or “Intune Administrator” 

roles. This is why it’s vital to protect Active Directory both on-premises and in the cloud - because both 

of them give attackers a way in. 

5. Attack Paths open orgs up to dangerous attacks like ransomware 

Attack Paths are a way for adversaries to get powerful access that lets them steal sensitive data, deploy 

ransomware or other malware, achieve persistence in the network or add backdoors that will allow them 

to instantly re-gain privileged access in the future. An adversary that is well versed in attacking AD (and 

most adversaries are) can gain privileges and move freely across Attack Paths leaving minimal risk of 

discovery from defenders, achieve persistence, and gain the keys to the kingdom. Ransomware is a 

particularly active threat at the moment; approximately 37% of global organizations said they were the 

victim of some form of ransomware attack in 2021, according to IDC's "2021 Ransomware Study." The 

FBI's Internet Crime Complaint Center received 62% more ransomware reports year-over-year in the first 

half of 2021. To reduce their vulnerability to all these attacks and stop problems like ransomware at their 

source, organizations should work on eliminating the Attack Paths in their AD environment. 

Identity and access management on-premises and in the cloud are two sides of the same coin. 

Organizations with a hybrid infrastructure model must protect both in order to keep their users and data 

safe. 




Justin Kohler is the director for the BloodHound Enterprise product 

line at SpecterOps. He is an operations expert who has over a decade 

of experience in project and program development. After beginning 

his career in the US Air Force, he worked for several consulting firms 

focused on process and workflow optimization and held positions at 

Microsoft and Gigamon. He enjoys building and leading teams 

focused on customer delivery at Fortune 500 companies. 

Justin can be reached online at @JustinKohler10 and at our company 

website https://bloodhoundenterprise.io/ 



Directed Analytics - The Future of Data Management 

By Simon Rolph, CEO & Founder of Such Sweet Thunder 

The world as we know it has changed - it’s undisputed. Industries of all kinds face a wholly 

different landscape compared to 18 months ago, and the data industry is no exception. With 

each step we take into this new environment, new technologies are being developed to fit unique 

business needs, ultimately improving our capabilities. 

The data analytics industry has proliferated in recent years, with the global market expected to 

value $132.9 billion by 2026, a nearly 500% growth from its valuation of $23 billion in 2019. As 

an evolution of data analytics, directed data analytics is an essential step in making efficient and 

accurate business decisions. 

Defining directed analytics 

In comparison to traditional data analytics, directed data analytics offers rapid information about 

new trends in the market. This allows companies to make data-driven decisions faster, reducing 

the delay between analysis and action. Ultimately, data has a short life span, and in today’s fastmoving 

world it is vital to act on data as quickly as possible. 



Not only this, directed data analytics means companies can stay on top of a continuous and 

increasing stream of data, allowing more extensive databases to be built whilst allowing for 

analysis on a wider scale. 

directed data analytics aims to move on from the digital dashboard approach that has been a 

core part of the industry for so long. Whilst dashboards are fit for the purpose they were created 

for, businesses are now looking for solutions that are fluid and fast-changing. Dashboards can’t 

provide the speed to keep up with the rapid onslaught of data that exists in the modern world. 

Similarly, when dashboards first emerged, they weren’t just a big step forward for data 

management - they were also a significant advance for MIS (Management Information Systems) 

and EIS (Executive Information Systems). However, they haven’t yet evolved sufficiently to 

continue to be efficient and effective in this area. 

Being directed in a competitive landscape 

Directed data analytics offers the next generation of data reporting, providing a multitude of data 

in a short period, displayed in a customised way that is fit for the user and company, and 

compiling the data into a broader industry context in order to visualise long-term trends and 

patterns. This approach is crucial for businesses to remain competitive and stay ahead; with 

industries changing at a rapid pace and global events happening on an unprecedented scale. 

Providing feedback on product performance, marketing strategies and customer experience, 

directed analytics is fundamental for businesses in today’s climate. Without this crucial, timely 

information, leaders cannot confidently make decisions that will allow them to improve 

performance, profitability and employee satisfaction. 

The future of data analysis 

Many companies have the data analysis tools and infrastructure they need, but the analysis fails 

to have a more comprehensive business impact due to red tape and lack of agility. Data can 

often remain stuck in dashboards, reports aren’t circulated to the relevant people, and crucial 

insights don’t reach senior decision-makers. 

The distinction here is that the technology is widely available and often already implemented; 

however, it is the corresponding data analysis that fails to have an impact. It’s what the data 

means that needs to be communicated, not the data itself. 



Directed analytics allow these insights to become a part of everyday workflows. Integrating 

insights into a business’ existing workspaces and tools means that users don’t need to access 

specific dashboards or applications to find the data and then analyse it themselves. The future 

of directed analytics will mean that employees can ask questions and get simple, straightforward 

answers grounded in data, allowing them to work seamlessly, and make smarter decisions at a 

faster rate. 

In order to progress, the directed data analytics industry needs to become almost invisible; so 

seamlessly integrated and providing insights so effortlessly that it causes no disruption to 

business’ daily operations. 


Simon Rolph, CEO & Founder of Such Sweet Thunder. Simon is the 

founder of data analytics firm, Such Sweet Thunder, and has been 

CEO since its inception in 2007. As an experienced interim software 

engineer, business analyst and IT project manager, specialising in 

Data Management and Analysis projects, Simon has over 25 years 

of successfully delivering complex, high-value cross sector projects 

and programmes for ‘Blue Chip’ internationally renowned 

organisations. 

Simon’s goal as CEO of Sweet Thunder is an aim to create a great 

environment for people to work delivering simple solutions to complex 

problems that make a tangible difference for our clients. 

Simon can be reached at our company website https://www.sweetthunder.co.uk/ 



Phishing Techniques in Disguise: What to Look for And 

Why You Should 

By By Rotem Shemesh, Lead Product Marketing Manager, Security Solutions, at Datto 

Phishing is a familiar concept to cybersecurity professionals - and hackers. According to a recent study, 

phishing attacks are the method of choice of cyber criminals attempting to infiltrate an organization. Why? 

Because they are easy to deploy and the opportunity for human error when clicking on a phishing email 

is high. 

When many of us hear the term “phishing” we may picture an obvious spam email that came from an 

easily recognizable fake email address. But it isn’t always that simple to spot a phishing attempt. It’s 

important to educate organizations on ways to avoid falling victim to phishing attempts, including how to 

identify the different shapes they can come in. Recently, Datto SaaS Defense detected a threat that was 

disguised as a communication hosted on a trusted domain, which enabled the attackers to operate below 

the radar of detection. 

New technique bypasses security detection 

This new phishing technique included two key elements that made it impossible for most security 

solutions to detect. The attack leveraged Adobe InDesign hosting reputation to hide a malicious link in 

an inframe. With the goal of harvesting users’ credentials, the attack was sent via email to lure users into 

clicking a link to access a shared document. The link directed people to a fake webpage designed using 



InDesign and uploaded to indd.adobe.com, a legitimate URL. Hosting a phishing attack in a known URL 

is not uncommon, but this was the first time we saw it done in InDesign. The InDesign domain also has 

certain characteristics that enabled the bad actors to conceal the malware; the link was hidden in an 

image (something that is possible in InDesign) and therefore was not identified as a URL when scanned 

by many security solutions. This masking technique enables attackers to avoid raising suspicions and 

bypass many email detection measures. 

This was the first time this type of technique was confirmed as a phishing attack; luckily, it was uncovered 

before causing serious damage. But, this new type of threat shows just how constant - and dangerous - 

the evolution of the cybersecurity landscape is. Cyber criminals are, unfortunately, usually one step 

ahead of their targets, and it’s critical to stay up to date on the latest techniques being used to best protect 

yourself and your organization. To build a strong cyber detection and prevention plan against phishing 

attempts, there are many steps companies can, and should take. 

Prepare for the worst 

So, what are companies or security-based solutions supposed to do when faced with a tricky challenge 

like this one? 

The first step is to ensure your organization has the most up-to-date and advanced security protections 

in place. Basic email security is not enough - it’s critical to have a security platform in place that can 

detect more advanced and emerging phishing techniques, especially the ones that have not yet been 

discovered or even developed. It’s also more important than ever that organizations adopt an assumed 

breach mentality: plan for when a cyber attack will happen, not if. Remote work and increased use of 

cloud-based SaaS platforms are essentially invitations to bad actors. As useful as these technologies 

are, it opens up gaps for malware to enter a system when you least expect it. 

Implementing security solutions to help with detection and prevention are important, but it’s even more 

necessary to develop cyber resilience in your company. A strong cybersecurity approach is one that 

starts with an assumed breach mentality within an organization, and ends with building a cyber resilience 

foundation. Cyber resilience is not a product or attitude, but rather an ongoing journey with an evolving 

mindset to grow as new threats and technologies continue to emerge. Together with an assumed-breach, 

cyber-resilient culture, your company will not only be prepared for the next vulnerability around the corner, 

but also will have the ability to respond and quickly recover from an adverse cyber event. 

In an ever-changing digital environment, security can no longer afford to be afterthought. It is the 

responsibility of each organization to ensure that when a threat emerges, they are able to minimize the 

risk to prevent the attack from growing and wreaking havoc on themselves or others, such as their 

customers. It is too easy for cyber attacks to quickly spread and have a ripple effect that can impact 

thousands. As dangerous cyber criminals become smarter, we must too, and take the proper steps to 

fight back. 




Rotem Shemesh is the Lead Product Marketing Manager for 

Security Solutions at Datto and plays a significant role in 

expanding and positioning Datto’s cybersecurity offerings. She 

was the head of marketing at BitDam and was responsible for all 

marketing and Go-to-Market efforts for 3 years. At BitDam, when 

it was a small cybersecurity start-up, she established the 

company’s marketing efforts from the ground up and was 

instrumental in the company’s success over the years, as well as 

the effective merge with Datto. Building BitDam’s marketing 

strategy, messaging and brand, as well as driving demand 

generation, communications, and channel marketing, she 

successfully positioned the company as a disruptive 

cybersecurity startup well recognized by the market, analysts, journalists, and other industry players. 

Rotem can be reached online at @ShemeshRotem and at our company website Datto.com 



Are You Prepared for the New Normal of Jekyll and Hyde 

Data? 

An organization’s data and secrets are simultaneously its greatest assets and its greatest 

risks. 

By Howard Ting, CEO, Cyberhaven 

Recently Twitch suffered a devastating hack that exposed its most sensitive data and intellectual property 

including source code, unreleased product information, streamer earnings, and more. For security teams 

and enterprise leaders, this attack should make the hair on the back of their necks stand up. This is a 

worst-case scenario breach, designed to cause maximum disruption, and yet, there wasn’t any regulated 

data in sight. 

The attack was all about exposing the IP and trade secrets of the business itself. Recent ransomware 

attacks have followed a similar blueprint by threatening to expose an organization’s secrets. This changes 

how an organization must view the risk to its data. While a traditional ransomware attack can be 

measured in downtime, when secrets are published, the damage is permanent. Data risk must now be 

viewed in truly strategic terms, not just operational. 

Coincidentally, this was the same week that Facebook was once again scrambling to contain the fallout 

from leaked internal documents and information. These events require organizations to reassess how 

they use and protect their most sensitive data. It isn’t enough to simply quarantine away PCI or HIPAAregulated 

data and call it a day. Virtually all enterprise data is now in play when it comes to risk. Yet at 

the same time, data is being shared more than ever before, and collaboration is an essential part of 



modern work. Organizations must be ready to navigate this apparent paradox to get the most out of their 

data while minimizing the risk. 

The Two Faces of Enterprise Data 

An organization’s data and secrets are simultaneously its greatest assets and its greatest risks. On its 

good side, data is the oxygen that keeps the enterprise alive and lets it thrive. And like oxygen, data 

needs to move and be consumed so that users can collaborate and create. And today this sharing occurs 

across a constantly evolving suite of applications and services including sanctioned enterprise apps as 

well as personal use apps. 

Yet all this sharing and collaboration opens the door to loss, misuse, or abuse of that data and can 

transform data from Jekyll to Hyde. Viewed from the perspective of risk, data is less of a life-giving oxygen 

and more like a self-spreading, self-replicating virus. Every user that downloads sensitive data could 

potentially make a copy. Data could be copy/pasted into another file, uploaded to a personal cloud, or 

shared via chat, personal email, or countless other methods. Every data access can turn into a number 

of unseen derivatives, each with its own potential for loss or misuse. 

Focus on the Data Actions 

So which is it? Is our data oxygen or a toxic virus? The answer is that it is both. The difference between 

data being nourishing or toxic depends on the actions and context surrounding it. The good or bad rests 

in how the data moves, is modified, and shared. Just as importantly, we need to know the data’s history. 

Where did the data come from? What user or app created it and how has it changed? So not only do we 

need to know the actions surrounding a piece of data, we need to know its lineage. 

The Way Forward 

Organizations need a new approach to data security that can provide this lineage and resolve the Jekyll 

and Hyde problem by passively watching how data is created, modified, and shared. Every action must 

be tracked and correlated to build a complete history of every piece of data. This opens up a far more 

powerful approach to securing data that lets organizations do the following: 

• Secure Any Type of Data - Any data can be traced and analyzed without the need for signatures 

or tagging. This lets organizations protect virtually any type of IP or content based on its actual 

value to the enterprise. Source code, ML models, financial projections, and product designs can 

all easily be protected equally. 

• Safely Enable Work and Collaboration - Users need to share and collaborate to do work without 

losing control. Policies can align with business processes to define how data can be shared and 

with whom while preventing oversharing or misuse. 



• Find Unseen Risk - The hardest part of security is often to control the “unknown unknowns”. 

Enterprises need a tool that automatically and continuously traces all data, which can find 

sensitive data in places the security team didn’t even know to look. 

In the end, data doesn’t have to be treated as Jekyll or Hyde. Instead, security policies can automatically 

follow the true value to the enterprise and adapt to how it is actually being used. 


Howard Ting is the CEO of Cyberhaven. Howard Ting joined 

Cyberhaven as CEO in June 2020. In the past decade, Howard has 

played a critical role in scaling Palo Alto Networks and Nutanix from 

initial sales to over $1B in revenue, generating massive value for 

customers, employees, and shareholders. Howard has also served 

in GTM and product roles at Redis Labs, Zscaler, Microsoft, and 

RSA Security. Howard can be reached on Twitter and at our 

company website https://www.cyberhaven.com/. 



How To Defend Railway Subsystems from Targeted 

Cyber-Attacks 

By Michael Cheng, Director at TXOne Networks & C. Max. Farrell, Senior Technical Marketing 

Specialist at TXOne Networks 

Railways are a critical part of every nation’s vital system. Maintaining the constant operation of railway 

systems requires protection from many threats, and disruption can harshly impact a nation’s society, 

economy, and culture. As the critical industry of railways continues to grow, the risk of cyber-attacks has 

risen sharply. 

This creates a need for powerful cybersecurity solutions that can be rapidly and conveniently integrated 

into routine railway operations to safeguard these critical networks and systems. In addition, these 

solutions should be resource efficient and transmit data fast enough to keep up with commuter traffic and 

to accommodate the distributed nature of modern railway technologies. 

The vulnerable architecture of railway assets 

Cyber attacks on national utilities and transport networks have increased massively recently, but they are 

by no means new. Back in 2015, security specialists set up a realistic simulated rail network at the CeBIT 

trade fair in Hannover and put it online to see how much attention it would attract from hackers. Over its 

6-week runtime, 2,745,267 cyber attacks were documented, and in “about 10 percent of the attacks” 



intruders were able to gain control over simulated assets. 1 Would-be attackers’ knowledge of railway 

systems has progressed even further in the seven years since this experiment. 

On the one hand the distributed network architecture of the railway infrastructure allows incredible 

adaptability and for the use of a wide variety of modular assets. On the other hand, many of these assets 

are no longer up-to-date or patchable. So, the fast-changing nature of cyber threats clashes with/comes 

up against the long service life and diversity of equipment, making the enforcement of security policies 

daunting. The same high-connectivity pathways that increase accessibility for trusted railroad engineers 

also increase accessibility for malicious intruders, which is why specially designed cybersecurity 

appliances and software can be so essential. 

Every system needs individual protection 

Each rail subsystem is a different set of assets with its own individual cybersecurity requirements. Every 

rail subsystem application classified as security-relevant has been systematically type-tested and 

secured according to the relevant certifications before leaving the factory. However, the downside of 

certifications is that they introduce general patterns into defenses that hackers can learn to anticipate 

and exploit. Defenses for critical services need to go beyond the bare minimum necessary to meet 

certifications or regulations and include protections that give hackers a hard time. Furthermore, the 

ongoing support of dedicated security researchers is necessary to adapt these defenses against new 

cyber threats. 

User-friendly tailored solutions 

Cybersecurity begins with education of the staff, but the busy day-to-day work of railway personnel rarely 

leaves space for that. Thus, all defensive solutions must be as failsafe and streamlined as possible to 

promote ease of use. Ideally railway subsystems need appliances that have the necessary protocol 

sensitivity to check network traffic for suspicious actions and deny unusual or unlikely behavior. Such 

appliances have the further benefit of significantly reducing the likelihood of human error. 

Each subsystem is dependent on solutions created to meet its specific needs. TXOne Networks suggests 

an OT zero trust approach to securing operational environments, which includes three phases: 

segmenting networks, scanning inbound and mobile assets with a portable rapid-scan device, and 

securing endpoints with defensive solutions tailored to the endpoint’s type (legacy or modernized). 

Stop intruders and isolate malware 

Traditional intrusion prevention systems (IPSes) were mere filtering systems, which are no longer 

adequate protection for critical infrastructure networks. Instead, modernized solutions like TXOne’s Edge 

series of next-generation IPSes and firewalls bring more sophisticated protection to assets at the station 

and wayside. Edge series defenses, based on the OT zero trust methodology, detect suspicious behavior 

1 

Vlad Gostomelsky, “Securing the Railroads from Cyberattacks”, Mass Transit Magazine, Dec 17 2019 



on legitimate accounts or from legitimate devices, put a virtual patching “shield” around legacy assets 

that cannot be patched or replaced, and segment networks so that they’re much more defensible. 

The access points (APs) that a train uses for mesh or roaming are often running with limited or hardly 

any security, enabling intruders to potentially affect the signal control system. An EdgeIPS solution is 

perfect for deployment between the AP and its switch, preventing attackers from accessing or affecting 

the network. 

Safeguarding mobile and stand-alone assets 

One common way dangerous threats get into OT environments is devices brought on-site by vendors or 

maintenance experts. That is why, in addition to routine scans of deployed technology, security experts 

recommend using dedicated mobile security devices for pre-scans of new devices before they are 

deployed on the network. Such a device can be used to set up a checkpoint where all laptops and other 

devices brought on-site are scanned. This requires a solution with the ability to conduct quick scans 

without the need for software installations so that it can be used for checkpoint scans as well as for 

sensitive equipment that cannot accept installations. 

How to protect fixed-use and legacy assets 

For fixed-use systems such as ticket vending machines and on-board computers, a trust list-based ICS 

endpoint protection application is the ideal solution. Even if malware finds its way into a company’s 

working hardware, it cannot be executed because of the trust list-based lockdown. For example, 

applications, configurations, data, and USB devices are all locked down with a trust list. It excludes all 

unlisted applications from running and unlisted users cannot make changes to data or configurations. 

Only administrator-approved USB devices can connect to the device, and only an administrator can grant 

a device one-time permission to connect. 

Conclusion 

In today’s world bad actors and criminal organizations prefer to conduct their attacks over the internet 

from the comfort of their computer chairs – which makes them even more dangerous. To secure daily 

operations and maintain passenger confidence, computation must be protected from disruption while 

maintaining maximum availability, with no aspect of the exchange using more time or resources than 

necessary. This is why specially designed cybersecurity appliances and software are so essential to the 

protection of railway subsystems. 

Additional information can be found at www.txone-networks.com and https://www.txonenetworks.com/white-papers/content/securing-autonomous-mobile-robots 



About the Authors 

Michael Cheng is a director at TXOne Networks with 20 years of experience 

in global product management, software development, quality assurance, 

and cybersecurity for IT, OT, and ICS environments. He holds an ISA/IEC 

62443 Cybersecurity Expert certification. 

Michael Cheng can be reached online at michael_cheng@txonenetworks.com 

or at contact@txone-networks.com 

C. Max Farrell is a senior technical marketing specialist for TXOne 

Networks, where he has worked from a background in cybersecurity, 

technology, and business since 2019. He conducts research related to 

industry-critical technology, economy, and culture. 

C. Max Farrell can be reached online at max_farrell@txonenetworks.com 

or at contact@txone-networks.com 



Biggest Cyber Trend in 2022 

You Can’t Fix Stupid 

By Guy Rosefelt, CPO, Sangfor Technologies 

Stop me if you have heard this one: a customer is working late at night, been a long day, and very tired. 

Customer needs to clear a few remaining emails including one from the CEO. Without thinking about it, 

customer opens the email from the CEO, barely skims it and opens the attached Word document. Just 

as the Word doc opens, customer realizes the email looks a bit odd and then it hits, it is a phishing email. 

Laptop infected. 

Sound familiar? That just happened to my customer yesterday. And he knows better but was tired and 

on autopilot. We spent an hour online trying to figure out how bad the infection was and if he should wipe 

out his system and reimage since he had just done a full backup the week before. We decided to err on 

the side of caution and wipe and restore. 

The moral of the story is anti-phishing will never be 100% successful. The best security products are only 

ninety-nine point something successful, but even at that rate with the number of emails received in an 

organization daily, a few are going to get through. And someone will click on one. My customer is normally 

very diligent, but he slipped. Worse, there are a few employees in every company that do not really check 

to see if emails are suspicious and will open them anyway. 



Why am I rehashing this old trope? Because Barracuda Networks reported a 521% increase in phishing 

emails using COVID-19 Omicron variant to entice victims between October 2021 and January 2022. 

People looking for home testing kits were prime targets and easy prey. Webroot reported a 440% 

increase in May 2021. And more will keep coming. 

“So, Guy,” you may ask, “how can you save us from phishing?” Well, I cannot, and no one else can 

either. What we need to do is bite the bullet and shift our strategy from trying to block everything to 

assuming we are already compromised, breached, hacked, etc. Once you start from that viewpoint, it 

does not matter that you cannot fix stupid, you just have to deal with the aftermath. Your focus is now on 

threat hunting, looking for signs of compromise. Do you have tools that can watch low and slow network 

behavior that are indications of stealth scanning? Can you identify regular bursty encrypted traffic being 

sent someplace out on the internet that might be data being exfiltrated? Can you track system resource 

utilization for signs of cryptomining or other malicious behavior? 

What makes looking for these kinds of behavior difficult is they are all AI-based. That’s right, attackers 

have learned to weaponize artificial intelligence (AI) into advanced persistent threats (APTs) and other 

malware payloads. The malicious software installed has become so much smarter than you think. It will 

look for specific targets, domains, even countries before it decides to activate. It can hide inside legitimate 

processes running in memory, evading security scans. In fact, it can disable security software running on 

systems without you knowing about it. 

There is a powerful batch script available now called Defeat-Defender that can shut down all Windows 

Defender processes silently. The best part is Defeat-Defender can masquerade as a legitimate process, 

evading the new Windows Tamper Protection functionality. All from opening an infected Word document. 



I see heads shaking in despair and a few of you getting ready to jump out of your office windows (you 

realize some of you work in the basement…). But there is a strategy that can help you through this dark 

and difficult time. You need to do 4 extremely simple and painless things: 



1. Look for and minimize attack surfaces 

Conduct external and internal attack surface assessments to find ways for the attack malware to breach. 

Look for signs that those surfaces were exploited. Then work to close those holes. 

2. Deploy AI-based detection and response 

You need to use AI to combat AI, but not just any AI. Security tools that employ broad-based AI will not 

find the signs of stealthy activity or APTs. Purpose-built AI models designed to identify very specific 

behaviors are needed, such as looking for enormous amounts of abnormal DNS requests going to 

malicious domains or finding short periods of bursty HTTPs traffic during off hours; both are indications 

of data exfiltration. 

3. Improve security system synergy 

All security products have a sphere of influence covering their own security domain. But the domains do 

not overlap causing gaps that AI-enabled APTs can exploit. Having security products share data realtime 

and coordinate responses can close those gaps. 

4. Augment security operations and resources by using security services 

Face it, you do not have enough time, staff, or resources to go into threat hunting mode. And if you are 

breached and under attack, can you really do incident response (IR)? Even the security teams in the 

largest organizations are resource limited. Leverage your VAR or security vendor to provide resources 

to backfill your team, help conduct assessments and IR, and do managed detection and response. Think 

of it as a home security monitoring service available 24 hours a day; that is there when the breach occurs 

during off-hours. 



It isn’t possible to block everything 100% and combating stupid makes it even harder. Since you can’t fix 

stupid, these 4 things can minimize and contain the damage caused. More importantly, thinking like an 

attacker will help you find signs if you were attacked and close off any holes and vulnerabilities that 

attackers will use. 


Guy Rosefelt, Chief Product Officer, Sangfor Technologies. Guy is 

Chief Product Officer for Sangfor Technologies. He has over 20 years’ 

experience (though some say it is one year’s experience twenty times) 

in application and network security, kicking it off with 10 years in the 

U.S. Air Force, reaching rank of captain. After his time in the USAF 

building the first fiber to the desktop LAN and other things you would 

find in Tom Clancy novels, Guy worked at NGAF, SIEM, WAF and 

CASB startups as well as big-name brands like Imperva and Citrix. He 

has spoken at numerous conferences around the world and in people's 

living rooms, written articles about the coming Internet Apocalypse, and 

even managed to occasionally lead teams that designed and built 

security stuff. Guy is thrilled to be in his current position at Sangfor -- partly because he was promised 

there would always be Coke Zero in the breakroom. His favorite cake is German Chocolate. 

Guy can be reached online at guy.rosefelt@sangfor.com or on Twitter at @otto38dd and at our company 

website https://www.sangfor.com/en . 



On The Frontline in The War Against Hackers 

By Damien Fortune, Chief Operations Officer of Secured Communications 

In the wake of a global shift toward remote work, crime is moving from physical space to cyberspace. 

Businesses are conducting more important and valuable business online than ever before, and 

accordingly, more valuable and sensitive information is being transmitted across insecure networks. This 

has presented bad actors with the incentive and opportunity to increase their focus on cybercrime and 

given the ever-increasing sophistication of cyber threats and access to robust computing power, 

cybersecurity companies have been tasked with evolving to better combat these emerging threats. 

Over the last decade, data breaches have surged, exposing sensitive information, and undermining 

customer confidence which is potentially devastating, especially for smaller businesses. Companies, now 

more than ever, need to know how to keep their data secure while maintaining a seamless and productive 

work environment. On the back of these trends, new protocols are emerging to provide additional layers 

of defense to corporate communications. 



One of the newest tools in the fight against cybercrime is Messaging Layer Security (MLS). This next 

generation end-to-end encryption (E2EE) security layer encrypts each individual message with a 

changing encryption key, allowing for Perfect Forward Secrecy (PFS) and Post-Compromise Security, 

meaning that if a message were ever intercepted and compromised, that message’s content would be 

the only thing exposed, as opposed to jeopardizing entire message chains or providing information that 

would enable further surveillance through man-in-the-middle attacks. Most communications platforms on 

the market today use older technology of transport layer security (TLS) technology, which does not 

provide similar layers of protection, and which is vulnerable to attacks from a variety of vectors. 

Alongside digital protection of content itself, tools to protect users are also advancing. Multi- 

Factor Authentication (MFA), which requires users to present multiple forms of proof of identity 

to access information, has become more prevalent. Traditionally, MFA asks for either something the 

user knows (such as a password); something they have (such as their device); and as the most secure 

option – who they are (biometrics using Touch ID or Face ID). 

Increasing technical sophistication and access to more computing power by those that choose to hack 

into business systems has made the migration to more-sophisticated tools inevitable. With modern 

workflows continuing to shift from outdated email systems in favor of messaging and collaboration-centric 

tools, we would expect MLS, MFA, and other tools to come to the forefront of cybersecurity suites in the 

near term. 


Damien Fortune is the Chief Operations Officer of Secured 

Communications, the leading global technology company specializing in 

ultra-secure, enterprise communications solutions that are trusted by 

businesses, public safety and counter terrorism professionals worldwide. 

His career began on Wall Street where he worked as a sell-side analyst 

covering energy and industrial equities. From there he transitioned into 

private equity as a portfolio manager and eventually into a role as 

CFO/COO of a portfolio company. 

Damien can be reached online at support@securedcommunications.com 

and at our company website http://www.securedcommunications.com. 



How to Fix Mid-Market Security Using Intelligent 

Automation and AI 

By Guy Moskowitz, CEO, Coro 

Market forces are working against medium-sized businesses, leaving companies that don’t have large, 

dedicated security teams and fat cyber security budgets exposed to cyber threats. When combined with 

the global pandemic and the fact that cyber criminals have expanded into mid-market targets, mediumsized 

companies face greater risk than ever, and it’s time IT leaders and the industry step up to take care 

of this gap. 

Three factors have arisen that have had dire consequences for medium-sized businesses: 

1. The cyber security industry has neglected the mid-market in its pursuit of enterprise-grade 

security solutions with proportional enterprise price tags. 

2. The global pandemic accelerated the trend toward remote work and adoption of cloud platforms, 

leaving many companies with much larger attack surfaces, and an out-of-date cybersecurity 

architecture. 

3. Due to commoditization of cyber attacks, cyber criminals turned their eyes toward the mid-market, 

which has proven to be less sophisticated and less funded in terms of cyber security. 



The Cyber Security Market Has Failed Medium-Sized Businesses 

The cyber security market has bifurcated into large, enterprise solutions and niche point solutions. Midmarket 

companies are stuck in an inhospitable middle, where they don’t have the budget and resources 

to purchase large enterprise solutions, but also have too much complexity and attack surface for point 

solutions to be effective in providing security. 

The high cost of implementing and operating security solutions severely impedes their adoption by midmarket 

companies. Companies with 1,500 and fewer employees often have limited cyber security 

budgets and very few dedicated security professionals – if they have any specialists at all. Hundreds of 

employees and thousands of endpoints create an attack surface that stretches IT teams to their limits. 

Mid-market companies are therefore forced to make bets on the most probable attack vectors to defend 

against, leaving the rest of the attack surface exposed. 

The Pandemic-Driven Shift Toward Remote Work Caught IT Departments Flat Footed 

Nobody was ready for large-scale remote work in 2020. Teams were not culturally prepared to conduct 

business online, office software wasn’t designed for remote work as its primary use case, and IT 

departments had mostly focused on on-site and VPN-style security. The shift to predominantly remote 

work in 2020 and 2021 disrupted every aspect of business and created huge opportunities for attackers 

seeking to exploit the relative naivete of the new cloud working environment. 

In Coro’s recent report analyzing mid-market cyber security, we found that while 50% of medium-sized 

companies had email malware protection in place in 2021, 88% of them had misconfigured their 

protection settings. Meanwhile, only 16% of mid-sized companies had email phishing protection in place, 

and 71% of them had misconfigured settings. Other attack vectors fared similarly or worse. This means 

many of the technologies deployed by IT teams, and especially the new ones deployed since the 

beginning of the pandemic to enable remote work, offer little actual protection against emerging classes 

of cyber threats. 

Cyber Criminals Are Turning Downstream for Easier Pickings 

A big score against a large enterprise is exciting for a cyber criminal, but so is the prospect of several 

smaller, easier scores. We observed this in practice in 2021 as attacks on medium-sized companies 

increased both in volume and in sophistication. 

Specifically, we saw that attacks on mid-market companies increased by 150% in the past two years. 

Moreover, these attacks are not just generic (AKA naive) attacks, but are increasingly tailored attacks for 



the particular victims being targeted by the hackers. Customized attacks against mid-market companies 

have expanded 4x in 2021. Insider threats, whether accidental or malicious, have also doubled in 2021, 

showing the greater role employees have played in cyber vulnerabilities during the pandemic. 

Closing the Mid-Market Cyber Security Gap with Intelligent Automation and AI 

Mid-market spending on cyber security was up in 2021 as companies began to feel the heat from cyber 

criminals testing their defenses. But most of the industry’s comprehensive cyber security solutions are 

aimed at large enterprise customers – and mid-market companies need options beyond stitching together 

piecemeal point solutions. 

The three challenges to mid-market cyber security remain: overly expensive and complicated solutions, 

greatly expanded attack surface driven by remote work, and increased attacks by hackers seeking to 

exploit the mid-market. To overcome these challenges, companies need affordable solutions that 

augment existing IT with built-in intelligence and non-disruptive security workflows. This is where 

automation and AI come in. 

As I said earlier, 88% of email malware solutions are misconfigured – and that doesn’t even account for 

cloud malware, Wi-Fi phishing, and a huge range of emerging attack vectors for which most mid-sized 

companies have no protections in place. Why should such misconfigurations and omissions leave a 

company exposed to cyber threats, especially when a single breach could paralyze a business or cause 

enough damage to close its doors forever? Where possible, the responsibility for effective cyber defense 

needs to be shifted off the shoulders of overstretched IT teams and onto machines. AI must be deployed 

to enable small teams with limited resources to effectively manage large and complex situations. Small 

companies must seek solutions that simplify the security experience: comprehensive, all-in-one solutions 

that are easy to deploy and easy to operate by way of intuitive UX design and AI automation. 

The truth is, most small and mid-sized companies don’t need dozens of security professionals to manage 

straightforward and common security tasks. Look for security solutions that instead make use of 

intelligent automation to reduce the load on IT and security teams. Intelligent automation can 

automatically block malware threats, prevent accidental or malicious data leakage, lock down rogue 

accounts, and prevent the majority of incoming attack attempts, all without human intervention. For the 

small percentage of issues that AI and intelligent automation can’t resolve, a concise and clear notification 

can be sent to administrators that can be resolved quickly and easily. 

Even in this rapidly evolving cyber climate, the cost and complexity of security can be managed, and 

escalating cyber threats can be controlled. Comprehensive cyber security can and should be fully 

accessible to mid-sized companies. It’s time for mid-market IT leaders reconsider the standard point 



solutions and seek comprehensive, AI-enabled software with built-in intelligence, designed specifically 

for their needs: elegant, non-disruptive security within a single, efficient platform. 


Guy Moskowitz is the CEO of Coro, one of the fastest growing 

security solutions for the mid-market, providing all-in-one protection 

that empowers organizations to defend against malware, 

ransomware, phishing, and bots across devices, users, and cloud 

applications. Guy can be reached online at (LinkedIn and Twitter) and 

at our company website https://www.coro.net/ 



5 Ways Cybersecurity Will Change In 2022 

By Jaime Coreano, Vice President of Sales – Flexxon 

The annual cost of cybercrime is set to hit $10.5 trillion by 2025. The losses caused by theft, fraud and 

embezzlement are compounded by the disruption that follows. Forensic investigations, restoration and 

deletion of hacked data and systems, lost productivity and, inevitably, reputational harm all add to the 

bill. 

Of course, cybercrime is a shape-shifting enemy that quickly adapts to its surroundings. As more of our 

national, corporate and personal business goes digital, new threats emerge and priorities shift. 

Fore-warned is fore-armed, however! So, to ensure we have the right cybersecurity technologies in place 

and carry out meaningful techstack reviews, here are the top five cybersecurity trends that X-PHY has 

identified for 2022. 



#1: Firmware level attacks will increase 

The much-cited Security Signals Report published by Microsoft in March 2021 noted that at least 80 

percent of enterprises in major economies had suffered at least one attempted firmware attack in the 

previous two years. 

Firmware attacks are daunting precisely because firmware sits ‘below’ the operating system, where the 

most common and familiar tools for detecting and quarantining malware cannot see them. But until now, 

firmware threats have not been treated seriously enough by enterprise security teams. As the Security 

Signals Report tells us, only 29 percent of security budgets were allocated to protect firmware. 

That has to change. 

There are many ways that firmware attacks can be launched against network devices and cause untold 

amounts of damage. Equally, there are plenty of basic housekeeping and security steps that can 

eliminate a number of potential vulnerabilities. AI-enabled security at the firmware level for example, 

allows real-time data protection against all sorts of software-based malware, ransomware, and viruses 

without human intervention. 

#2: More firms will be subject to an inside job 

The measures security professionals take to narrow the attack surface are based on the simple idea that 

the threat is ‘out there.’ But this focus on preventing and detecting external attacks can create a significant 

blind spot: the threat from inside. 

Whether from malicious intent or clumsy accident, trusted employees and partners can cause more 

damage than ever before. New ways of working and greater digital engagement change the nature of the 

company network and its assets. According to Ponemon Institute’s 2022 Cost of Insider Threats: Global 

Report the incident rate is up by 44 percent in the past two years, with costs per incident now at $15.38 

million. There is little sign that this is slowing down. 

In this environment, the zero-trust model – which leaves no room for protocol, courtesy or respect for 

seniority – treats every insider with suspicion. That means proper, multi-factor authentication for every 

access to every system or service, plus monitoring, logging and effective pattern detection to detect any 

anomalous insider behavior. It may be an uncomfortable idea for many, but it is a necessary one. 



#3: Supply chains will be the big ransomware target 

In July 2021, a medical management services provider in New York experienced a ransomware attack 

that affected more than 1.2 million individuals – one of the largest breaches of health data reported to the 

federal regulators in 2021. 

We are all familiar with the threat of ransomware. What is changing is the number of cyberattacks – like 

this one – that target trusted third-party vendors who offer services or software that are vital to the supply 

chain, but which attack agents regard as softer targets. 

IT decision-makers believe that these kinds of supply chain attacks are to become one of the biggest 

threats to their organizations in the coming year. But most have not vetted either their current or 

prospective suppliers in the past 12 months. 

To stay ahead of it, now is the time for organisations to put a response strategy into place. Until they do, 

this will remain an attractive target. 

#4: Increased risk for SMBs 

The world has changed but the age-old mantra still applies: attack agents will always go for the easiest 

target. That is what is driving the growth in supply chain attacks – and is also behind the increasing 

frequency of attacks on SMBs. 

In its 2020 Internet Crime Report, the FBI recorded 791,790 complaints of suspected internet crime 

among small businesses (300,000 more than in 2019), and total losses of more than $4.2 billion. 

SMBs may not have the resources or expertise to protect themselves adequately, but they still have 

valuable information residing within their systems. That’s why they are subject to growing numbers of 

targeted and complex attacks. 

In addition, the recent mass shift toward remote and hybrid working practices has seen people’s private 

and professional lives becoming intertwined, often resulting in a less than diligent approach to 

cybersecurity. With that, SMBs have experienced a jump in cyberattacks as a result of human error. In 

fact, human error is responsible for a staggering 95 percent of data breaches, an issue that has only 

been heightened by the effects of the pandemic. 

As such, it has become clear that just like everyone else, SMBs need robust cybersecurity that includes 

all layers, from software to the physical and everything in between. 

Enter, AI-infused cybersecurity solutions. AI has the power to reduce human intervention, allowing data 

to be secured without the need for extensive knowledge or training. 



#5: Vulnerabilities in critical Infrastructure will be recognized 

At the other end of the scale is critical national infrastructure, which is increasingly digitalized but reliant 

on security measures for control systems that were developed before data, sensors, and networking were 

embedded in core control systems. 

Critical infrastructure is no more immune to the natural laws of cybersecurity than any other sector of the 

economy: surges in technological development create the perfect environment for cyber crime to flourish, 

and the targets with the highest value but weakest security will be top of the list. 

An attack on just the building management system of just one New York City office block via a connected 

vending machine caused damage estimated at $350m. The economic impact of a severe cyber-attack 

on the US power-grid could be at least $240bn. 

But the motive to hit critical infrastructure isn’t just financial. It can be political too. Hacktivists, terrorists 

and foreign agents see energy grids, health systems, and transport logistics, as useful bargaining tools. 

Intelligent, bullet-proof solutions are needed, ideally a zero-trust architecture with AI-embedded cybersecure 

SSD as the last line of defense. 

This is X-PHY’s final, unofficial, prediction for 2022. Offense is getting smarter. So will the defense. This 

is the year that zero-trust architecture becomes the lens through which all cybersecurity solutions are 

viewed. 


Jaime Coreano is Vice President of Sales at Flexxon. As a Sales 

and Business Development executive with 25 years of experience 

in semiconductors, electronic components and cybersecurity, his 

vision and strategy have greatly impacted the success of his clients 

in the Americas. Most recently, he has been involved in emerging 

Cyber Security solutions based on hardware level AI based 

protection against ransomware, data cloning and physical attacks. 

our company website https://www.flexxon.com/ 



Executive Order Instructs Certain Organizations to 

Improve Their Cybersecurity Stance 

Financial Institutions Should Boost Their Efforts to Thwart Cyberattacks 

By Bob Thibodeaux, Chief Information Security Officer, DefenseStorm 

Consumer data is one of the most valuable assets for organizations around the world. In fact, it’s been 

said that consumer data is as good as gold. 

And like gold, data is a commodity. However, companies profiting by accessing and storing this data 

have the responsibility to keep it safe. Protecting data has even become a consumer expectation thanks 

to breaches such as Equifax in 2017 (which recently finalized a settlement of up to $425 million) and 

LinkedIn and Facebook just last year. 

Today, however, companies don’t just put consumer interest on the line when building their cybersecurity. 

They can now face new, severe legal action. 



Implementing legislation in hopes to minimize damage 

The Biden administration recently issued Binding Operational Directive 22-01, requiring most federal 

agencies to patch hundreds of cybersecurity vulnerabilities considered major risks for damaging 

intrusions including data breaches or compromise of government computer systems. 

Specifically, “Organizations of all sizes, including the federal government, must protect against malicious 

cyber actors who seek to infiltrate our systems, compromise our data, and endanger American lives,” 

DHS Secretary Alejandro Mayorkas said in a statement alongside the directive. The new order “requires 

federal civilian departments and agencies to protect against critical known vulnerabilities, which will 

reduce the risk of malicious intrusion and increase our collective cybersecurity.” 

What this boils down to is federal institutions, banks, credit unions and fintechs nationwide must find ways 

to comply with these new cybersecurity standards and mandates. But how? What if you are already 

behind the 8 ball? What can be done not only to improve but catch up? 

Meeting challenge with opportunity 

While the new government mandate might seem an insurmountable challenge to all but the big 

corporations, it isn’t. Rather, it’s an opportunity to shore up security and thwart cyberattacks and data 

breaches. 

Financial institutions everywhere already abide by considerable cybersecurity, privacy and information 

security requirements. Further, many have adopted the National Institute of Standards and Technology’s 

(NIST) Cybersecurity Framework as their main cyber risk management tool. But financial institutions that 

haven’t met those standards could take the order as an impetus to do so and improve their cybersecurity 

posture and make improvements in the maturity of their risk management program. 

Perhaps, too, federal institutions will view the order as a reason to enact zero-trust policies, procedures, 

and relevant technologies. The order mandates executive branch agencies to create zero-trust 

environments. 

Putting cybersecurity best practices in place 

Whether a bank, credit union or fintech adopts a zero-trust model or not, it’s wise to consider these best 

practices to increase cybersecurity: 

• Proactively monitor total cyber exposure. Consider partnering with a built-for-banking 

company that provides 24/7, real-time cybersecurity and cyber compliance and sends alerts of 

any anomalies. 



• Stay ahead of fraud. Fraud costs U.S. financial institutions $35 billion a year. Choose a 

cybersecurity provider that can integrate Information Security and the Bank Secrecy Act (BSA) – 

also known as the Anti-Money Laundering (AML) law and Fraud departments in a unified platform 

to prevent losses and protect account holders from the growing threat of fraud. 

• Extend internal cyber teams and expertise with highly skilled and trained security experts. 

Not every financial institution has the resources to adequately monitor and protect their networks, 

particularly outside of “banking hours.” As such, many partner with a certified cybersecurity 

provider that monitors and investigates alerts and provides around-the-clock protection that aligns 

with a company’s specific escalation process. By being that “extra set of eyes,” financial 

institutions can focus on their core business. 

• Keep up to date with compliance. Choosing a cybersecurity provider that also provides cyber 

compliance makes it simple and seamless for financial institutions to stay up to date, even though 

regulatory requirements seem to be always changing. The right provider allows financial 

institutions to leverage an always-on policy and control engine to make sure when compliance 

requirements change, organizations can comply. 

• Provide ongoing cybersecurity education. An organization is only as secure as its weakest 

link. Therefore, employee education should be a top priority. Employees should understand how 

to do things like choose passwords wisely and know how to detect phishing attacks – and what 

to do when a questionable email comes their way. 

Leveraging a trusted cybersecurity partner 

The current administration has prioritized cybersecurity as a national security threat. The mandate aside, 

cybersecurity should be a priority for everyone and every business. 

Financial organizations failing to address cybersecurity could face major damage that includes monetary 

loss, legal consequences, and reputational damage – leading to a loss of customers. 

Keep in mind, financial institutions face more than 70 million cyber events a day. And most small- to midsized 

financial institutions simply don’t have the staff to manage the volume of incidents that can be 

generated by these events, particularly those occurring after hours. 

An experienced cybersecurity provider can help ensure financial institutions are threat-ready and secure. 

The right one can consolidate data from all sources and without volume limits – providing real-time 

visibility into the entire network. It can eliminate false positives and prioritize events so you can address 

the threats that matter the most. 

Because here’s the thing: There are two types of organizations – those that have suffered a data breach 

and those that will. 

And like the price of gold that keeps rising, so, too will the cost of falling prey to a cyber breach. 




Bob Thibodeaux, Chief Information Security Officer at 

DefenseStorm, has more than 20 years of experience as a senior 

security expert and highly accomplished IT executive and 

engineer. Through leadership positions managing IT departments 

and programs, technology operations and data center operations, 

Bob has driven innovative process improvements, disaster 

recovery programs, information security strategies, and audit and 

compliance improvements. He has been responsible for incident 

response, risk management and penetration testing for 

community-focused banks, credit unions and high-tech companies 

across the United States. Bob is a Certified Information Systems 

Security Professional, Digital Forensics Examiner and GIAC 

Penetration Tester. Bob holds a degree in Business and 

Management from the University of Maryland and is a retired 

USAF Senior Master Sergeant. Bob can be reached online at our 

company website https://www.defensestorm.com/. 



Too Hot to Handle:The case for Zero Trust and SASE 

By Jonathan Lee, Senior Product Manager, Menlo Security 

In security today we often see the continued reliance on legacy systems and solutions. 

As cybercriminals have evolved their methods, the security adopted by firms has been unable to keep 

up with a mindset that is focused on detection and response – and criminals know this. 

The recent shift of data, users and applications to the cloud has made the browser the primary place of 

work. Yet when it comes to the cloud, those same on-prem security measures that are still heavily relied 

upon today are no longer adequate. 

To capitalise on this new landscape, threat actors are targeting web browsers with a category of threats, 

termed Highly Evasive Adaptive Threats (HEAT) that bypass traditional security defences. 

HEAT attacks make web browsers the primary attack vector, deploying various methods to evade 

multiple layers of detection in legacy security stacks. This allows them to bypass traditional web security 

protection and leverage the standard capabilities of modern web browsers to deliver malware or 

compromise credentials. 

In its analysis of almost 500,000 malicious domains, Menlo Security Labs discovered that 69% of these 

websites used HEAT tactics to deliver malware. These attacks allow bad actors to deliver malicious 



content to the endpoint by adapting to the targeted environment. Since July of last year, our research 

team has seen a 224% increase in HEAT attacks. 

Given that many of us now spend around three-quarters of our day using a web browser, it’s an obvious 

target. 

HEAT attacks leverage one or more of the following core techniques that bypass legacy network security 

defences: 

1. Evades both static and dynamic content inspection: HEAT attacks evade both signature and 

behavioural analysis engines to deliver malicious payloads to the victim using innovative techniques, 

such as HTML Smuggling. This technique was used by Nobelium the hacking group behind the 

SolarWinds ransomware attack. In a recent case, dubbed ISOMorph, the campaign used the popular 

Discord messaging app to host malicious payloads. Menlo Labs identified over 27,000 malware attacks, 

which were delivered using HTML Smuggling within the last 90 days. 

2. Evades malicious link analysis: These threats evade malicious link analysis engines traditionally 

implemented in the email path where links can be analysed before arriving at the user. 

3. Evades offline categorisation and threat detection: HEAT attacks evade web categorisation by 

delivering malware from benign websites, either by compromising them, or patiently creating new ones. 

Referred to as Good2Bad websites. Menlo Labs has been tracking an active threat campaign dubbed 

SolarMarker, which employs SEO poisoning. The campaign started by compromising a large set of low 

popularity websites that had been categorised as benign, infecting these websites with malicious content. 

Good2Bad websites have increased 137% year-over-year from 2020 to 2021. 

4. Evades HTTP Traffic Inspection: In a HEAT attack, malicious content such as browser exploits, 

crypto-mining code, phishing kit code and images impersonating known brands’ logos is generated by 

JavaScript in the browser by its rendering engine, making any detection technique useless. The top three 

brands impersonated in phishing attacks are Microsoft, PayPal, and Amazon. A new phishing website 

imitating one of these brands is created every 1.7 minutes. 

The case for Zero Trust and SASE 

Be it file inspections performed by SWG anti-virus engines and sandboxes, network and HTTP-level 

inspections, malicious link analysis, offline domain analysis, or indicator of compromise (IOC) feeds, 

many legacy defences are rendered near useless when confronted with these evasive techniques. 

A significant part of the challenge lies in the fact that HEAT characteristics equally have genuine uses. 

Therefore, they cannot simply be blocked at the function level. Rather, they need to be prevented. 

To achieve this, a shift in mindset and an updated security posture is required. Trying to overcome the 

challenges of web security with endpoint security creates a square peg in a round hole scenario – it 

simply does not guarantee protection. 



Critically, endpoint security only detects a threat once it is written to the file system, at which point a 

network will likely have been compromised already. Further, it is not able to protect unmanaged devices, 

while also harbouring a high chance of inundating the security operations centre (SOC) with too many 

alerts. 

In dealing with HEAT, prevention is the best policy. Not only can it help to alleviate pressures on 

endpoints, but it can also make the already challenging lives of SOC teams much easier, creating a more 

sustainable environment of investigation, escalation and resolution. 

This shift begins with a thorough review of existing security policies. Those that still remain built around 

a central policy pillar of detection and response need to be adapted and enhanced so they are fit for 

purpose in the modern work environment. 

A Zero Trust approach, backed by the Secure Access Service Edge (SASE) framework, which 

feature key security technology components will cater to today’s remote and hybrid workforces. SASE 

ensures security is built around users, core applications and company data at the edge by converging 

connectivity and security stacks. No longer are security stacks on the outside looking in; they are 

integrated within the cloud. 

In the face of HEAT, organisations should focus on three key tenets to limit their susceptibility to these 

types of attacks: shifting from a detection to a prevention mindset, stopping threats before they hit the 

endpoint, and incorporating advanced anti-phishing and isolation capabilities. 

For more information on HEAT: Too Hot to Handle. 


Jonathan Lee, Senior Product Manager, Menlo Security. 

Jonathan Lee serves as a trusted advisor to enterprise customers, 

and works closely with analysts and industry experts to identify 

market needs and requirements, and establish Menlo Security as 

a thought leader in the Secure Web Gateway (SWG) and Secure 

Access Service Edge (SASE) space. Jonathan previously worked 

for ProofPoint and Websense. As an industry expert, commentator 

and speaker, Jonathan is well versed in data protection, threat 

analysis, networking, Internet isolation technologies, and clouddelivered 

security. 

Jonathan can be reached online at @Menlosecurity and at our 

company website: https://www.menlosecurity.com/ 



Lessons Learned: In the Principle Of “Least Privilege,” 

Where Do Companies Fall Short? 

By Raj Dodhiawala, President, Remediant 

Lateral movement using compromised admin credentials is integral to almost all ransomware 

and malware attacks today. Specifically exploiting privilege sprawl—or the always-on, alwaysavailable 

administrative access to servers, workstations, and laptops—has become a lucrative 

opportunity for cyber attackers, allowing them to significantly increase their rate of success with 

stolen credentials and elevated privileges and, due to implicit trust between systems, the ease 

of damaging lateral movement. According to Verizon’s 2021 DBIR report, 74% of cyber-attacks 

are caused by privilege misuse or compromise, and for every cybersecurity team, that 

administrative access sprawl and high risk of lateral movement pose as serious, everyday 

threats to their resilience to cyberattacks. 



To prevent lateral movement attacks resulting from stolen and misused privilege access, 

information security teams are increasingly embracing the Principle of Least Privilege (PoLP), 

which NIST defines as “the principle that users and programs should only have the necessary 

privileges to complete their tasks.” It states that for any user or program that needs elevated 

privileges to complete its task or function, IT teams must enable the least amount of privilege, 

no more and no less, to get the job done. This directly emphasizes authorization -- meaning that 

escalated user privileges must only be allowed to match the computing goals of the task at hand. 

While the benefits of PoLP are obvious, there are several challenges that can often get in the 

way of achieving them – whether due to the complexity of implementation or the inability to adapt 

ingrained processes. For example, unlike Linux’s sudoers subsystem, Windows systems do not 

provide granular controls for the tasks an administrative user can or cannot perform. Group 

Policies also only go so far, especially since interactions between multiple policies may negate 

affects to achieve granular control. It’s actually quite common for an enterprise’s Active Directory 

to have Nested Groups, Domain Admins and Backup Admins, and all other privilege groups 

containing broad, obfuscated and over-permissioned configurations that either contradict or 

cancel out any least privileged controls in place. 

One of the biggest issues with PoLP is that time is not explicitly called out as a privilege, and 

thus is simply not considered at all when conferring least privileges. Let’s go back to the alwayson, 

always-available administrative access, but now, the access is constrained to the least 

computing privileges required for the task at hand. The fact that all systems have standing 

privileges defeats the goal of granular control, because an administrator on one system labeled 

trustworthy can, per convenience or with malintent, administer all other systems they have 

standing privileges on, effectively making the principle of least privilege null and void. 

The first step in addressing time is through what Gartner calls Zero Standing Privilege (ZSP), or 

the removal of all standing privileges and the implementation of Just-In-Time administration 

(JITA). First, ZSP removes the privilege sprawl. Then, JITA, bolstered by multi-factor 

authentication (MFA), selectively elevates privileges to the specific system that requires 

attention, exactly when the administration is needed, and for just the right amount of time 

necessary to complete the task. If cyber thieves (or insiders) were to get a foothold on a system, 

the window of opportunity to steal admin credentials would be significantly narrowed, and most 

importantly, they wouldn’t find a plethora of administrative access available to exploit and use to 

move laterally within the organization. 



By combing the Principle of Least Privilege with Zero Standing Privilege and Just-In-Time 

administration, companies ensure: 

• Measurable reduction of attack surfaces by reducing privilege sprawl, making it less likely, 

if not impossible, to hack additional privileged credentials 

• The prevention of lateral movement, due to the absence of persistent admin accounts on 

other systems; if a privilege credential attack does occur, it is contained to a single system 

• Further reduction of risk by using MFA and on-demand, real-time provisioning and 

deprovisioning of access as and when required for the task at hand 

• Protection from insider threats by reducing the likelihood and impact of employee 

negligence or intended error by leveraging unnecessary access 

• More effective incident response actions by removing admin accounts during an event, 

stopping any ongoing incident from installing malware on other systems or proliferating 

on the network 

• Collectively, these benefits enable governance of privilege and increase maturation 

toward Zero Trust 

While the Principle of Least Privilege is an important starting point for organizations, it remains 

incomplete or is weakened by ignoring the element of time. The practice of Zero Standing 

Privilege and Just-In-Time administration adds the time-based protective layer companies need 

at entry points and to prevent lateral movement malicious actors use to readily attack and breach 

their systems today. 


Raj Dodhiawala, President, Remediant, Inc. Raj Dodhiawala 

has over 30 years of experience in enterprise software and 

cybersecurity, primarily focused on bringing disruptive 

enterprise products to new markets. Currently serving as 

President of Remediant, he is bringing focus, agility and 

collaboration across sales, marketing, finance and operations 

and leading the company through its next phase of growth. 

Raj Dodhiawala can be reached online (LinkedIn,) and at our 

company website, https://www.remediant.com 



Redefining Resilience in The New World of Work 

By Andrew Lawton, CEO of Reskube Ltd 

We are entering a new world of work. The Covid-19 pandemic has accelerated the move towards hybrid 

and remote working which was already gaining momentum before the world went into lockdown. From 

one-man-bands to international institutions, workplace and home boundaries have begun to disintegrate. 

From Wall Street to Hong Kong to the City of London, traders are now investing millions of dollars and 

making complex financial decisions from their homes. Equally, lawyers, journalists, broadcasters, and 

workforces across pretty much every sector have had to adjust to forced changes in the way they work, 

and are now doing critical work remotely. 

Even though pandemic restrictions worldwide are easing, home working – either as part of a fully remote 

or hybrid model – is here to stay. But while the likes of monitors, keyboards, stable internet and power 

connection, and IT infrastructures were all material mainstays in an office environment, recreating this in 

our own homes is less straightforward. This represents a risk to business everywhere. 



New risks 

The scale of this problem is eye-opening. Research by Reskube has found that 64% of people in the UK 

who have worked from home in the last year have suffered from an internet or power outage in that time. 

That equates to an estimated 12 million people. Of that, we are finding that 5% of home workers in the 

UK are doing time critical or high value work. That equates to roughly 470 million hours a year where any 

sort of outage would have a severe impact. 

The vast majority of home workers do not currently have a setup that is comparable to their office 

environment. This exposes them to potential security risks as they seek other forms of connection to 

continue working during an outage. This may include connecting to unstable and unvalidated Wi-Fi 

sources. 

Consider a critical worker who is working from home. Imagine that their Wi-Fi connection goes down and 

they are either unable to perform their job, or forced to rely on an unsecure connection to continue. This 

could not only have severe knock-on effects for their productivity, but also representing operational, 

financial, and potentially regulatory risks to the business if security is compromised. 

For IT teams, managing disparate hybrid workforces is proving enough of a challenge as is. These issues 

on top are a further headache they could do without. 

What needs to be done? 

Working from home is here to stay, meaning that businesses face growing risks to their operations as 

power and network outages threaten critical and day-to-day work. 

Up until now, ensuring security and resilience for remote workers has tended to be an afterthought, or 

something that only comes to attention following an outage or security breach. This need not and should 

not be the case. 

A home resilience solution is essential for businesses where workers are undertaking time and mission 

critical work at home, as well as those who rely on a seamless connection for productivity and IT security. 

Alongside laptop, phone and broadband, now is the time for businesses to look at implementing new 

measures to guarantee connectivity for remote workers. This will enable them to take back control of their 

productivity and deliver their best work, uninterrupted. 

The good news is there are solutions available on the market today. Adopting such a solution will reduce 

the risk of interruptions to the delivery of critical business services or of cybersecurity breaches that could 

negatively impact organizations financially, operationally or reputationally. At the same time, it can also 

boost productivity and wellbeing across the wider hybrid workforce. I urge businesses and individuals to 

explore resilient solutions to minimize the risk to their operations from the new world of remote work. 




Andrew Lawton is CEO of Reskube Ltd. Andrew has 

successfully built and lead businesses for 25 years, with senior 

positions held at large companies such as HP and IBM, as well 

as smaller, fast growing companies including Safetynet, 

Guardian and Internet Security Systems (ISS). 

Andrew has a passion for leading high-growth technology 

businesses in the B2B Services, Software, IT, networking, 

telecom, and internet security industries, as well as a strong 

track-record for launching new business initiatives and 

organisations resulting in aggressive growth. 

Andrew Lawton can be reached online here and at the Reskube 

company website https://reskube.com/. 

















































CyberDefense.TV now has 200 hotseat interviews and growing… 

Market leaders, innovators, CEO hot seat interviews and much more. 

A division of Cyber Defense Media Group and sister to Cyber Defense Magazine. 



Free Monthly Cyber Defense eMagazine Via Email 

Enjoy our monthly electronic editions of our Magazines for FREE. 

This magazine is by and for ethical information security professionals with a twist on innovative consumer 

products and privacy issues on top of best practices for IT security and Regulatory Compliance. Our 

mission is to share cutting edge knowledge, real world stories and independent lab reviews on the best 

ideas, products and services in the information technology industry. Our monthly Cyber Defense e- 

Magazines will also keep you up to speed on what’s happening in the cyber-crime and cyber warfare 

arena plus we’ll inform you as next generation and innovative technology vendors have news worthy of 

sharing with you – so enjoy. You get all of this for FREE, always, for our electronic editions. Click here 

to sign up today and within moments, you’ll receive your first email from us with an archive of our 

newsletters along with this month’s newsletter. 

By signing up, you’ll always be in the loop with CDM. 

Copyright (C) 2022, Cyber Defense Magazine, a division of CYBER DEFENSE MEDIA GROUP (STEVEN G. 

SAMUELS LLC. d/b/a) 276 Fifth Avenue, Suite 704, New York, NY 10001, Toll Free (USA): 1-833-844-9468 d/b/a 

CyberDefenseAwards.com, CyberDefenseConferences.com, CyberDefenseMagazine.com, 

CyberDefenseNewswire.com, CyberDefenseProfessionals.com, CyberDefenseRadio.com,and 

CyberDefenseTV.com, is a Limited Liability Corporation (LLC) originally incorporated in the United States of 

America. Our Tax ID (EIN) is: 45-4188465, Cyber Defense Magazine® is a registered trademark of Cyber 

Defense Media Group. EIN: 454-18-8465, DUNS# 078358935. All rights reserved worldwide. 


All rights reserved worldwide. Copyright © 2022, Cyber Defense Magazine. All rights reserved. No part of this 

newsletter may be used or reproduced by any means, graphic, electronic, or mechanical, including photocopying, 

recording, taping or by any information storage retrieval system without the written permission of the publisher 

except in the case of brief quotations embodied in critical articles and reviews. Because of the dynamic nature of 

the Internet, any Web addresses or links contained in this newsletter may have changed since publication and may 

no longer be valid. The views expressed in this work are solely those of the author and do not necessarily reflect 

the views of the publisher, and the publisher hereby disclaims any responsibility for them. Send us great content 

and we’ll post it in the magazine for free, subject to editorial approval and layout. Email us at 



276 Fifth Avenue, Suite 704, New York, NY 1000 

EIN: 454-18-8465, DUNS# 078358935. 

All rights reserved worldwide. 


www.cyberdefensemagazine.com 

NEW YORK (US HQ), LONDON (UK/EU), HONG KONG (ASIA) 

Cyber Defense Magazine - Cyber Defense eMagazine rev. date: 03/01/2022 



Books by our Publisher: https://www.amazon.com/Cryptoconomy-Bitcoins-Blockchains-Bad-Guys-ebook/dp/B07KPNS9NH 

(with others coming soon...) 

10 Years in The Making… 

Thank You to our Loyal Subscribers! 

We've Completely Rebuilt CyberDefenseMagazine.com - Please Let Us Know What You Think. It's mobile 

and tablet friendly and superfast. We hope you like it. In addition, we're past the five nines of 7x24x365 

uptime as we continue to scale with improved Web App Firewalls, Content Deliver Networks (CDNs) 

around the Globe, Faster and More Secure DNS and CyberDefenseMagazine.com up and running as an 

array of live mirror sites and our new B2C consumer magazine CyberSecurityMagazine.com. Millions of 

monthly readers and new platforms coming…starting with www.cyberdefenseconferences.com this 

month…

Cyber Defense eMagazine March Edition for 2022

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?