Sam Ingalls, Author at eSecurity Planet
https://www.esecurityplanet.com/author/singalls/
Industry-leading guidance and analysis for how to keep your business secure.
Fri, 12 Jan 2024 19:43:43 +0000

Top 10 Cloud Access Security Broker (CASB) Solutions
https://www.esecurityplanet.com/products/casb-security-vendors/
Tue, 25 Apr 2023 16:00:00 +0000
Compare the top cloud access security broker (CASB) solutions to ensure your cloud environments are secure.

The post Top 10 Cloud Access Security Broker (CASB) Solutions appeared first on eSecurity Planet.
A cloud access security broker (CASB) solution sits between users and cloud services to protect data and enforce security policies.

In recent years, CASB solutions have become part of broader secure access service edge (SASE) technology as edge and cloud security risks have expanded to include all threats outside the network perimeter, including edge computing, IoT, mobile, cloud, web, email and more.

But an organization looking to protect itself from SaaS application and shadow IT risks still has much to gain from a standalone CASB. We’ve surveyed the CASB market to provide our recommendations for the top CASB vendors, along with buying guidance for those in the market for a CASB solution.


Broadcom

Best for compliance

Broadcom’s solution for addressing visibility into cloud application security is the Symantec CloudSOC CASB. Big cybersecurity acquisitions of Blue Coat Systems and Symantec in the last decade provided the roots of Broadcom’s CASB offerings. Paired with the Symantec cloud data loss prevention (DLP) solution, the Symantec DLP Cloud includes CASB Audit, CASB for SaaS and IaaS, and CASB Gateway.

Pricing

Contact Broadcom’s sales team for pricing details or find an official distributor or consulting services partner.

Key features

  • Deep content inspection and context analysis for visibility into how sensitive data travels
  • API-based inline deployment for fast risk scoring, behavioral analysis, and detection
  • Continuous monitoring of unsanctioned applications, malware, and security policies
  • Central policy engine for controlling how users and apps access and use data

Pros

  • Multiple deployment routes, including endpoints, agentless, web, proxy chaining, and unified authentication
  • Compliance focus for organizations with strict data protection needs

Cons

  • No free trial
  • Limited support contact options


Censornet

Best for reporting

A part of the vendor’s Autonomous Security Engine (ASE) solution, Censornet Cloud Access Security Broker comes integrated with adaptive multi-factor authentication, email security, and web security. Censornet’s CASB also offers Identity as a Service (IDaaS) for secure user authentication.

Censornet offers extensive reporting capabilities, including pre-built trend reports. Users can download and email reports to other members of the organization or to customers. Multiple report views allow security teams to report by device, threat level, user, and other views.

Pricing

The email security plan starts at £1.70 per user/month. The web security and antivirus plan starts at £2.30 per user/month. The CASB plan starts at £2.50 per user/month. To receive an exact quote for your business, contact the sales team.

Key features

  • Risk assessment, rating, and categorization for cloud applications
  • Granular policy-setting control by user, role, device, network, and function
  • Audit reports with multiple criteria, including app class, risk level, and threat type
  • Security awareness training product

Pros

  • Multiple customers have praised the technical support team
  • Extensive reporting options
  • Free trial

Cons

  • Might take time for inexperienced teams to fully customize 


Forcepoint

Best for risk analysis

Forcepoint’s CASB products focus on protecting sensitive data and critical applications. Forcepoint’s cloud audit and protection capabilities are designed for real-time activity monitoring and analytics. Forcepoint has added to its CASB offerings with technology acquisitions from Imperva and Bitglass.

It uses malware engines from CrowdStrike and Bitdefender to halt malware transferred between users and SaaS applications.

Pricing

Forcepoint offers a demo to potential customers. Contact its sales team for a specific quote for your enterprise.

Key features

  • Native user behavioral analysis for profiling app risks and business impact
  • Customizable and advanced risk metrics for evaluating cloud app threat posture
  • Interoperability with Identity-as-a-Service (IDaaS) partners like Okta, Ping, and Centrify
  • MFA for user identification

Pros

  • Detects unmanaged SaaS solutions being used by employees and allows admins to block those applications
  • Integrates CASB data in Common Event Format, a security logging system, for existing SIEM environments
  • Integrates with other Forcepoint solutions, including web security and NGFW

Cons

  • Customer support is priced as an add-on


iBoss

Best for zero trust

iBoss offers CASB as a product in the Application and Data Discovery capabilities of its zero trust platform. iBoss restricts data transfers in corporate systems, redirecting file uploads and other transfers to company accounts if a user tries to send business data to a personal account. iBoss’s CASB offerings are particularly useful for social media and Google and Microsoft cloud applications. The product is well rated by users and analysts alike.

Pricing

iBoss has three zero trust plans, only one of which includes both inline and out-of-band API CASB features (Zero Trust Complete). The least expensive plan requires add-on pricing for both of the CASB features, while the median plan requires add-on pricing for out-of-band API CASB.

Key features

  • Out-of-band deployment options via APIs from MS365, Google, and Box
  • Policy management based on users, groups, and information accessed for data security
  • Native integration with Microsoft Azure, Office 365, and Microsoft Defender for Cloud Apps
  • Policy-based application controls for social media sites like Facebook, Twitter, and LinkedIn

Pros

  • Easy-to-use dashboard displaying usage and application data
  • Highly useful for Office 365 and Google applications

Cons

  • iBoss doesn’t have a standalone CASB, and users must pay additional fees for CASB functionality in some plans.


Lookout

Best for protecting highly sensitive data

Bolstered by the acquisition of CipherCloud, Lookout boasts a number of advanced CASB features like DLP, UEBA, zero trust, and integrated endpoint security. Users can scan historical cloud data to find open file shares and unprotected information. Lookout analyzes encrypted traffic from approved applications as well as unapproved ones and detects application activity even from administrators for potential malicious activity. Another highlight is digital rights management, which allows security teams to encrypt data and limit access to that data based on which applications and services are permitted to see it.

Pricing

Lookout offers a CASB buyer’s guide for customers who want to learn more about the Secure Cloud Access product. To receive an exact quote from Lookout, contact the sales team.

Key features

  • Digital rights management
  • Integration with enterprise mobility management (EMM) solutions for endpoint policies
  • Context-aware tags, including user, group, location, device type, OS, and behavior
  • Notifications when application users access and share sensitive data

Pros

  • Built-in user and entity behavior analytics (UEBA) assessing traffic, devices, and users
  • Data protection that integrates with company email accounts and identifies potential anomalies when emailing sensitive information

Cons

  • Customers must pay for an additional support program to receive technical support. Note that you must pay for at least the second plan, Premium, to get 24/7 support.


Skyhigh Security CASB

Best for access controls

Skyhigh Security’s CASB solution supports data loss prevention policies and blocks attempts to download corporate information to employees’ personal devices. Skyhigh uses both forward and reverse proxy for inline deployment. It provides integrations via API for a variety of business applications, including Slack, Zoom, and GitHub, as well as multiple identity and access management tools. Skyhigh — which comprises McAfee’s former cloud business — includes the CASB tool as part of its SASE platform.

Pricing

Skyhigh offers a demo for potential customers. It has three plans: Essential, Advanced, and Complete. Note that the Essential plan doesn’t have endpoint data loss prevention. To receive an exact quote, contact Skyhigh’s sales team.

Key features

  • Central policy engine with options for templates, importing, and custom policy creation
  • Integrations with existing security software like SIEM, secure web gateways (SWG), NGFWs, and EMM
  • User behavior analytics to identify potential insider threats
  • Shadow IT Cloud Registry, which assesses potential risks for cloud applications that employees might want to use

Pros

  • Gives customers access to 261-point risk assessments and ratings of pertinent cloud applications
  • Offers highly granular access policies based on IP address, location, activity, and other criteria
  • Detects malicious or negligent behavior with machine learning

Cons

  • No free trial 
  • Might be challenging for inexperienced analysts to fully learn because of its granular policies and advanced risk assessments


Microsoft Defender for Cloud Apps

Best for Windows environments

Microsoft Defender for Cloud Apps addresses DLP, compliance, discovery, access and other security functions across business environments like social media, SaaS apps, and email. Office 365 is, of course, a particularly strong use case.

Defender for Cloud Apps supports blocking downloads on untrusted devices. Admins can also label files based on the sensitivity of the data in the file, creating protective rules that limit how the data can be accessed and shared.

Pricing

Note that unlike most of Microsoft’s security solutions, Defender for Cloud Apps doesn’t have a free trial specific to its product. Contact Microsoft’s sales team for further pricing information.

Key features

  • Add-on application governance for OAuth-enabled apps in the organization’s Azure Active Directory tenant
  • Central view of cloud security configuration gaps with remediation recommendations
  • Download blocking for untrusted devices 

Pros

  • Provides real-time controls for remediating threat behavior identified at access points
  • Over 90 risk factors and 26,000+ available app risk and business assessments
  • Good choice for Microsoft cloud environments

Cons

  • Limited third-party SaaS integrations
  • No free trial


Netskope

Best for security integrations

Netskope has long been a leader in CASB technology, with continuous security assessment and compliance. The company has also packaged together a number of offerings as a SASE solution. Highlights of the CASB solution include the Cloud Exchange for tech integrations, including third-party security solutions like EDR and SIEM, and malware blocking for both email and storage service.

Pricing

Potential customers can request a demo from Netskope and request an executive briefing to create specific business solutions custom to their organization. For exact pricing, contact the sales team.

Key features

  • Encryption at rest or managed in real time with certified FIPS 140-2 Level 3 key management systems
  • Integrations with productivity, SSO, cloud storage, EMM, and security applications
  • Dashboard aggregating all traffic, users, and devices for SaaS, IaaS, and web activities
  • Role-based access control for administrator, analyst, and other privileged user roles

Pros

  • Netskope offers regular technical account management sessions for customers
  • Access to 40 threat intelligence feeds informing the detection of anomalous behavior

Cons

  • No free trial
  • 24/7 support and phone customer service are only available at additional cost


Palo Alto Networks Next-Gen CASB

Best for Prisma Cloud and Palo Alto NGFW customers

Palo Alto Networks has brought its considerable security expertise to bear on the CASB and SaaS protection market with an offering that includes SaaS monitoring, compliance, DLP and threat protection. Palo Alto’s SaaS Security and Enterprise DLP products combine to create the CASB. The Next-Generation CASB also has strong integrations with Palo Alto firewalls and access solutions, making it a good choice for businesses that already use Palo Alto security products.

Pricing

The Next-Gen CASB has a lengthy free trial for potential buyers. Contact Palo Alto’s sales team for an enterprise-specific quote.

Key features

  • Advanced DLP functionality via deep learning, NLP, and optical character recognition (OCR)
  • Activity monitoring through scans of traffic, ports, protocols, HTTP/S, FTP, and PrivateVPN
  • Built-in data security reporting for compliance auditing such as GDPR
  • Application controls for setting risk attributes and policy

Pros

  • Native integration with PAN’s VM-Series, NGFW, and Prisma Access solutions
  • 60-day free trial for the Next-Gen CASB solution

Cons

  • May be challenging for smaller, less experienced teams to learn and implement


Proofpoint

Best for employee protection

Enterprise cybersecurity company Proofpoint’s CASB is a user- and DLP-focused solution for revealing shadow IT activity and managing the use of third-party SaaS applications. Proofpoint offers multiple security integrations and helps teams identify the employees most likely to be attacked. It’s a good choice for businesses that want to closely track their organization’s biggest targets.

Pricing

The CASB solution has a live demo available for potential customers. Contact sales to receive a specific quote.

Key features

  • More than 46,000 apps categorized by type and risk attributes 
  • Identify VAPs (Very Attacked People) and set appropriate privileges for sensitive access
  • Deployment integrations with SOAR, IAM, and cloud-service APIs
  • Continuous DLP controls and policies across endpoints, web, email, and cloud applications

Pros

  • Threat detection is based on user-specific contextual data
  • API integration options with multiple other enterprise solutions, including SOAR, SIEM, and ticketing tools
  • Free trial

Cons

  • Administration could be more straightforward when using multiple Proofpoint solutions in one organization.

5 Features of CASB Solutions

CASBs play the critical role of enforcing enterprise security policies for accessing cloud services. The following security features included in CASB solutions are important for businesses that use multiple cloud applications, have remote employees, and need to improve their compliance posture.

Authentication, authorization, and SSO

Correctly verifying users’ identities and confirming that they’re actually permitted to use an application helps organizations reduce cyberattacks that stem from unauthorized access. Authentication differs from authorization: authentication establishes who a user is, while authorization determines what they may enter and use. Single sign-on (SSO) technologies provide authentication for an organization’s set of cloud applications. When a user logs in to the SSO platform, they can securely access all of those applications for that session with one click.

Malware detection and prevention

Malware is one of the biggest threats to enterprises’ day-to-day operations. CASB solutions detect anomalies across cloud applications that could indicate the presence of malware or malicious activity. Examples of anomalies include an attempt to download customer data from Salesforce at an unusual time or unfamiliar files unexpectedly shared with employees’ Google accounts. CASBs alert security admins to this behavior so they can identify and halt potential threats.

Device profiling

Security teams need to know what their organizations’ devices are doing. Device profiling compiles data for each device, such as behavioral data (for example, device traffic) and specification data (for example, the device operating system). This gives teams a comprehensive view of the device and of its presence and behavior on networks, whether company or home networks, and makes it easier to identify device-specific threats.

Logs and alerts

CASB logs track and store data about behavior within the cloud environment. These logs should provide device, user, and application information that can be used to detect and identify threats. Alerts notify security teams when a potential threat has been identified within the cloud environment. Alerts should be raised immediately to give personnel time to mitigate the threat before it spreads or causes more damage.
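As an added example that is not from the article or any vendor, the following Python script runs the kinds of checks described under malware detection and under logs and alerts over a few constructed CASB activity events: an off-hours bulk download of customer data from Salesforce, a file shared to a personal Google account, and use of an unsanctioned app. Field names, the sanctioned-app allowlist, business hours, and the size threshold are assumptions made for the example.

```python
"""Illustrative CASB-style detection over constructed activity logs.

Added example (not the article's or any vendor's code). Encodes the two
anomalies the article names (off-hours bulk download from Salesforce,
unfamiliar file shared to a personal Google account) plus a shadow-IT
check, and runs them over constructed JSON-lines events.
"""
import json
from datetime import datetime, timezone

# Constructed sample events in JSON-lines form; timestamps are UTC.
SAMPLE_LOG = """
{"ts": "2024-03-04T10:12:05Z", "user": "alice@corp.example", "app": "salesforce", "action": "download", "object": "Contacts.csv", "bytes": 120000}
{"ts": "2024-03-04T02:41:33Z", "user": "bob@corp.example", "app": "salesforce", "action": "download", "object": "AllAccounts.csv", "bytes": 48000000}
{"ts": "2024-03-04T11:05:10Z", "user": "carol@corp.example", "app": "gdrive", "action": "share", "object": "Q1-roadmap.docx", "target": "dave@corp.example"}
{"ts": "2024-03-04T11:06:48Z", "user": "eve@corp.example", "app": "gdrive", "action": "share", "object": "invoice.exe", "target": "carol.home@gmail.com"}
{"ts": "2024-03-04T13:20:00Z", "user": "frank@corp.example", "app": "wetransfer", "action": "upload", "object": "customer-list.xlsx", "bytes": 2000000}
"""

# Assumed policy inputs: the sanctioned-app allowlist, the corporate mail
# domain, working hours (UTC), and what counts as a "bulk" download.
SANCTIONED_APPS = {"salesforce", "gdrive", "slack", "m365"}
CORP_DOMAIN = "corp.example"
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 UTC
BULK_DOWNLOAD_BYTES = 10_000_000     # 10 MB in a single download


def parse_events(text):
    """Parse JSON-lines CASB events; skip blank or malformed records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(
                ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            # A bad record should not stop the rest of the log from being
            # analyzed; a real pipeline would count and surface these.
            continue
    return events


def is_external(address):
    """A share target outside the corporate mail domain is external."""
    return not address.lower().endswith("@" + CORP_DOMAIN)


def detect(events):
    """Apply the three rules and return one alert dict per finding.

    Each alert carries the user, app and object so an analyst can pivot
    from the alert back into the CASB log, as the article recommends.
    """
    alerts = []
    for ev in events:
        base = {"user": ev["user"], "app": ev["app"], "object": ev.get("object")}

        # Rule 1: shadow IT, i.e. any activity in an app not on the allowlist.
        if ev["app"] not in SANCTIONED_APPS:
            alerts.append({"rule": "shadow_it", **base})

        # Rule 2: large Salesforce download outside business hours.
        if ev["app"] == "salesforce" and ev["action"] == "download":
            off_hours = ev["ts"].hour not in BUSINESS_HOURS
            bulk = ev.get("bytes", 0) >= BULK_DOWNLOAD_BYTES
            if off_hours and bulk:
                alerts.append({"rule": "off_hours_bulk_download",
                               "bytes": ev["bytes"], **base})

        # Rule 3: file shared to an address outside the corporate domain.
        if ev["action"] == "share" and is_external(ev.get("target", "")):
            alerts.append({"rule": "external_share",
                           "target": ev["target"], **base})
    return alerts


def run_sample():
    """Convenience entry point: parse the constructed log and detect."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```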

Encryption and tokenization

Encryption protects data as it’s stored in cloud solutions and transmitted between them. Encrypting data shields the information from any user who attempts to view it without the decryption key. Tokenization shields employee or user data from view by substituting surrogate values, or tokens, for personally identifiable information.

Why Do You Need a CASB?

The explosion in internet-enabled technology has created a reliance on digital advancements like cloud computing. However, the increase in internet-accessible resources comes with the inherent security risks posed by the worldwide web. Enterprise firewalls, secure web gateways (SWGs), and web application firewalls (WAFs) all strengthen organizations’ security posture, but they don’t offer cloud-specific security.

Protecting applications

Data and applications are moving away from private data centers and leaving behind a stack of on-premises security solutions that offer network visibility, access control, data loss prevention (DLP), threat protection, and breach logging. The cloud’s introduction of SaaS products has moved data from private, on-premises data centers to cloud-based operations.

Similarly, users have widely adopted cloud applications because accessing these tools outside of work and remotely is easier than ever. The added risk to applications and data on the network edge makes tools like CASB essential for cloud-based security.


Remote work and BYOD

The consequence of cloud and mobile proliferation means data and users live beyond the on-premises security infrastructure. Where legacy security systems could effectively monitor local network traffic, CASBs have taken the mantle of monitoring and authenticating access in the cloud.

As organizations have adopted remote work and permitted personal devices (BYOD) for staff, the cloud offers open access from any unmanaged or unsanctioned device on which the user can authenticate. This leaves data vulnerable because it lives in the relevant cloud applications and can be downloaded with little effort. Without a CASB in place, the struggle to identify all access points is a significant roadblock to improving security.

Auditing network applications

Outside of every IT department lives unsanctioned technology known as shadow IT. Personnel using unsanctioned tools pose a security risk to the organization. Before implementing an application, IT departments evaluate the network security posture, relevant configurations, and user training needed to deploy the product properly.

Without these steps and close attention to detail, employees could be agreeing to terms of use and downloading applications that are in direct conflict with the organization’s internal or compliance standards. CASB solutions help decrease the effects of shadow IT.


CASB Benefits

CASB solutions aren’t a one-size-fits-all product. SaaS applications today have specialized APIs that require a compatible CASB to protect the application’s specific traffic. Enterprise organizations can have a suite of CASB solutions to cover the network’s cloud application traffic. 

While CASB products don’t provide perfectly comprehensive security for all cloud systems, they’re a beneficial tool for managing access to business applications. Consider the benefits and limitations of CASB tools before implementing one in your organization’s security infrastructure. 

CASBs control cloud application and data access by combining a variety of security policy enforcement requirements. They can manage single sign-on, logging, authentication and authorization, device profiling, encryption, and tokenization. They can detect, alert, and prevent malware attacks. Benefits of deploying a CASB include: 

  • Restricting unauthorized access
  • Identifying account takeovers
  • Uncovering shadow cloud IT
  • Preventing cloud data loss
  • Managing internal and external data access controls
  • Recording an audit trail of risky behavior
  • Identifying cloud phishing and malware threats
  • Continually monitoring for new cloud risks

Other benefits noted by industry adopters include reduced costs, increased agility, and the outsourcing of hardware, engineering, and code development.

Best Practices for Implementing CASB

A CASB is an unusual security solution in that it spans the cloud and both on- and off-premises users, so deployment can be tricky. For a successful rollout, keep the following best practices in mind.

1. Build visibility

The first step is to gain visibility into current cloud usage. This means diving into cloud application account usage and identifying activity by user, application, department, location, and devices used. Analyzing web traffic logs will offer a good reference point and will allow you to evaluate what enterprise or SMB CASB is appropriate. 

2. Forecast risk

The second step is to develop a cloud risk model based on the network’s standard usage patterns. Whether a hacker has gained access with leaked credentials or a former employee still has access to the organization’s cloud applications, these are both instances of risk that the network administrator must consider. 

Unsanctioned access can be dangerous when users have malicious intent and the ability to steal or delete critical data. Organizations can extend existing risk models or develop specialized risk models based on the needed security configurations.

3. Deploy the CASB

The third and final step involves applying the risk model to the current shadow cloud usage and deploying your CASB for action. With the risk model defined, the enterprise can enforce use policies across all cloud services. The IT team can assign risk scores and categorize cloud services for even more visibility into network services moving forward. When onboarding the CASB is complete, administrators can rest assured that their network and cloud infrastructure monitor traffic, protect against threats, fill the DLP gap, and ensure compliance with data privacy and security rules.

After deployment, network administrators and security analysts must give attention to CASB activity and ensure it’s functioning properly for its intended use. Many organizations start small on this process by integrating CASB for an initial application and analysis before integration across the network.


How to Choose the Best CASB for Your Business

Cloud access security solutions aren’t typically one-size-fits-all. To successfully analyze CASBs and choose a suitable product for your organization, consider the following points.

Play to your strengths

Different security teams have varied skillsets, sizes, and levels of expertise. Choose a CASB that’s suitable for the security team that will be using it. An experienced and tenured team will likely benefit from a highly configurable solution, while a team of junior security personnel will want an easy-to-navigate interface and some out-of-the-box templates.

Know your budget

Narrow your list of potential CASBs down to a few choices and contact the sales team for each, getting a specific quote based on your business’s needs. Then analyze with your buying committee to determine which solution is the best combination of affordable and appropriate.

Keep integrations in mind

When shopping for a CASB, make sure the solutions you’re considering support all of the cloud applications that your business needs to protect. For example, if you want to monitor Slack access and behavior, look at CASB products that integrate with Slack.

Don’t forget customer support

Different security teams will need different levels of technical support from the vendor. Less experienced or small teams should select a CASB solution with highly rated, responsive customer support. Larger security teams with years of experience may not need quite as intensive technical services.

3 Types of CASB Deployment

There are three primary deployment methods for CASB solutions: forward proxies for inline deployment, reverse proxies for inline deployment, or APIs for out-of-band deployment.

Inline deployment: Forward proxies

A forward proxy is positioned closer to users and can proxy traffic to multiple cloud services. CASBs inspect cloud traffic for users and employ an SSL man-in-the-middle technique to steer traffic to the CASB forward proxy.

The downside of using a forward proxy is that each device accessing the proxy requires the installation of the proxy’s self-signed certificate. Heavy user load can also introduce latency. For in-scope devices, traffic is redirected to the proxy using PAC files, custom DNS configurations, third-party agents, advanced forwarding, proxy chaining, or TAP mechanisms.

Inline deployment: Reverse proxies

A reverse proxy is positioned closer to the cloud application and can integrate with Identity-as-a-Service (IDaaS) and IAM solutions. It doesn’t require particular client configuration or certificate installation. Reverse proxies receive requests on behalf of the cloud application, apply predefined security rules, and pass the user’s request on.

Out-of-band deployment: API-based

CASBs typically sit in the traffic path between users and cloud platforms; out-of-band deployment instead uses asynchronous APIs to do the job. Through those APIs the CASB receives everything from log events to the configuration state needed to create and enforce the appropriate security policies. Out-of-band CASB deployment enables frictionless change to application behavior, north-south and east-west traffic coverage, and retrospective policy enforcement for data at rest as well as all new traffic.

Gartner points out that APIs’ development and their ability to offer real-time visibility and control could mean the end of proxy-based methods for deploying CASB.

Frequently Asked Questions (FAQs)

You might still have questions about using CASB solutions or need to provide further information to executive team members or a buying committee. These questions help explain the importance of CASB technology and the ways it’s different from other security solutions.

If I already have a firewall, do I need a CASB?

Whether you need a CASB depends on your business’s overall needs. Do you have a large number of cloud-based applications or many users? Are your employees constantly sharing files or accessing sensitive information? 

Regardless of whether you need a CASB, know that a firewall is not enough for most enterprises. You’ll at least need a next-generation firewall, and beyond that, it’s important to invest in a security solution that hunts for threats and vulnerabilities within your infrastructure. Because firewalls sit at the perimeter of a network, server, or application, they can’t halt an attack once it gets past the initial barrier.

What is the difference between CASB and SIEM?

While CASB focuses specifically on cloud applications, SIEM can encompass a broader range of enterprise technology, including hardware. SIEM solutions typically generate events or alerts from cloud solutions as well as other on-premises environments. 

What is the difference between CASB and DLP?

DLP is often a single feature of advanced CASB solutions: CASB not only provides data loss prevention but also other capabilities under its umbrella. Data loss prevention is specifically designed to protect sensitive data from being leaked or stolen. While CASB solutions have features that shield data, that’s not the only goal of cloud access security software.  

What is the difference between CASB and SASE?

Both CASB and SASE protect cloud environments. However, SASE includes large-scale networking security for remote users and locations, while CASB usually covers just SaaS protection. SASE also requires more time to deploy, typically necessitating a full overhaul of existing network security infrastructure. CASB takes less time to implement.

How We Evaluated CASB Solutions

We evaluated a wide range of CASB vendors across multiple data points and product features to make it easier for you to make a thorough assessment of their features, strengths, and limitations. Independent tests, user reviews, vendor information, and analyst reports were among the sources used in our analysis.

Bottom Line: CASB Solutions

Cloud access security brokers help enterprises manage the wealth of cloud apps needed for everyday business operations. The more applications a company uses, the more vulnerable its security posture can be. CASBs help mitigate the threats that besiege cloud applications, including phishing attacks, unauthorized access, and malware. These top-of-the-industry solutions will help your organization become more aware of its cloud vulnerabilities and secure its most important applications.

Considering a variety of cloud solutions? Read about our picks for the top cloud security providers next.

Jenna Phipps contributed to this report.

Top 25 Cybersecurity Experts & Accounts to Follow on Twitter
https://www.esecurityplanet.com/trends/twitter-cybersecurity/
Mon, 03 Apr 2023 11:30:00 +0000
Keep up with the latest cybersecurity news and trends. Check out our list of the top cybersecurity Twitter accounts to follow now.

The post Top 25 Cybersecurity Experts & Accounts to Follow on Twitter appeared first on eSecurity Planet.
More than 15 years after the launch of the microblogging social media platform, Twitter remains a dominant public forum for instant communication with individuals and organizations worldwide on a universe of topics, including cybersecurity.

Here are the top Twitter accounts to follow for the latest commentary, research, and much-needed humor in the ever-evolving information security space – followed by five accounts on the increasingly active Mastodon security community. Our review considered experience in enterprise cybersecurity, contributions to research and real-time developments, and Twitter-specific metrics like following and activity frequency.

See our picks for the top cybersecurity companies and startups

Aleksandra Doniec

@hasherezade
One of Europe’s top malware analysts thanks to her work for places like Malwarebytes, Aleksandra Doniec has provided a number of in-depth ransomware analyses and security tools throughout her career. Her contributions were significant enough to have her included in Forbes’ 2018 “30 Under 30 Europe” in the Technology category. Her private account offers a host of cybersecurity insights, particularly related to malware and ransomware, along with personal tweets. Her website also provides links to some of the useful cybersecurity tools and scripts she has created over the years, many of them open source.

https://twitter.com/hasherezade/status/1637614885621096449

Binni Shah

@binitamshah
Security enthusiast and Linux evangelist Binni Shah consistently offers valuable tutorials, guides, and insights for the cybersecurity community. Shah provides her expertise in hacking, software development, and kernel development and advocates for open source initiatives. This is an account to watch for developers working in Linux environments.

https://twitter.com/binitamshah/status/1638197681108418565

Bruce Schneier

@schneierblog
Security technologist Bruce Schneier was respected long before the launch of Twitter. His 1994 book detailing cryptographic algorithms (Applied Cryptography) was just the beginning of his contributions to technical perspectives on system design, cybersecurity, privacy, and more. His Twitter updates are short, newsy, and to the point. They include links to his blog posts, which expand on the mentioned topic.

https://twitter.com/schneierblog/status/1633445222624681985

Dave Kennedy

@HackingDave
Dave Kennedy started as a forensic analysis and cyber warfare specialist in the US Marine Corps before entering the enterprise space. Kennedy founded cybersecurity-focused TrustedSec and Binary Defense Systems and co-authored Metasploit: The Penetration Tester’s Guide. He retweets multiple experts’ posts on different security topics and also participates in industry conversations and events.

https://twitter.com/HackingDave/status/1635990706366889985

Eugene Kaspersky

@e_kaspersky
Russian software engineer Eugene Kaspersky’s frustration with the malware of the 80s and 90s led to the founding of antivirus and cybersecurity vendor Kaspersky Lab. Kaspersky currently serves as CEO and a distinguished cybersecurity expert in the international community. He discusses both consumer and business security on his Twitter feed and covers a wide variety of cybersecurity topics.

https://twitter.com/e_kaspersky/status/1620317049376411649

Eva Galperin

@evacide
Starting with her first desktop on a Unix machine at age 12, Eva Galperin’s contributions to cybersecurity include research on malware and privacy. Galperin is the current Director of Cybersecurity at the Electronic Frontier Foundation (EFF) and a noted free speech advocate. Note that Galperin’s current Twitter discussions now center more around politics than cybersecurity.

https://twitter.com/evacide/status/1629204223165620224

Graham Cluley

@gcluley
Graham Cluley started as a video game developer and antivirus programmer three decades ago before serving in senior roles at Sophos and McAfee. In recent years, Cluley has been well-known for his cybersecurity analysis, blog, and award-winning podcast Smashing Security. The podcast takes a lighter approach to major cybersecurity topics, for those who want a more humorous look at the industry.

https://twitter.com/gcluley/status/1638869551772319744

Jason Haddix

@Jhaddix
Through tenures at Citrix, HP, and Bugcrowd, Jason Haddix offers his expertise in the areas of penetration testing, web application testing, static analysis, and more. Haddix continues to provide his insights on Twitter while occasionally appearing on podcasts. Consider following Haddix if you want to learn more about security testing news and trends.

https://twitter.com/Jhaddix/status/1514933567159033858

Jeremiah Grossman

@jeremiahg
With deep industry experience, Jeremiah Grossman was the Information Security Officer for Yahoo!, founder and CTO of WhiteHat Security, and Chief of Security Strategy for SentinelOne. Grossman is an innovative industry leader. He currently works in security strategy at Tenable. Grossman’s tweets are short and straightforward, covering both enterprise tips and nationwide security news.

https://twitter.com/jeremiahg/status/1599932128875417600

Marcus J. Carey

@marcusjcarey
Marcus J. Carey started his cybersecurity career assisting federal agencies with pen testing, incident response, and digital forensics. Two decades later, the information security expert is a distinguished author (Tribe of Hackers), entrepreneur, and speaker. Occasionally he posts security career information for those in the job field.

https://twitter.com/marcusjcarey/status/1606018667879272450

Maria Markstedter

@Fox0x01
As managing vulnerabilities in embedded systems becomes increasingly crucial to cybersecurity, Maria Markstedter offers her expertise as an independent security researcher and founder of Azeria Labs. Markstedter actively contributes to filling the infosec education gap.

https://twitter.com/Fox0x01/status/1576907613387706368

Matthew Green

@matthew_d_green
Matthew Green is a renowned expert in cryptographic engineering. Green’s contributions to applied cryptography are profound, and his other research includes securing storage and payment systems. He is currently an Associate Professor at Johns Hopkins University.

https://twitter.com/matthew_d_green/status/1637035201535590404

Katie Moussouris

@k8em0
Katie Moussouris’ resume includes studying at MIT and Harvard, enterprise experience at Symantec and Microsoft, and years of promoting bug bounty programs and white hat hacking. Today, Moussouris is the founder and CEO of cybersecurity consultancy Luta Security.

https://twitter.com/k8em0/status/1637465815711891458

Also read: Top Next-Generation Firewall (NGFW) Vendors

Kevin Mitnick

@kevinmitnick
Formerly on the FBI’s Most Wanted list, Kevin Mitnick is a crucial figure in the history of information security, including approaches to social engineering and penetration testing. Today, Mitnick operates his consultancy and serves as Chief Hacking Officer for KnowBe4. He also participates in educational sessions hosted by other major tech companies, covering cybersecurity topics.

https://twitter.com/kevinmitnick/status/1525111447654924290

Mikko Hyppönen

@mikko
Mikko Hyppönen is the veteran chief research officer of Finnish cybersecurity company WithSecure. After three decades of experience analyzing and following the latest security threats, Hyppönen continues to offer his perspective on privacy, cybersecurity, and so-called “smart” devices.

https://twitter.com/mikko/status/1636749889211101184

Paul Asadoorian

@securityweekly
Once a penetration tester, Paul Asadoorian has been the founder and CEO of Security Weekly and host of a weekly show since 2005. Asadoorian has built a cybersecurity media force while also serving as a partner for Offensive Countermeasures. He is currently a security evangelist at Eclypsium.

https://twitter.com/securityweekly/status/1638192695674896386

Parisa Tabriz

@laparisa
Google’s Security Princess is Parisa Tabriz, one of the technology giant’s most esteemed hackers. Tabriz has led Google Chrome’s security since 2013, which extends to managing product, engineering, and UX today. Tabriz is a tireless advocate for ethical hacking.

https://twitter.com/laparisa/status/1578475355765059584

Rachel Tobac

@RachelTobac
Three-time winner of DEF CON’s Social Engineering Capture the Flag Contest, Rachel Tobac is a hacker and CEO of SocialProof Security. Tobac’s expertise in social engineering and spreading awareness provides excellent insight into today’s sophisticated threats.

https://twitter.com/RachelTobac/status/1636481960221765632

Robert M. Lee

@RobertMLee
Dragos founder and CEO Robert M. Lee started his career as a Cyber Warfare Operations Officer for the U.S. Air Force before building the SANS Institute’s first dedicated ICS monitoring courses. Lee continues to be a leading voice in the critical infrastructure cybersecurity space.

https://twitter.com/RobertMLee/status/1593337606518951936

Runa Sandvik

@Runasand
Runa Sandvik was a hacker and early developer of the Tor network before her rise to senior director of information security for the New York Times. Today Sandvik is an independent researcher and consultant, and an advocate for strengthening freedom of the press and privacy. Her Twitter feed often addresses international security news.

https://twitter.com/runasand/status/1628000824495419398

Samy Kamkar

@Samykamkar
Hacker, researcher, and entrepreneur Samy Kamkar launched a unified communications company as a teen before setting off an XSS attack against MySpace. Lesson learned, Kamkar continues to test security integrity years later as co-founder and CSO of Openpath Security.

https://twitter.com/samykamkar/status/1354102556461436928

SwiftOnSecurity

@SwiftOnSecurity
The pseudonymous information security expert known as SwiftOnSecurity is a prominent voice in the universe of cybersecurity. They continually offer a balanced dose of genuine insight into systems and security, along with the funniest and hardest-hitting memes for sysadmins.

https://twitter.com/SwiftOnSecurity/status/1286855769732845568

Tavis Ormandy

@taviso
Tavis Ormandy is an ethical hacker and an information security engineer for Google Project Zero. Ormandy’s expertise includes vulnerability hunting, research, and software development with a bundle of GitHub contributions and published research. His tweets often discuss older technology or ask interactive questions of other experts.

https://twitter.com/taviso/status/1581682151531028480

Thaddeus Grugq

@thegrugq
Commonly known as just the Grugq, Thaddeus Grugq is a security researcher and hacker known for publications and commentary regarding forensic analysis, international espionage, and cybersecurity. In recent years, Grugq has talked openly about high-end exploit brokering.

https://twitter.com/thegrugq/status/839471981120495616

Troy Hunt

@troyhunt
Troy Hunt is an Australian web security consultant and perhaps best known for his project Have I Been Pwned (HIBP), which helps users confirm if their data was compromised due to a breach. After 14 years of enterprise experience at Pfizer, Hunt offers his expertise in a weekly vlog. He’s also written infosec courses for Pluralsight.

https://twitter.com/troyhunt/status/1636225195919970305

Accounts to follow on Mastodon

Some popular security leaders have shifted their focus to Mastodon, an open source social media platform, in the wake of recent turmoil at Twitter. Mastodon’s infosec.exchange platform is specifically geared toward the security industry. Check out these accounts if you prefer not to use Twitter.

Brian Krebs

Brian Krebs still has a Twitter account (@krebsonsecurity), but he posts more regularly about security on Mastodon. He is known for his strong background in journalism, writing often about cybercrime.

Marcus Hutchins

Marcus Hutchins is a security researcher. He frequently posts about artificial intelligence, Twitter, and politics on his Mastodon feed.

Jake Williams

Jake Williams is a security researcher and IANS faculty member. He posts about a variety of international security topics, and also maintains a presence on Twitter.

Kevin Beaumont

Kevin Beaumont is a head of security operations in the United Kingdom. He has over 20 years of experience in the cybersecurity industry and also has a security-focused website, doublepulsar.com.

Lesley Carhart

IT industry veteran and former Hacker of the Year Lesley Carhart is another security researcher who has made the move to Mastodon. She consistently contributes to research and dialogue around incident response, digital forensics, industrial control system security, and more. Carhart is currently the Director of Incident Response at Dragos.

To learn more about security, read about our picks for the best cybersecurity podcasts.

Jenna Phipps updated this article on April 3, 2023.

Top Network Detection & Response (NDR) Solutions
https://www.esecurityplanet.com/products/ndr-network-detection-response/
Fri, 26 Aug 2022 21:49:14 +0000
https://www.esecurityplanet.com/?p=25177
In the race to offer comprehensive cybersecurity solutions, the product known as network detection and response (NDR) is a standalone solution as well as a central component of XDR. Whereas older solutions like antivirus, firewalls, and endpoint detection and response (EDR) have long focused on threats at the network perimeter, the intent of NDR is […]

The post Top Network Detection & Response (NDR) Solutions appeared first on eSecurity Planet.


In the race to offer comprehensive cybersecurity solutions, the product known as network detection and response (NDR) is a standalone solution as well as a central component of XDR.

Whereas older solutions like antivirus, firewalls, and endpoint detection and response (EDR) have long focused on threats at the network perimeter, the intent of NDR is to monitor and act on malicious threats within organization networks using artificial intelligence (AI) and machine learning (ML) analysis.

Edward Snowden and the NSA breach of 2013, as well as dozens of other nightmares, point to the growing threat of inside threats for a universe of IT environments. Today, both outsiders with the right social engineering skills and disgruntled personnel pose risks to sensitive data when network architectures fail to implement microsegmentation and advanced network traffic analysis (NTA).

This article looks at the top network detection and response solutions in the budding sector, what NDR is, and what to consider in an NDR solution.

Also see the Top Network Monitoring Tools

Top Network Detection and Response Solutions

  • Bricata
  • Cisco
  • Darktrace
  • Exeon
  • Extrahop
  • Gigamon
  • Vectra

Cisco

Almost 40 years after its start in Silicon Valley, Cisco remains one of the top IT and cybersecurity solution providers in the world. The Cisco Secure portfolio is massive, including next-generation firewalls (NGFW), MFA, vulnerability management, and DDoS protection. Alongside analytics solutions for cloud, malware, and logs, Cisco’s acquisition of Lancope in 2015 led to the development of its NDR solution, Cisco Secure Network Analytics. Built to detect and act on network threats faster, Cisco SNA is deployable as a cloud-based service, virtual machine, or on-premises appliance.

Cisco Secure Network Analytics Features

  • Detection for signature-less, insider, and encrypted malware threats.
  • Group-based policy adoption and reports to audit and visualize communications.
  • The AnyConnect Network Visibility Module (NVM) for endpoint telemetry data.
  • Malware analysis without decryption for advanced encrypted threats.
  • Integrations with Akamai, Exabeam, Google, LogRhythm, Radware, and Sumo Logic.

Darktrace

Celebrating a decade in 2023, Darktrace was one of the fastest growing cybersecurity startups with a more turbulent ride since its listing on the London Stock Exchange in 2019. The Darktrace stack of solutions covers hardening, detection, and response for hybrid IT environments, including the vendor’s NDR solution, Darktrace DETECT, for applications, email, zero trust, operational technology (OT), and more. Today, the Cambridge, UK-based company puts artificial intelligence first in its security services for over 7,400 businesses in 110 countries. 

Darktrace DETECT Features

  • Self-learning AI to understand, secure, and optimize network interactions.
  • Analyze thousands of metrics for known and unknown malware techniques.
  • Integrations with AWS, Cisco, Fortinet, Microsoft, Okta, Rapid7, and ServiceNow.

ExtraHop Networks

Launched in 2007, ExtraHop’s success as an AI-based cybersecurity vendor led to its acquisition in July 2021 by Bain Capital for $900 million. Hailing from Seattle, Washington, ExtraHop offers Reveal(x) 360, a unified threat intelligence platform for hybrid and multi-cloud IT environments. ExtraHop’s three core NDR solutions cover cloud security, network security, and IT operations. Whether it’s AWS, Google Cloud, or Azure, ExtraHop offers clients cloud-native security and comprehensive visibility into cloud workloads.

ExtraHop Reveal(x) Features

  • Monitor sensitive data and workloads to prevent data breaches.
  • Detects lateral movement and software supply chain attacks and vulnerabilities.
  • Behavior and rule-based analytics to detect and respond to known and unknown threats.
  • Identify threats and unusual activity faster to respond and remediate vulnerabilities.
  • Integrations with Check Point, Citrix, CrowdStrike, IBM, Palo Alto Networks, and Splunk.

Vectra AI

Started in 2012, Vectra already stands out in the NDR marketplace, offering managed detection and response (MDR) and its threat detection and response platform. The San Jose-based company’s solutions span attack surfaces for all major cloud services, data centers, and Microsoft 365, with specialized threat management for ransomware, supply chain attacks, data breaches, and account compromise. Companies have plenty of integrations to choose from for tools like EDR, SIEM, threat intelligence, and Secure Access Service Edge (SASE).

Vectra Threat Detection and Response Platform Features

  • Capture public cloud, SaaS, identity, network, and EDR data for analysis.
  • Multiple AI modeling techniques to audit network workloads.
  • Threat and risk prioritization to inform administrator action and investigation.
  • Automated and manual response options for securing networks in real-time.
  • Integration with AWS, Azure, Juniper, Pentera, SentinelOne, VMware, and Zscaler.

Bricata

Launched in 2014, Bricata is another vendor specializing in NDR capabilities, and successful enough to catch the attention of OpenText, which acquired the Maryland-based vendor in November 2021. While OpenText continues its acquisition spree (notably, acquiring Micro Focus this week), Bricata’s next-generation NDR platform continues to give security administrators visibility into user, device, system, and application behavior inside networks. In addition to real-time context and alerts, Bricata offers clients advanced forensics and threat hunting tools to make the most of investigations and remediation actions.

Bricata Next-Gen NDR Features

  • Software-based and hardware agnostic with consumption-based pricing.
  • Signature inspection, ML-based malware conviction, and anomaly detection.
  • Automated analysis for threats with prioritized workflows to respond fast.
  • Extract and store metadata for investigations and future use.
  • Technology partners with Cylance, Elastic, Garland, OISF, Proofpoint, and Splunk.

Gigamon

Started in 2004, Gigamon has long been in the network visibility game, with a portfolio today consisting of traffic intelligence and cloud, network, and data center visibility. Within its network security stack, Gigamon ThreatINSIGHT is the company’s cloud-based NDR solution for high-fidelity adversary detection and response. Evidence of Gigamon’s strength as an NDR solution is that it integrates with almost every other top NDR pick. Its larger technology alliance program is extensive, with 60 leading vendors for managing network performance, vulnerabilities, and cloud infrastructure. Previously a publicly traded company (NYSE:GIMO), Gigamon was acquired by private equity for $1.6 billion in 2016.

Gigamon ThreatINSIGHT Features

  • Inspection of encrypted traffic and lateral movement for any device, network, and flow.
  • Omnisearch triage and investigation with up to 365 days of network metadata.
  • Ongoing detection tuning and QA with the Gigamon Applied Threat Research (ATR) unit.
  • Sensor and traffic diagnostics via the Gigamon technical success and SaaS Ops teams.
  • Integrations with AWS, Cisco, CrowdStrike, FireEye, New Relic, Nutanix, and Riverbed.

Exeon Analytics

Another budding NDR vendor, Exeon offers advanced security analytics to protect IT and OT environments. Launched in 2016 from the campus of the Swiss Federal Institute of Technology, the Zurich-based company’s ExeonTrace seamlessly analyzes security-related log data from existing infrastructure. With comprehensive visibility, Exeon can help clients identify data leaks, misconfigured devices, shadow IT, and unusual services. While Exeon mentions the ability to connect SIEM, EDR, and IDPS systems, the list of connectors wasn’t immediately available.

ExeonTrace Features

  • Fast deployment which doesn’t require sensors or agents.
  • AI-based threat scoring to prioritize investigations.
  • Insight-driven visualizations including a global map of traffic sources.
  • Network log data analysis, a lightweight approach compared with data-heavy traffic mirroring.

Honorable Mention NDR Solutions

  • Arista Networks
  • Blue Hexagon
  • Broadcom Symantec
  • Corelight
  • Fidelis
  • Hillstone Networks
  • LogRhythm
  • Lumu
  • Progress Flowmon
  • Stamus Networks
  • Threatbook
  • VMware

What is Network Detection & Response?

Network detection and response (NDR) solutions complement tools like EDR and SIEM to analyze and detect malicious network traffic. In the next generation of network traffic analysis (NTA), NDR solutions offer AI and ML-based techniques to evaluate the latest signature-less attacks and unusual traffic patterns. When threats are detected, NDR solutions alert administrators to act or automate pre-configured preventative measures.

NDR Features

  • Cognitive modeling to monitor and analyze tactics, techniques, and procedures (TTP).
  • Real-time and historical view of traffic for investigating suspicious behavior.
  • Context-driven visibility, advanced analytics, and IoC identification for threat hunting.
  • Built-in advanced detection with ability to fine-tune configuration management.
  • Integration with EDR, SIEM, SOAR, and other network security solutions.
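The passage above describes what an NDR does in the abstract: it looks for unusual traffic patterns rather than signatures. The following is an added example (not code from the article or from any NDR vendor) of two such signature-less checks run over constructed NetFlow-style records. The flow records, the host addresses, the internal address range and all thresholds are constructed assumptions; the two behaviours are lateral-movement fan-out (one host reaching many internal peers on admin ports) and beaconing (an internal host contacting one external endpoint at a near-constant interval).

```python
"""Signature-less detections run over constructed NetFlow-style records.

Added example, not from the article or from any NDR vendor's product.
The flow records, host addresses, the internal address range and the
thresholds are all constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
ADMIN_PORTS = {22, 135, 445, 3389, 5985}         # SSH, RPC, SMB, RDP, WinRM
FANOUT_THRESHOLD = 5    # assumed: distinct internal peers on admin ports
BEACON_MIN_FLOWS = 6    # assumed: connections needed before judging regularity
BEACON_MAX_CV = 0.10    # assumed: max coefficient of variation of the gaps

# Constructed records: (timestamp_s, src_ip, dst_ip, dst_port, proto)
FLOWS = (
    # one workstation touching seven internal hosts on SMB in seven seconds
    [(100 + i, "10.0.1.10", f"10.0.1.{20 + i}", 445, "tcp") for i in range(7)]
    # ordinary internal activity from another workstation
    + [(200, "10.0.1.50", "10.0.1.100", 443, "tcp"),
       (210, "10.0.1.50", "10.0.1.101", 445, "tcp")]
    # a host calling the same external address every 60 seconds
    + [(60 * i, "10.0.1.30", "203.0.113.7", 443, "tcp") for i in range(10)]
    # irregular web browsing to an external site
    + [(t, "10.0.1.50", "198.51.100.9", 443, "tcp")
       for t in (5, 17, 90, 300, 301, 420)]
)


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def detect_fanout(flows, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: peer_count} for sources whose count of distinct
    internal admin-port peers reaches the threshold (no time window, for brevity)."""
    peers = defaultdict(set)
    for _, src, dst, port, _ in flows:
        if port in ADMIN_PORTS and is_internal(src) and is_internal(dst):
            peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= threshold}


def detect_beacons(flows, min_flows=BEACON_MIN_FLOWS, max_cv=BEACON_MAX_CV):
    """Return {(src, dst, port): mean_gap_s} for internal->external pairs
    whose inter-arrival gaps are nearly constant (low coefficient of variation)."""
    times = defaultdict(list)
    for ts, src, dst, port, _ in flows:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst, port)].append(ts)
    hits = {}
    for key, stamps in times.items():
        if len(stamps) < min_flows:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            hits[key] = round(avg, 1)
    return hits


if __name__ == "__main__":
    print("fan-out:", detect_fanout(FLOWS))
    print("beacons:", detect_beacons(FLOWS))
```

In a real deployment both checks would run over a sliding time window and feed the SIEM or SOAR integrations the feature list mentions; the thresholds here are only illustrative and would be tuned against a baseline of the organization's own traffic.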

Network Security and NDR

NDR is a complementary network security tool, joining a handful of other critical systems for an enterprise cybersecurity architecture:

  • Cloud security
  • Endpoint detection and response (EDR)
  • Intrusion detection and prevention systems (IDPS)
  • Network traffic analysis (NTA)
  • Next-generation firewalls (NGFW)
  • Security information and event management (SIEM)
  • Security orchestration, automation, and response (SOAR)
  • User and entity behavior analytics (UEBA)

In 2015, Gartner Research Director Anton Chuvakin introduced the conceptual framework for what would become the “SOC visibility triad”. In a 2020 retrospective, Chuvakin explains how logs (via SIEM), endpoint data (via EDR or XDR), and network data (via NTA and NDR) are critical to security visibility.

An infographic from Gartner displaying the SOC Visibility Triad.

How to Choose an NDR Solution

As an emerging security solution, NDR shouldn’t be the first priority for companies building out their cybersecurity infrastructure. That said, the above network detection and response solutions offer plenty for enterprise organizations with well-established cybersecurity postures.

While NDR vendors offer opportunities to bundle other network security tools, including robust portfolios from vendors like Cisco and Sangfor, a top consideration remains ease of integration with existing security systems for SIEM and EDR. Because most organizations aren’t starting from scratch, NDR vendors must strive for interoperability with the leading network security products.

In a crowded marketplace of cybersecurity solutions, NDR is yet another that is on the rise. Only time will tell how niche an audience it will serve. Keep an eye on how the NDR sector evolves in the years to come and whether it survives as a standalone solution and market or gets absorbed by more comprehensive frameworks like XDR.

How to Improve SD-WAN Security: 3 SD-WAN Best Practices
https://www.esecurityplanet.com/networks/sd-wan-security/
Thu, 19 May 2022 22:57:00 +0000
https://www.esecurityplanet.com/?p=17947
As the modern workforce becomes increasingly mobile and enterprises branch out and grow, software-defined wide area networks (SD-WAN) have become a popular choice in the evolution of networking. By applying the benefits of software-defined networking (SDN) to traditional hardware-centric networks, SD-WAN offers enterprises improved flexibility, scalability, performance, and agility for today’s virtual, edge, branch and […]

The post How to Improve SD-WAN Security: 3 SD-WAN Best Practices appeared first on eSecurity Planet.


As the modern workforce becomes increasingly mobile and enterprises branch out and grow, software-defined wide area networks (SD-WAN) have become a popular choice in the evolution of networking.

By applying the benefits of software-defined networking (SDN) to traditional hardware-centric networks, SD-WAN offers enterprises improved flexibility, scalability, performance, and agility for today’s virtual, edge, branch and cloud IT environments. However, with all the benefits SD-WAN provides organizations, it also opens the door for a new set of security challenges.

This article looks at the security functionality of SD-WAN solutions and how to bolster SD-WAN cybersecurity. Jump ahead for a technical review on SD-WAN.


What is SD-WAN?

SD-WAN is a virtual architecture for managing a wide-area network covering distributed, hybrid IT environments typical for today’s enterprise organizations. 

Whereas traditional WANs backhauled all traffic to a central hub or data center, SD-WAN architectures increase the performance of services like SaaS applications by giving on-premises sites direct access to cloud platforms. This cloud-centric model offers administrators granular network management while making better use of available bandwidth and reducing the cost of service delivery.

Traditional Networks vs Software-Defined Networks (SDN)

Veteran system administrators know traditional networks to be the physical hardware – switches, routers, and firewalls – connecting and controlling network traffic for an organization. The control plane (protocols and configuration) and the data plane (forwarding) are the same in conventional networks, giving administrators little flexibility other than physically reconfiguring or resetting network equipment.

Software-defined networks (SDN), by comparison, separate the control plane and data plane and give administrators the power to manage network configurations via a software application. The SDN approach makes the most of modern virtualization and remote network management capabilities and reduces unnecessary travel and deployment costs.

The basis for SDN is the OpenFlow standard, which allows an SDN controller to connect and manage switches and ports for network management.

Also read: Best Business Continuity Software

SDN vs SD-WAN

SD-WAN architectures are an example of SDN technology applied to geographically distant wide-area networks through broadband internet, multiprotocol label switching (MPLS), 4G/LTE, and 5G.

SDN refers explicitly to decoupling control and data planes within the core network, data center, or LAN. In contrast, SD-WAN is the application routing expanded to a distributed network of branch offices and users.

Security Challenges to SD-WAN

With SD-WAN architectures, branch employees and remote users connect to an enterprise network through a web of connected devices over the internet. This IT sprawl and surplus of endpoints add complexity to network security. Even one unsecured entry point can be problematic without proper segmentation.

While SD-WAN offerings come with out-of-the-box security features, this embedded security isn’t enough for securing enterprise workloads over a widely distributed network.

Administrators can first take inventory of the existing or prospective SD-WAN solution’s security functionality to determine what additional security coverage is needed. But the industry consensus by now is Secure Access Service Edge (SASE): the combination of SD-WAN with a set of network security tools that cover security from the edge to the cloud.

The sections below look at standard security features of SD-WAN, followed by how organizations can bolster SD-WAN architectures with SASE and other solutions.

Also read: Top XDR Security Solutions

SD-WAN Security Features and Capabilities

Not every SD-WAN solution is equal, but they all come with some level of security functionality. Most have a handful of built-in security capabilities to offer foundational network security, including Internet Protocol Security (IPsec) virtual private networks (VPN), stateful firewalls, and essential threat detection and response.

Encrypting Data in Transit

With the boom in devices and users connecting to enterprise networks, the attack surface of transmitted data dramatically increases.

Many software-defined networking (SDN) solutions have built-in 128- and 256-bit AES encryption and IPsec-based VPN capabilities. These protected tunnels for information in transit prevent unauthorized access to the network and help ensure ongoing compliance.

Segmenting Traffic

SD-WAN segmentation capabilities allow administrators to separate traffic according to application characteristics and network policies.

Segmenting out virtual networks within the SD-WAN’s overlay prohibits traffic from less secure locations, stopping any malware from compromising other segments with sensitive access or data. Administrators can develop a microsegmentation strategy and incorporate zero trust principles with this added flexibility relative to traditional networks.
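To make the two ideas above concrete, the control/data plane split from the SDN section and the segment-to-segment policy described here, the following is an added example that is not code from the article or from any SDN or SD-WAN vendor. A controller function turns a segmentation policy into a priority-ordered table of match/action entries (loosely modelled on OpenFlow flow entries, with a table-miss entry last), and a separate data-plane function does nothing but look packets up in that table. The segment names, address ranges and the allow-list between segments are constructed assumptions.

```python
"""An SDN-style flow table that enforces SD-WAN overlay segmentation.

Added example, not from the article or from any SDN or SD-WAN vendor.
Segment names, address ranges and the cross-segment allow-list are
constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Net = ipaddress.IPv4Network

# Constructed overlay segments (the "virtual networks" of the SD-WAN overlay).
SEGMENTS: Dict[str, Net] = {
    "guest": ipaddress.ip_network("10.10.0.0/16"),
    "corp": ipaddress.ip_network("10.20.0.0/16"),
    "finance": ipaddress.ip_network("10.30.0.0/16"),
}

# Zero-trust style policy: nothing crosses a segment boundary unless listed.
# (source segment, destination segment, destination port) -- hypothetical.
ALLOWED: Set[Tuple[str, str, int]] = {
    ("corp", "finance", 443),   # corp users may reach the finance web app
    ("guest", "corp", 53),      # guests may only use corp DNS
}

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(order=True)
class FlowEntry:
    """One match/action rule; only priority takes part in ordering."""
    priority: int
    src: Net = field(compare=False)
    dst: Net = field(compare=False)
    dst_port: Optional[int] = field(compare=False)   # None = any port
    action: str = field(compare=False)               # "forward" or "drop"

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and (self.dst_port is None or self.dst_port == dst_port))


def controller_build_table(segments=SEGMENTS, allowed=ALLOWED) -> List[FlowEntry]:
    """Control plane: turn segment policy into a flow table, highest priority first."""
    table = []
    for net in segments.values():                      # traffic inside a segment
        table.append(FlowEntry(10, net, net, None, "forward"))
    for src_seg, dst_seg, port in allowed:             # explicit cross-segment allows
        table.append(FlowEntry(20, segments[src_seg], segments[dst_seg], port, "forward"))
    table.append(FlowEntry(0, ANY, ANY, None, "drop"))  # table-miss: default deny
    return sorted(table, reverse=True)


def data_plane_forward(table: List[FlowEntry], src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Data plane: the first (highest-priority) matching entry decides; no policy logic here."""
    for entry in table:
        if entry.matches(src_ip, dst_ip, dst_port):
            return entry.action
    return "drop"   # unreachable while the table-miss entry is installed


if __name__ == "__main__":
    table = controller_build_table()
    # Constructed packets: a guest host probing finance over SMB is dropped even
    # though the same SMB flow inside the finance segment is forwarded.
    for pkt in [("10.10.0.5", "10.30.0.9", 445), ("10.30.0.4", "10.30.0.9", 445),
                ("10.20.0.7", "10.30.0.9", 443), ("10.20.0.7", "10.30.0.9", 22)]:
        print(pkt, "->", data_plane_forward(table, *pkt))
```

The point of the split is visible in the two functions: changing the policy means editing the allow-list and regenerating the table from the controller, while the forwarding logic never changes. A real SD-WAN controller pushes equivalent entries to every edge device, so the same segmentation holds at each branch without physically reconfiguring equipment.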

Detecting and Responding to Threats

Many SD-WAN providers offer access to threat intelligence services that can automatically identify and mitigate common security threats. Many of these services use artificial intelligence and machine learning (AI and ML) to predict possible security breaches by identifying suspicious patterns in network traffic.

Read more: Best User & Entity Behavior Analytics (UEBA) Tools

Top 3 SD-WAN Security Best Practices

SD-WAN’s built-in security isn’t enough. It offers clients base protection, but enterprises need to take additional measures to identify increasingly advanced threats and execute remediation. Considering how expansive SD-WAN architectures can be, the next step is filling the gaps in coverage with appropriate security functionality.

Next-Generation Firewalls (NGFW) and FWaaS 

Most SD-WAN solutions come with a built-in firewall; however, these are typically stateful firewalls that only include packet filtering and Layer 3 protection. These firewalls may effectively restrict unauthorized access based on IP addresses and ports, but they do not provide the end-to-end coverage that branched-out enterprises require.

Next-generation firewalls (NGFW) are critical for enterprise network traffic. The latest firewalls offer advanced functionality, including:

  • Intrusion detection and prevention systems (IDPS)
  • Data loss prevention (DLP)
  • Deep packet inspection (DPI)
  • Sandboxing

Firewall-as-a-Service (FWaaS) is the cloud-delivered form of the NGFW, positioned to manage traffic at critical cloud access points. In the cloud-based security era, NGFW and FWaaS solutions are both vital to implementing microsegmentation.

Inspecting Web Traffic

Experienced administrators understand the importance of inspecting all network traffic. However, with TLS-encrypted traffic accounting for most traffic across the internet, it’s far more challenging to examine at scale. As a result, hackers often hide malware in SSL/TLS traffic, as they know it’s less likely to be discovered.

Fortunately, solutions are available that intercept TLS communications between the client and the server: the inspecting proxy terminates the TLS session, decrypts the traffic, and inspects it with antivirus scanning and web filtering. Once cleared, the traffic is re-encrypted and forwarded to its destination.

Web application firewalls (WAF), secure web gateways (SWG), and cloud access security brokers (CASB) are all worthy considerations when protecting against web attacks.


Promptly Patching Systems

Threat actors are constantly looking for new ways to gain access to networks. For this reason, software and firmware providers often release updates and patches to thwart hackers’ attempts. Unfortunately, these updates don’t always occur automatically or at the frequency needed.

It is vital that administrators do not fall behind on updates, especially for popular applications and critical servers. Learn more about automating updates with eSP’s Best Patch Management Software and Tools.

Backups and a rigorous backup strategy are another essential part of the network security puzzle, as they ensure lost data is recoverable when all else fails. Backups also offer additional flexibility in responding to a growing reality for organizations of all sizes: ransomware attacks.

SASE: SD-WAN and SSE

SASE combines SD-WAN and the Security Service Edge (SSE), the set of tools enabling edge-to-cloud security for enterprise networks. Though there isn’t a definitive list of SSE tools, standard components include several of the tools discussed above, such as FWaaS, SWG, and CASB, as well as:



SD-WAN: Securing Today’s Enterprise Networks

Many top SD-WAN vendors continue to adopt SASE capabilities to reduce client exposure in the budding secure SD-WAN market. Meanwhile, several network security companies are provisioning security appliances to support SD-WAN.

Things get tricky because of how all-encompassing the SD-WAN or SASE solution bundle is. Standalone SD-WAN solutions, as noted above, often offer a base level of protection, whereas SASE covers the gamut of edge-to-cloud security needs. Customers have plenty to consider between pure SD-WAN, pure SSE, and SASE vendors offering the capabilities of both.

Many SD-WAN providers will tout their product as a comprehensive SDN and security solution. Still, too many variables left up to a single vendor can spell danger for an enterprise organization.

The combination of built-in security features, SASE functionality, and additional measures can help ensure an organization’s SD-WAN architecture remains safe from malware and data loss.

This article was originally written by Kyle Guercio on October 9, 2020, and updated by Sam Ingalls on May 19, 2022.

Top SD-WAN Solutions for Enterprise Security (https://www.esecurityplanet.com/products/sd-wan/, Thu, 19 May 2022 17:36:29 +0000)


The development of software-defined wide area networking (SD-WAN) has given enterprise administrators flexibility akin to virtualization to manage distributed networks and users globally.

Wide area networks have come a long way over the decades, and the introduction of cloud, edge, and virtual workloads only adds to the complexity of managing modern networks. As organizations embrace hybrid IT environments, SD-WAN and cloud-delivered security tools combine to form a Secure Access Service Edge (SASE) offering that gives organizations the latest capabilities for optimizing WANs and securing hybrid enterprise workloads.

The emergence of SD-WAN and SASE technologies bundled together has led many vendors to address both advanced routing and network security for clients. Networking specialists like Cisco and HPE’s Aruba are moving deeper into security. Meanwhile, network security vendors like Fortinet and Palo Alto Networks are extending their networking capabilities.

This article looks at the top SD-WAN vendors for enterprise security and how each is addressing exposure through built-in security functionality or integrated capabilities.

Top SD-WAN Solutions for Enterprise Cybersecurity


Aruba

Launched in 2002 and specializing in wireless networking, Aruba Networks’ success led to its acquisition by Hewlett-Packard in 2015. Already a leading SD-WAN pick, the HPE subsidiary boosted its market position with acquisitions of security vendor Cape Networks in 2018 and WAN specialist Silver Peak Systems in 2020.

The Aruba EdgeConnect Enterprise SD-WAN platform addresses several common problems for enterprise organizations, including WAN optimization, multi-cloud management, cloud application performance, and edge-to-cloud security. EdgeConnect Enterprise notably comes with firewall, segmentation, and application control capabilities. With Aruba, clients can also bundle SD-WAN coverage with the company’s security solutions for virtual private network (VPN), network access control (NAC), and unified threat management (UTM).

Features: Aruba EdgeConnect Enterprise SD-WAN

  • Designed for zero trust and SASE security frameworks
  • Identity-based intrusion detection and prevention (IDPS) and access control
  • Automated integrations with leading cloud-hosted security vendors
  • Integrated threat defense for DDoS, phishing, and ransomware attacks
  • Insights into client devices with AI-based discovery and profiling techniques

Barracuda Networks

The first traditional cybersecurity vendor featured is Barracuda Networks, with consistent recognition for its email security, next-generation firewalls (NGFW), web application security, and backups. The vendor’s Secure SD-WAN product sits under Barracuda’s Network Protection solutions alongside zero trust access, industrial security for OT and IoT networks, and SASE.

The Barracuda CloudGen Firewall and Secure SD-WAN provide the expected benefits of software-defined networking with the vendor’s enterprise security capabilities. The CloudGen WAN is a global SASE service built on Azure; meanwhile, the CloudGen Firewall offers an advanced firewall for today’s hybrid workloads.

Features: Barracuda CloudGen Firewall and Secure SD-WAN


Cato Networks

The youngest secure SD-WAN pick is SASE technology vendor Cato Networks. In 2015, the co-founders behind Check Point, Imperva, and Incapsula started one of the hottest cybersecurity startups in recent years. The cloud-based company’s more extensive portfolio includes security as a service (SECaaS), secure remote access, and cloud infrastructure management to round out its SASE approach.

Administrators can deploy, configure, and monitor a range of network controls and traffic from the Cato Edge SD-WAN portal. Cato’s edge models include zero-touch deployment for instant operational status when connected to power and an IP address. With Cato’s cloud-based enterprise security solutions, clients can also stay in-house for firewall-as-a-service (FWaaS), cloud access security broker (CASB), secure web gateway (SWG), managed detection and response (MDR), and more.

Features: Cato Edge SD-WAN and SASE

  • Deep packet inspection (DPI) engine with robust third-party library and ML algorithms
  • Identity-aware network rules with policy-based routing and dynamic path selection
  • Packet loss mitigation to guard against remote desktop and VoIP attacks
  • Primary and secondary sockets via VRRP for seamless switching and high availability
  • Advanced hunting of network and security events with Cato-hosted data warehouse

Cisco

Networking and IT giant Cisco is an undisputed leader in the secure SD-WAN solution space. Alongside its over 200 acquisitions in four decades, Cisco acquired SD-WAN market innovator Viptela in 2017 to cement its commitment to internet-based networking solutions. Cisco, like other vendors, recognizes securing SD-WAN means moving towards SASE for clients.

Cisco SD-WAN solutions are available as a subscription or on-premises SD-WAN routers. Through the company’s cloud security solution – Cisco Umbrella, formerly OpenDNS – clients can add coverage for FWaaS, CASB, and SWG capabilities. Administrators can quickly connect and establish an SD-WAN overlay fabric with the Cisco vManage console.

Features: Cisco SD-WAN

  • Built-in edge security, including encryption, URL filtering, and malware protection
  • Cloud-agnostic branch connectivity, SaaS optimization, and IaaS integrations
  • Application-aware enterprise NGFW, Snort IPS, and malware sandboxing
  • Microsegmentation and identity-based policy management
  • Self-healing firmware to prevent exploitation of vulnerabilities

Fortinet

Veteran cybersecurity vendor Fortinet is an SD-WAN leader building off its existing network security portfolio to enable clients’ wide area networks. The Fortinet Secure SD-WAN solution contains many features to address hybrid deployment, routing, security, redundancy, and orchestration. The network security innovator’s NGFW, FortiGate, comes with FortiGuard threat intelligence at the center of it all.

Using an ASIC-accelerated platform, administrators can manage advanced routing, NGFW management, and application prioritization from Fortinet’s unified solution for SD-WAN. Fortinet’s range of product specifications is impressive, with solutions for private and public cloud, hub, and branch appliances for home offices, small and medium businesses, and enterprise organizations.

Features: Fortinet Secure SD-WAN

  • Micro, macro, single task VDOM, and multi-VDOM segmentation options
  • Anti-virus, web filtering, SSL inspection, and app control for web security
  • Site-to-site dynamic VPN tunnels with a range of encryption algorithm support
  • Forward error correction (FEC) for packet loss compensation and duplication
  • RESTful API for zero touch provisioning, configuration, reporting, and integrations

Juniper Networks

Launched in 1996, Juniper Networks covers the gamut of networking hardware, but with the acquisition of NetScreen Technologies in 2004, the vendor also has almost two decades in the cybersecurity space. Juniper’s security portfolio includes firewalls and advanced threat protection (ATP). ATP has an extensive list of enterprise features, including threat intelligence, risk profiling, network access control, and malware sandboxing.

Through Juniper’s Session Smart Routers (SSR), clients get an SD-WAN powered by AI to manage routing and network security. Juniper’s FWaaS comes with the company’s Secure Edge solution and includes anti-malware, web filtering, and intrusion prevention systems (IPS). Administrators can also automate the design, deployment, and management of networks spanning hybrid IT environments with Juniper’s SDN solutions.

Features: Juniper Session Smart Routers and SASE

  • Tenant-based security architecture for behavioral awareness in management
  • Designed to meet Forrester and NIST’s zero trust principles
  • Support for AES-256 encryption and HMAC-SHA-256 authentication
  • Compliant with PCI DSS, ICSA, and FIPS 140-2
  • Context-specific access control list (ACL) for authenticating users

Open Systems

Open Systems has over three decades of experience in the cybersecurity space and specializes in MDR, cloud security, and integrations for Microsoft security services. The award-winning channel partner helps clients assess and enable Microsoft security infrastructure through cloud or managed service offerings.

Hailing from Zürich, Switzerland, Open Systems’ SD-WAN sits alongside the vendor’s complete SASE bundle, including network detection and response (NDR), cloud sandboxes, CASB, SWG, and ZTNA. All three of the cybersecurity vendor’s SASE service plans come with asset lifecycle management, architecture design and consulting, and SD-WAN, with the option to add a list of other tools.

Features: Open Systems Secure SD-WAN and SASE

  • DNS filter for end-to-end web traffic protection, scanning, and authentication
  • Application monitoring to act on network traffic usage and control bandwidth
  • Automatic site-to-site encryption for all traffic and advanced routing
  • SASE Atlas tool monitors and analyzes the real-time health of network connections
  • Hybrid packet inspection for fast, efficient application matching for visibility

Palo Alto Networks

Founded in 2005, Palo Alto Networks is a leading network security provider whose reputation extends to its SD-WAN capabilities. The enterprise vendor’s solutions cover security operations, threat intelligence, zero trust networks, cloud security, and SASE.

Palo Alto Networks makes the list for its Prisma Access and Prisma SD-WAN solutions, bundled together to give administrators optimized networking and security capabilities for enterprise hybrid networks. Prisma Access delivers SASE technologies including SWG, CASB, FWaaS, and autonomous digital experience management (ADEM). Notable integrations for Prisma SD-WAN include AWS, Azure, Google Cloud Platform, Microsoft Teams, and ServiceNow.

Features: Palo Alto Networks Prisma Access and SD-WAN

  • Cloud-based firewall offering URL filtering, sandboxing, and threat prevention
  • Zero trust principles like continuous trust verification and least-privileged access
  • Machine learning and static analysis to guard against web-based threats
  • Inline and API-based controls with contextual policies for SaaS apps
  • Okyo Enterprise Edition for securing work-from-home employees

Versa Networks

Ten years after its launch, Versa Networks is a leader in SD-WAN technology as part of the vendor’s approach to SASE. Versa offers everything – endpoints, appliances, cloud gateways, and controllers – allowing enterprise organizations to deploy networks across on-premises, cloud, and hybrid IT environments.

Versa’s list of SASE capabilities includes zero trust network access (ZTNA), CASB, FWaaS, remote browser isolation (RBI), and real-time analytics. With the boom in IoT devices and work-from-home connections, the Versa SASE solution builds security policies on identity, context, and communication sessions rather than the traditional, physical edge.

Features: Versa SASE

  • Deep packet inspection (DPI) engine recognizes over 3,600 applications automatically
  • DNS Proxy with SD-WAN traffic steering, MP-BGP route exchange, and stateful HA
  • Packet loss reduction via link avoidance, packet replication, and FEC
  • Ongoing analysis and risk assessment of communication sessions
  • Overlay encryption encapsulation options for VXLAN or MPLS/GRE and dynamic IPsec

VMware

The virtualization pioneer VMware continues to solidify its position as an enterprise IT infrastructure provider and a leader in the budding SD-WAN space. Within the vendor’s cloud and edge infrastructure solutions, organizations can evaluate VMware’s products for merging wide area networking, security, and processing from a central cloud console.

The VMware SD-WAN solution bundles the company’s network server gateways, enterprise edge appliances, and the SD-WAN Orchestrator to enable enterprise-wide management. VMware’s approach to SASE gives clients access to ZTNA, SWG, and CASB security tools. Administrators can also deploy virtual network functions (VNF) as VMs for typical network roles with VMware.

Features: VMware SD-WAN and SASE

  • Pre-defined or customizable policies for business network application prioritization
  • Data loss prevention (DLP) and remote browser isolation (RBI) for web security
  • Compliant and certification ready for PCI DSS 3.2
  • Identity, location, and context-based approach for granting authorization
  • AI and ML-based analytics and automation for engaging with network intelligence

Honorable Mention Secure SD-WAN Solutions

Aryaka, Bigleaf, Citrix, Forcepoint, Huawei, Infiot, LANCOM, Lumen, Netskope, Nuage Networks, Oracle, Peplink, Riverbed, Sangfor, and Zscaler.

What is an SD-WAN Solution?

A software-defined wide-area network (SD-WAN) is the latest networking architecture to manage and optimize enterprise offices and networks across hybrid IT environments from a central cloud console.

Unlike legacy WANs, which backhauled all traffic through a core network or data center, SD-WAN allows administrators to connect on-premises devices to SaaS applications and improve performance for local users. By separating the data and control planes, SD-WAN gives organizations more flexibility to optimize WANs and secure cloud, edge, and IoT networks.

Other foundational SD-WAN characteristics include support for dynamic path selection, multiple connection types (MPLS, Fiber, 4G LTE, and 5G), and third-party security integrations through a central interface.

An infographic from Cisco laying out its SD-WAN architecture.

SD-WAN Solution Features

  • Central console offering configuration management over SD-WAN architecture
  • IPsec and VPN tunnels for authentication and encryption of traffic in transit
  • Application awareness to track and control pertinent traffic and bandwidth
  • Web traffic protection, including SSL inspections and URL filtering
  • Aggregate connectivity for load balancing and reducing downtime
  • Edge caching to optimize application performance
  • Threat protection with standard anti-virus and threat detection

How Does SD-WAN Work?

SD-WAN solutions include pre-configured hardware appliances for edge networks, remote locations, branch offices, and data centers, and the software designed to connect and support SD-WAN capabilities.

Organizations can purchase the needed hardware for different WAN segments, plug those appliances in, and have almost instant access to configure network operations. Administrators can familiarize themselves with the SD-WAN systems and controls through the cloud console. Though most solutions come with some level of pre-configuration, additional changes to meet the specific organization’s networking and security requirements are essential.

SD-WAN vs SASE

SD-WAN predates the naming of the Secure Access Service Edge by a few years and is a declared component of SASE architectures. While SD-WAN addresses managing various distributions of WANs, advanced routing, and network optimization, SASE is a comprehensive IT service umbrella covering the latest hybrid network architectures.

SD-WAN plays a critical role as the software enabling the virtualization of distant hardware networks and advanced management capabilities. Other SASE components are what Gartner refers to as Security Service Edge (SSE).

The Security Service Edge (SSE)

Defined by Gartner as “a convergence of network security services delivered from a purpose-built cloud platform,” the SSE is a subset of SASE addressing everything outside of WAN edge infrastructure.

Standard security tools found within SSE frameworks include:

  • Browser isolation
  • Cloud access security broker (CASB)
  • Cloud security posture management (CSPM)
  • Data loss prevention (DLP)
  • Data protection
  • Encryption and decryption
  • Firewall-as-a-Service (FWaaS)
  • Secure web gateway (SWG)
  • Zero trust network access (ZTNA)
An infographic from Versa Networks shows its SASE solution's components and breadth.

How to Choose a Secure SD-WAN Solution

Given that SASE and SD-WAN are comprehensive solutions for enterprise networks, vendor choice is difficult. Relative to traditional networks, SASE components are largely software-defined, helping organizations reduce hardware costs while enabling advanced IT networking. Interested organizations can choose from several models with varying features for data center, branch, and office nodes – all of which can lead to a heavy initial investment.

Because SASE combines a swath of critical services for businesses and organizations, clients must have the utmost confidence in the vendor’s lineup of services for WAN edge infrastructure and security.

SASE is not a managed SOC solution, but it does put several eggs in one basket. There is no single answer for diversifying third-party vendors; however, the depth of SASE means organizations need to be vigilant in understanding the value added and any gaps in service. Though comprehensive, SASE remains a part of a more significant security architecture that includes endpoint detection and response (EDR) and XDR, network monitoring, security information and event management (SIEM), and risk management.

Top 20 Venture Capital (VC) Firms in Cybersecurity (https://www.esecurityplanet.com/trends/top-vc-firms/, Tue, 26 Apr 2022 10:46:56 +0000)

Whether it’s a startup or established organization seeking funding, the right venture capital (VC) firm can make the difference in financial and operational success.

Navigating the funding landscape takes time, preparation, and the innovative spirit to convince VC partners to invest in a new or unrecognized business opportunity. Achieving funding is no simple task, and cybersecurity entrepreneurs have a difficult path competing in a complex and competitive landscape.

Luckily for cybersecurity startups, there’s no shortage of interest in tomorrow’s next big security vendors. Investments in cybersecurity more than doubled from $12 billion to $29.5 billion in 2021, and growing concerns over data security, software supply chains, and ransomware suggest the market will remain strong through economic ups and downs.

This article looks at the top VCs in cybersecurity, a selection of investments, and considerations for entrepreneurs trying to develop an idea or scale a business.

Top Cybersecurity Venture Capital Firms


Accel

Launched in 1983, Accel specializes in the growth stage and early funding opportunities, with an impressive investment portfolio in cybersecurity and beyond. Formerly known as Accel Partners, the Palo Alto-based company is a top-tier VC firm investing in consumer and enterprise solutions for segments like SaaS, fintech, hardware, media, and IT services. Accel’s largest presence is in the Bay Area with sizable teams in London and Bangalore.

Notable cybersecurity exits for the company include Forescout, Imperva, Webroot, Tenable, and Crowdstrike; and Accel’s other successful investments include Atlassian, Cloudera, Etsy, and Meta.

Accel Investments

Company | Sector | Year | Status
1Password | Password security | 2019 | Private
Snyk | DevSecOps | 2018 | Private
Crowdstrike | Enterprise security | 2013 | NASDAQ: CRWD
Code42 | Cybersecurity software | 2012 | Private
Tenable | Vulnerability scanning | 2012 | NASDAQ: TENB
Webroot | Cybersecurity software | 2005 | Acquired: Carbonite
Imperva | Enterprise security | 2002 | NYSE: IMPV
Forescout | Zero trust | 2001 | NASDAQ: FSCT

AllegisCyber Capital

AllegisCyber Capital was founded in 1996 to serve the growing cyber business ecosystem. AllegisCyber’s expertise lies in addressing cybersecurity challenges, and its portfolio, focused on seed and early-stage investments, shows it. Partnering with two other top VCs, the AllegisCyber platform engages entrepreneurs through the start-up foundry DataTribe and the growth-stage firm NightDragon.

Notable cybersecurity exits for the company include E8 Security, IronPort, and Shape Security; and AllegisCyber’s other successful investments include Bracket Computing, Moki, Platfora, and Solera Networks.

AllegisCyber Investments

Company | Sector | Year | Status
Vicarius | Vulnerability management | 2022 | Private
Dragos | ICS and OT security | 2021 | Private
Safeguard Cyber | Risk management | 2021 | Private
CyberGRX | Risk management | 2019 | Private
Signifyd | Fraud protection | 2018 | Private
RedOwl | Security analytics | 2015 | Acquired: Forcepoint

Andreessen Horowitz (a16z)

Andreessen Horowitz – abbreviated to a16z – is one of the world’s most active VC firms and specializes in biology and health, crypto, consumer, and enterprise sectors. Founded in 2009, a16z already has an extensive track record of success, investing in over 500 companies and producing 160 exits. In addition to being a leading investor, a16z offers a bundle of resources for interested entrepreneurs.

Notable cybersecurity exits for the company include Okta, CipherCloud, and SignalFx; and a16z’s other successful investments include Apptio, Asana, Box, PagerDuty, Intrinsic, and Stack Overflow.

a16z Investments

Company | Sector | Year | Status
Isovalent | Cloud security | 2020 | Private
Illumio | Cloud security | 2015 | Private
SignalFx | Monitoring | 2015 | Acquired: Splunk
CipherCloud | Cloud security | 2012 | Acquired: Lookout
Lookout | Mobile security | 2011 | Private

Bessemer Venture Partners

Over a century in the making, Bessemer Venture Partners is another top-tier VC firm boasting over 130 IPOs in the last 50 years. Specializing in seed and Series A opportunities, the San Francisco-based firm has an extensive consumer, enterprise, and healthcare investments portfolio. As a leading VC, BVP offers budding companies plenty to consider, with a set of roadmaps and tools for today’s technologies and market complexities.

Notable cybersecurity exits for the company include VeriSign, Auth0, PagerDuty, and Verodin; and BVP’s other successful investments include LinkedIn, Pinterest, Shopify, Twitch, and Yelp.

BVP Investments

Company | Sector | Year | Status
Verodin | Cybersecurity analytics | 2018 | Acquired by FireEye
Kenna Security | Risk management | 2018 | Acquired by Cisco
PhishMe | Incident response | 2016 | Acquired: P.E.
PagerDuty | Operations performance | 2014 | NYSE: PD
Auth0 | Identity management | 2014 | Acquired: Okta
Evolution Equity Partners

Born from two board members of AVG Technologies, Evolution Equity Partners started in 2008 to help US and European-based entrepreneurs in cybersecurity, enterprise software, and consumer-enterprise crossover segments. Headquartered in NYC and Zurich, Switzerland, EEP has a smaller but impressive portfolio of companies. Evolution currently invests in companies between North America, Europe, and Israel, for seed up to growth stages.

Notable cybersecurity exits for the company include AVG Technologies, Cognitive Security, OpenDNS, and Carbon Black.

EEP Investments

Company | Sector | Year | Status
Satori | DataSecOps | 2021 | Private
BluBracket | Software supply chain | 2021 | Private
Cape Privacy | Data security | 2021 | Private
ZecOps | Digital forensics | 2019 | Private
SecurityScorecard | Risk ratings | 2017 | Private
Carbon Black | Security software | 2015 | Acquired: VMware
AVG | Antivirus software | 2015 | Acquired: Avast

Forgepoint Capital

Founded in 2015, Forgepoint Capital is another top-tier VC firm dedicated to securing the digital future through investments in transformative companies. The cloud and infrastructure software-focused company – spun off from veteran firm Trident Capital and previously known as Trident Capital Cybersecurity (TCC) until 2018 – leans towards early partnerships but serves every funding stage with a hands-on approach to working with entrepreneurs. Forgepoint’s investments typically range between $5 to $50 million per company.

Notable cybersecurity exits for the company include Area 1 Security, Attivo Networks, IronNet Cybersecurity, and Qualys.

Forgepoint Investments

Company | Sector | Year | Status
Noname | API security | 2021 | Private
Ermetic | Attack surface management | 2021 | Private
Qualys | Security and compliance | 2020 | Nasdaq: QLYS
Huntress | Managed detection and response | 2020 | Private
Bishop Fox | Attack surface management | 2019 | Private
BehavioSec | Biometrics and authentication | 2018 | Acquired: LexisNexis
Attivo Networks | Identity solutions | 2017 | Acquired: SentinelOne
IronNet Cybersecurity | Network security | 2015 | NYSE: IRNT

Greylock Partners

Formed in 1965, Greylock Partners has a long history of investing in enterprise and consumer software from seed and early-stage rounds onward. With a team of investors, functional specialists, and business operations consultants, Greylock offers entrepreneurs across business and IT sectors the resources to scale. Formerly located in Cambridge, Massachusetts, Greylock migrated its headquarters to Menlo Park, California, in 2009.

Notable cybersecurity exits for the company include Okta, Palo Alto Networks, and Skyhigh; and Greylock’s other successful investments include Airbnb, Coinbase, Dropbox, Meta, Roblox, and Workday.

Greylock Partners Investments

Company | Sector | Year | Status
Abnormal Security | Cloud email security | 2019 | Private
Sqreen | Application security | 2019 | Acquired: Datadog
Demisto | SOAR | 2018 | Acquired by PAN
Skyhigh | Cloud security | 2012 | Acquired: McAfee
OpenDNS | Internet security | 2009 | Acquired: Cisco
Palo Alto Networks | Cloud and network security | 2006 | NYSE: PANW

Insight Partners

New York-based Insight Partners is a top VC firm serving international entrepreneurs across the spectrum of technology sectors. Insight’s portfolio goes beyond cybersecurity, serving IT verticals in data, fintech, healthcare, and logistics. Launched in 1995, Insight’s record includes more than 600 direct investments resulting in over 200 acquisitions and 100 strategic exits. Insight has a remarkable $90 billion in assets under management (AUM), and a combined $30 billion in capital commitments.

Notable cybersecurity exits for the company include BeyondTrust, Duck Creek Technologies, New Relic, and Tenable; and Insight’s other successful investments include Alibaba Group, BMC, Cvent, DocuSign, SolarWinds, Tumblr, and Twitter.

Insight Investments

Company | Sector | Year | Status
Perimeter81 | VPN and zero trust | 2020 | Private
Wiz | Cloud security | 2020 | Private
OneTrust | Privacy management | 2019 | Private
Darktrace | AI network security | 2017 | Private
Recorded Future | Threat intelligence | 2017 | Acquired: Insight
Thycotic | Access management | 2015 | Private
Checkmarx | Application security | 2015 | Acquired: P.E.
Mimecast | Email security | 2012 | Nasdaq: MIME

Kleiner Perkins

Menlo Park-based Kleiner Perkins is a seed, early-stage, and growth VC firm with a long list of successful exits in its 50-year history. Decade after decade, Kleiner Perkins has proven able to spot market potential and emerging technologies. Over 900 investments later, the firm continues to target entrepreneurs in the consumer, enterprise, hard tech, healthcare, and fintech segments.

Notable cybersecurity exits for the company include AppDynamics, Netscape, and Palo Alto Networks; and Kleiner Perkins’ other successful investments include Amazon, EA, Google, Square, Sun Microsystems, and Twitter.

Kleiner Perkins Investments

Company | Sector | Year | Status
Apiiro | Code risk platform | 2020 | Private
OpenRaven | Data security | 2020 | Private
Area 1 | Cloud email security | 2014 | Private
Google | Web services | 1999 | Nasdaq: GOOG
Juniper Networks | Network infrastructure | 1996 | NYSE: JNPR
Netscape | Internet services | 1994 | Acquired: Yahoo!

Lightspeed Venture Partners

In 1999, four investment professionals founded Lightspeed Ventures to serve entrepreneurs in enterprise and consumer markets. Lightspeed’s enterprise sectors beyond cybersecurity include big data, SaaS, crypto, and IT services. Two decades later, Lightspeed is a prominent VC with an international presence, investing in companies across five continents and 16 IT solution sectors. Of the more than 400 companies Lightspeed has partnered with in its tenure, a third have been acquired or gone public.

Notable cybersecurity exits for the company include Avi Networks, Fireglass, and Zscaler; and Lightspeed’s other successful investments include Alooma, AppDynamics, Brocade, GrubHub, Masergy, MuleSoft, Nutanix, and Snap.

LVP Investments

Company | Sector | Year | Status
Exabeam | UEBA | 2021 | Private
Cato Networks | SASE | 2020 | Private
Confluera | Cloud XDR | 2019 | Private
Aqua | Container security | 2017 | Private
Netskope | SASE | 2017 | Private
Zscaler | Zero trust | 2012 | Nasdaq: ZS
SailPoint | Identity management | 2007 | Private

New Enterprise Associates (NEA)

New Enterprise Associates, referred to as NEA, is another leading VC committed to IT entrepreneurs in technology and healthcare. Started in 1977, the firm today boasts a bi-coastal presence, with primary offices in Menlo Park, San Francisco, New York, and Washington, DC. NEA’s long history includes working with more than 800 companies, over half of which are now public or acquired business units.

Notable cybersecurity exits for the company include Bitglass, Cleversafe, and Cloudflare; and NEA’s other successful investments include Acquia, BlueJeans, Coursera, MongoDB, NGINX, Pentaho, Robinhood, and Upwork.

NEA Investments

Company | Sector | Year | Status
Beyond Identity | Identity management | 2020 | Private
Expel | Managed security service | 2016 | Private
Tigera | Zero trust for K8s | 2016 | Private
Intrinsic | Application security | 2016 | Acquired: VMware
HackerOne | Penetration testing | 2015 | Private
Virtru | Data encryption | 2014 | Private
Cloudflare | Cloud infrastructure | 2010 | NYSE: NET

NightDragon

Named after the infamous string of nation-state cyber attacks during the late 2000s, NightDragon was established in 2016 by former McAfee CEO Dave DeWalt. Dedicated to cybersecurity, safety, security, and privacy innovations, NightDragon has a smaller but impressive portfolio of exited and active companies in the security space.

Notable cybersecurity exits for the company include FireEye, ForgeRock, Forescout, Jask, Mandiant, McAfee, and PhantomCyber.

NightDragon Investments

Company | Sector | Year | Status
McAfee | Cybersecurity solutions | 2021 | Acquired: Intel
Claroty | Industrial cybersecurity | 2020 | Private
Illusive Networks | Threat detection and response | 2020 | Private
Jask | Autonomous SOC | 2018 | Acquired: Sumo Logic
RiskSense | Vulnerability management | 2018 | Acquired: Ivanti
Phantom Cyber | SOAR | 2017 | Acquired: Splunk

Norwest

With technology opportunities on the rise in the 1960s, Norwest Venture Partners started as a subsidiary of what is now Wells Fargo in Minneapolis, Minnesota. Sixty years later, Norwest calls Palo Alto and San Francisco home like many top VCs in cybersecurity. The company’s history includes over 600 company investments across consumer, enterprise, and healthcare segments in North America, India, and Israel.

Notable cybersecurity exits for the company include Agari, CyberX, FireEye, Fireglass, Galvanize, and KACE; and Norwest’s other successful investments include Apigee, BlueJeans, Brocade, LendingClub, Rackspace, Spotify, and Uber.

Norwest Investments

Company | Sector | Year | Status
Obsidian Security | Cloud security and compliance | 2022 | Private
Cynet | Enterprise cybersecurity | 2018 | Private
Shape Security | Web security | 2018 | Private
CyberX | IoT and ICS security | 2018 | Acquired: Microsoft
Galvanize | Governance, risk, compliance | 2017 | Acquired: Diligent
Agari | Email security | 2016 | Private
Bitglass | Mobile cloud security | 2014 | Private
FireEye | Cybersecurity services | 2005 | Acquired: P.E.

Paladin Capital Group

Since 2001, Paladin Capital Group has been a prominent VC serving businesses as a value-added partner in North America, Europe, South America, and Australia. Though Paladin’s portfolio of 75 companies is smaller than those of other top contenders, the company has a substantial stack of strategic investments in technology, telecommunications, and more. In 2008, the Washington, DC-based firm made a prudent decision by shifting its focus to cybersecurity.

Notable cybersecurity exits for the company include CloudShield, Endgame, PhishMe, RiskSense, Trustwave, and White Ops; and Paladin’s other successful investments include Cogent, Good Technology, Initiate, QuantaLife, and VistaScape.

Paladin Investments

Company | Sector | Year | Status
Virtuoso | Codeless software testing | 2021 | Private
Vectrix | Security scanning | 2020 | Acquired: Cloudflare
Karamba Security | Embedded security | 2017 | Private
Acalvio | Threat deception | 2014 | Private
Bugcrowd | Bug bounties | 2013 | Private
Endgame | Security intelligence | 2013 | Acquired: Elastic
Neohapsis | Mobile and cloud security | 2006 | Acquired: Cisco
Trustwave | Managed services and IT | 2004 | Acquired: Singtel

Redpoint Ventures

Investing in technology companies since 1999, Redpoint Ventures’ focus is on entrepreneurs in the application, blockchain, fintech, healthcare, and infrastructure sectors. Redpoint offers seed up to growth series funding with a knack for partnering with startup founders early. In all, Redpoint’s over 700 investments have led to almost 300 exits. Based in Menlo Park, California, the technology VC also has a growing funding presence in China. 

Notable cybersecurity exits for the company include Duo Security, Fortinet, and Caspida; and Redpoint’s other successful investments include Snowflake, Springpath, and Cloud.com.

Redpoint Investments

Company | Sector | Year | Status
Cyberhaven | Data security | 2021 | Private
Orca Security | Cloud security | 2021 | Private
Duo Security | Data security | 2015 | Acquired: Cisco
Caspida | Threat detection | 2014 | Acquired: Splunk
Lastline | Network security | 2013 | Private
Pindrop | Authentication | 2013 | Private
Arctic Wolf | Managed security service | 2012 | Private
Fortinet | Network security | 2003 | Nasdaq: FTNT

Sequoia Capital

Sequoia Capital is arguably the top VC in cybersecurity, with five decades of experience investing in some of the biggest names in IT. Outside the United States, Sequoia’s international presence includes funds specific to Israel, India, China, Southeast Asia, and Europe and serves companies across the enterprise, consumer, and technology-enabled solution sectors. From Apple and Atari to the latest in security solutions, Sequoia’s presence is undeniable.

Notable cybersecurity exits for the company include Barracuda Networks, Palo Alto Networks, and Skyhigh; and Sequoia’s other successful investments include Cisco, Google, LinkedIn, NVIDIA, Oracle, PayPal, Snowflake, and UiPath.

Sequoia Investments

Company | Sector | Year | Status
Wiz | Cloud security | 2020 | Private
Evervault | Developer encryption | 2019 | Private
Verkada | Security surveillance | 2019 | Private
Armis | IoT network security | 2015 | Private
Sumo Logic | Threat intelligence | 2014 | Nasdaq: SUMO
Okta | Identity management | 2013 | Nasdaq: OKTA
Barracuda | Enterprise security | 2006 | Private

Shasta Ventures

Shasta Ventures specializes in early-stage investments with a robust portfolio covering consumers, hardware, computer vision, data intelligence, infrastructure, and SaaS. Started in 2004, Shasta offers its Elevate program to help founders navigate growth with proven go-to-market methodologies. The San Francisco-based VC has almost 100 active investments and 47 exits.

Notable cybersecurity exits for the company include SentinelOne, Skycure, Watchdog, and Zenprise; and Shasta’s other successful investments include Anaplan, Lithium, Makara, Mint.com, Nest Labs, Spiceworks, and Taskrabbit.

Shasta Investments

Company | Sector | Year | Status
TrueFort | Zero trust platform | 2021 | Private
Cequence Security | Application security | 2019 | Private
SentinelOne | Endpoint protection | 2019 | NYSE: S
Mocana | Security software | 2019 | Acquired: DigiCert
ISARA | Quantum security | 2018 | Private
CloudPassage | Security automation | 2014 | Private
eSentire | Managed detection and response | 2014 | Private
Zenprise | Mobile device management | 2005 | Acquired: Citrix

Ten Eleven Ventures

One of the youngest VC firms to make the list, Ten Eleven Ventures started in 2014 to invest in the best and brightest cybersecurity entrepreneurs. With just over 30 investments, the upstart VC already has an impressive track record in identifying innovative security companies and helping partners reach their exit. The San Francisco-based firm includes a team of industry and startup leaders, and a joint investment alliance with private equity firm KKR.

Notable cybersecurity exits for the company include Black Horse, Cylance, Darktrace, Hexadite, Ionic, Jask, KnowBe4, Ping Identity, Revelock, Twistlock, and Verodin.

TenEleven Investments

Company | Sector | Year | Status
Cyware | SOAR and threat intelligence | 2021 | Private
Axis Security | Security and analytics | 2020 | Private
ReliaQuest | Enterprise cybersecurity | 2020 | Private
KnowBe4 | Awareness training | 2019 | Private
Vulcan | Vulnerability management | 2019 | Private
Offensive Security | Penetration testing | 2018 | Private
Cylance | Tech-enabled cybersecurity | 2015 | Acquired: BlackBerry
Ping Identity | Identity management | 2014 | NYSE: PING

Tiger Global Management

Almost twenty years after Tiger Global Management started its private equity business, the VC ranks among the most active investment firms globally. The New York-based company has an extensive presence in Asia and focuses on companies in the financial, consumer, software, and web sectors. Since 2003, Tiger Global Management has made over 900 investments with 120 exits.

Notable cybersecurity exits for the company include CrowdStrike and SentinelOne; and Tiger Global’s other successful investments include Alibaba, Block, GitLab, Glassdoor, LinkedIn, and Meta.

Tiger Global Investments

Company | Sector | Year | Status
CHEQ | Marketing cybersecurity | 2022 | Private
Securden | Zero trust platform | 2022 | Private
Forter | Fraud prevention | 2021 | Private
Guardio | Browser security | 2021 | Private
DoubleVerify | Fraud and web scanning | 2020 | Private
CrowdStrike | Enterprise security | 2020 | Nasdaq: CRWD

YL Ventures

Based in Tel Aviv and Silicon Valley, YL Ventures was launched in 2007 to bring cybersecurity innovation coming out of Israel to a global customer base. YL offers hands-on support for startup leaders in addition to an extensive network of cybersecurity industry leaders and CISOs. The Israeli security specialist boasts 23 investments with 11 exits; don’t miss the firm’s interactive map of the country’s cybersecurity startup space: CyberMap.

Notable cybersecurity exits for the company include Build Security, Hexadite, Medigate, and Seculert.

YL Ventures Investments

Company | Sector | Year | Status
Cycode | Code detection and response | 2021 | Private
Grip | SaaS cybersecurity | 2021 | Private
Hunters | XDR | 2021 | Private
Enso | Application security | 2020 | Private
Twistlock | Enterprise cloud | 2019 | Acquired: PAN
Orca Security | Cloud security | 2019 | Private
Hexadite | Cybersecurity orchestration | 2019 | Acquired: Microsoft
Axonius | Asset management | 2017 | Private


An infographic collage showing the logos of the picks for top cybersecurity venture capital firms of 2022.

Honorable Mention Cybersecurity VCs

  • Battery Ventures
  • Data Collective Venture Capital (DCVC)
  • Foundation Capital
  • Gula Tech Adventures
  • Index Ventures
  • Jerusalem Venture Partners (JVP)
  • Lytical Ventures
  • RRE Ventures
  • SoftBank
  • Sorenson Ventures

Top Company-Linked VCs in Cybersecurity

  • Capital One Ventures
  • Cisco Investments
  • Citi Ventures
  • Dell Technologies Capital
  • GV
  • Intel Capital
  • MassMutual Ventures
  • Microsoft Ventures
  • Salesforce Ventures
  • Samsung Next

Top Seed and Early Stage VCs in Cybersecurity

  • Acrew Capital
  • Blumberg Capital
  • Boldstart Ventures
  • Charles River Ventures
  • DataTribe
  • Dreamit Ventures
  • Floodgate
  • General Catalyst
  • Wing Venture Capital
  • Y Combinator

What are Venture Capital Firms?

Venture capital (VC) firms are investment management companies dedicated to funding promising business opportunities in exchange for a specified amount of equity. With expertise in discovering talented entrepreneurs and developing business infrastructure, VCs raise large sums of capital, most often from private investors.

Venture capital firms play an essential role as engines for connecting ideas and business models with the funding necessary to develop new products and services and reach new audiences or communities.

Types of VC Funding

Though there is some variation in terminology, most entrepreneurs and VCs recognize the following breakdown in funding types and purposes.

  • Pre-Seed: Initial funding from non-institutional investors.
  • Seed: First funding stage where a VC receives an equity stake.
  • Series A: Extended development funding to bolster the company’s business model.
  • Series B: Additional financing to scale business infrastructure and market reach.
  • Series C: Proven track record justifies additional funding for continued growth.
  • Series D and E: Less frequent and strategic in addressing business growth trajectory.

Venture Capital vs Private Equity

Whereas most citizens, workers, and retirees hold some portion of the public stock market, private equity refers to equity investments made by private individuals and private equity firms. Private equity manages the entire lifecycle of private assets, from venture capital and growth equity to managed and leveraged buyouts.

Venture capital is a form of private equity focusing on early investing opportunities; meanwhile, notable private equity firms like Blackstone, KKR, and Thoma Bravo are known for post-IPO acquisitions.


How Do VC Firms Work?

VC firms are often structured as limited partnerships led by general partners (GPs) and staffed by a team that manages the VC fund. Through an existing or new network of investors known as limited partners (LPs), VC funds raise capital for investing in a general or domain-specific portfolio of companies.

An infographic showing a generic VC structure from the National Venture Capital Association.

Opening the Door to Outside Influence

Though funding sounds nice, many startup nightmares come to mind. When accepting VC funding, entrepreneurs are giving up some level of control over the present or future of their company. Equity is the most evident cost to bear. Still, the fine print of VC agreements could also mean additional control over a prospective Board of Directors, management, business model, and more.

VCs are ultimately accountable to the wishes of their GPs and LPs and not afraid to make decisions to their benefit. 

There’s a broad spectrum of just how active partners are in guiding or managing their investments. As VCs want their investments to succeed, hands-on partners may ask a lot of their invested companies. Founders and startup leaders can often feel the temperature and pressure rise.


How to Land a Round of Funding

Landing a funding round is no easy task and can take months, if not years, to achieve.

Business Model

Business models have long been the cornerstone for profiling a company commercially. By enumerating foundational business components like core operations, products and services, financing, and revenue sources, startup leaders can communicate their strategic plan for launching and growing a business in a single document or presentation.

Business Data

Data is king, and without it VCs have only an entrepreneur’s word to trust. With data offering insight into sales, KPIs, and growth rates, startup leaders can justify their funding with reliable data points. Given the high failure rate of startups, those with existing business metrics to cite are in a superior position to earn funding.

Networking

Though an exceptional business model and data can’t hurt, they mean little without access to potential funding. Local funding opportunities and accelerator programs are convenient methods of initial financing for startups. At the same time, reaching firms like the above will mean existing connections or perseverance on top of an ironclad business plan.

With an extensive VC presence split between Silicon Valley and New York, it’s no surprise entrepreneurs lean toward starting their businesses in these locations. With proximity to multiple funding partners, opportunities to reach and earn funding are more accessible.

Timing

Timing is critical to market success in the competitive landscape, especially within the ever-evolving IT ecosystem. Go-to-market strategies are an essential indicator of investment potential, and the timing of a business’s funding proposal or launch can and does make the difference. VCs seek the most innovative and new opportunities with the rare allowance for a unique spin on traditional solutions.

Questions to Consider

  • What is the economic viability of the company?
  • What is the value proposition, and how is the solution distinct in the cybersecurity industry?
  • What are the revenue model and product deployment strategy?
  • Is the solution compatible with other popular applications and security systems?

Securing Data and Infrastructure is Hot

If the last couple of years is any indication, there is no shortage of funding for cybersecurity entrepreneurs. The above VCs and more continue to look for the latest emerging technologies across industries, and securing the next generation of IT infrastructure is hot.

Entrepreneurs with a worthwhile idea or business should consider how additional funding might further develop or expand their operation. With caution in mind, VCs can offer financial support and business and industry expertise to achieve meaningful growth and profit.


The post Top 20 Venture Capital (VC) Firms in Cybersecurity appeared first on eSecurity Planet.

SAML: Still Going Strong After Two Decades
https://www.esecurityplanet.com/applications/saml/
Sat, 26 Mar 2022 00:04:29 +0000

SAML is an open standard facilitating the communication and verification of credentials between identity providers and service providers for users everywhere.

In 2005, the open standard consortium OASIS released SAML 2.0 to broad appeal. As smart mobile devices boomed, so did the number of web applications and the need to address never-ending logins. SAML was essential to addressing this challenge and introduced single sign-on (SSO) as a reliable tool for individuals up to enterprise organizations. The other most common use of SAML is for federation networks between infrastructure not necessarily linked to web services.

This article looks at the SAML protocol, how it works, the involved parties, and where it fits in the evolution of identity and access management (IAM).


What is SAML?

The Security Assertion Markup Language (SAML) manages transactions between web service providers and identity providers using the Extensible Markup Language (XML). These communications on the backend of username and password login processes ensure users get authenticated by the overarching identity manager and authorized to use the given web service(s).

Context: Authentication vs. Authorization

A foundational piece of the digital access puzzle is the difference between authentication and authorization. Authentication confirms user identity, and authorization grants specific rights to a web application, user, or device.


Service Providers and Identity Managers

Service providers and identity managers play a critical part in the federation process, allowing users access to specific data.

Service Providers

The exponential growth of applications serving consumer to enterprise IT needs and wants means a universe of service providers. Service providers are the organizations and web services offered to users through a valid request. Application and software developers are responsible for establishing the necessary backend database and protocol for storing and accepting user account credentials.

Popular service providers include top business application vendors like SAP, Microsoft, Oracle, Adobe, Google, and Salesforce.

Identity Managers

Identity managers offer organizations a system wherein a set of credentials can merge to become a federated identity for a specific user to access applications across platforms. Like directory services, organization administrators can control access to particular data with network user identity management.

Examples of popular enterprise identity provider systems include Microsoft Active Directory (AD) and Azure AD, directories accessed over the Lightweight Directory Access Protocol (LDAP), and Google Workspace (formerly G Suite), while other vendors include Oracle, Okta, OneLogin, and Auth0.


How Does SAML Work?

  1. A user logs into the identity provider’s SSO.
  2. The user submits a request for a privileged web page.
  3. The service provider confirms user credentials with the identity provider.
  4. The identity provider responds by validating the user.
  5. The user accesses the web page requested.
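
The five steps above as an added example, not code from the original article: an SP-initiated SAML 2.0 exchange modelled in Python with the standard library, with the service provider performing the checks it must make before trusting an assertion. The entity IDs, the user name and the HMAC key that stands in for the IdP's XML signature are assumptions for this example.

```python
"""Added example (not from the article): the SP-initiated SAML 2.0 SSO flow in
the five steps above, modelled with the standard library. Assumptions: the IdP
"signs" with an HMAC key the SP also holds (a stand-in for XML-DSig with the
IdP's X.509 certificate, so this runs offline); entity IDs and user are made up."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"   # samlp: namespace
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"   # saml: namespace
SP_ENTITY_ID = "https://sp.example.test/metadata"    # constructed
IDP_ENTITY_ID = "https://idp.example.test/metadata"  # constructed
SHARED_KEY = b"constructed-demo-key"  # stand-in for the IdP signing certificate
TS = "%Y-%m-%dT%H:%M:%SZ"


def now_utc():
    return datetime.now(timezone.utc).replace(microsecond=0)


def parse_ts(text):
    return datetime.strptime(text, TS).replace(tzinfo=timezone.utc)


class IdentityProvider:
    def __init__(self):
        self.sessions = set()

    def login(self, user):  # step 1: the user signs in at the IdP's SSO
        self.sessions.add(user)

    def handle_authn_request(self, request_xml, user):  # steps 3 and 4
        if user not in self.sessions:
            raise PermissionError("no IdP session; the user must authenticate first")
        req = ET.fromstring(request_xml)
        now = now_utc()
        resp = ET.Element(SAMLP + "Response", ID="_" + secrets.token_hex(16), Version="2.0",
                          IssueInstant=now.strftime(TS), InResponseTo=req.get("ID"))
        ET.SubElement(resp, SAML + "Issuer").text = IDP_ENTITY_ID
        a = ET.SubElement(resp, SAML + "Assertion", ID="_" + secrets.token_hex(16),
                          Version="2.0", IssueInstant=now.strftime(TS))
        ET.SubElement(a, SAML + "Issuer").text = IDP_ENTITY_ID
        ET.SubElement(ET.SubElement(a, SAML + "Subject"), SAML + "NameID").text = user
        # A short validity window plus an audience restriction bind the assertion
        # to this SP and this moment; the SP checks both before trusting it.
        cond = ET.SubElement(a, SAML + "Conditions",
                             NotBefore=(now - timedelta(minutes=1)).strftime(TS),
                             NotOnOrAfter=(now + timedelta(minutes=5)).strftime(TS))
        aud = ET.SubElement(cond, SAML + "AudienceRestriction")
        ET.SubElement(aud, SAML + "Audience").text = req.findtext(SAML + "Issuer")
        xml_bytes = ET.tostring(resp)
        return xml_bytes, hmac.new(SHARED_KEY, xml_bytes, hashlib.sha256).digest()


class ServiceProvider:
    def __init__(self):
        self.pending = set()  # IDs of AuthnRequests this SP issued and has not consumed

    def build_authn_request(self):  # step 2: the user requests a protected page
        req_id = "_" + secrets.token_hex(16)
        self.pending.add(req_id)
        req = ET.Element(SAMLP + "AuthnRequest", ID=req_id, Version="2.0",
                         IssueInstant=now_utc().strftime(TS),
                         AssertionConsumerServiceURL=SP_ENTITY_ID + "/acs")
        ET.SubElement(req, SAML + "Issuer").text = SP_ENTITY_ID
        return ET.tostring(req)

    def consume_response(self, response_xml, signature):  # step 5
        # Signature first: nothing inside the XML is trustworthy until it passes.
        expected = hmac.new(SHARED_KEY, response_xml, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("signature check failed")
        root = ET.fromstring(response_xml)
        # Each AuthnRequest ID is honoured once, so a captured response cannot be replayed.
        if root.get("InResponseTo") not in self.pending:
            raise ValueError("unsolicited or already-consumed response")
        self.pending.discard(root.get("InResponseTo"))
        a = root.find(SAML + "Assertion")
        if a is None or a.findtext(SAML + "Issuer") != IDP_ENTITY_ID:
            raise ValueError("assertion missing or from an unexpected issuer")
        cond = a.find(SAML + "Conditions")
        if not parse_ts(cond.get("NotBefore")) <= now_utc() < parse_ts(cond.get("NotOnOrAfter")):
            raise ValueError("assertion outside its validity window")
        if SP_ENTITY_ID not in [e.text for e in cond.iter(SAML + "Audience")]:
            raise ValueError("assertion issued for a different service provider")
        return a.find(SAML + "Subject").findtext(SAML + "NameID")


def run_sso_flow(user="alice@example.test"):  # steps 1-5 end to end
    idp, sp = IdentityProvider(), ServiceProvider()
    idp.login(user)
    response, sig = idp.handle_authn_request(sp.build_authn_request(), user)
    return sp, response, sig, sp.consume_response(response, sig)


def rejection_reason(sp, response, sig):  # why the SP refuses a response, or None
    try:
        sp.consume_response(response, sig)
    except ValueError as exc:
        return str(exc)
    return None
```

Feeding the same signed response a second time, or altering the NameID after signing, is refused for the reason each check reports.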

Why is SAML Important?

Whereas web service providers have long played the role of identity managers, the emergence of identity providers offers users convenient access for storing credentials and, therefore, access to a list of accounts. SAML is the federated authentication and authorization process in this split of responsibilities, simplifying communication between parties.

A graphic showing how SAML 2.0 federation works for a Microsoft user.

OAuth vs SAML

OAuth is another language web service providers use to communicate on behalf of users and applications, but OAuth and SAML address different sides of the authentication-authorization coin.

SAML is a standard for identity management and federation, including systems like SSO. OAuth is a pure authorization protocol; it pairs with OpenID Connect (OIDC), which handles authentication.

SAML may be the more trusted and mature protocol of the two; however, OIDC is a newer authentication protocol designed for mobile and web applications. Another notable difference between the two is the token format: OAuth and OIDC commonly use the JSON Web Token (JWT). While SAML uses XML, JWTs are more lightweight and self-contained, and they carry a digital signature that a service can verify on its own without calling back to the authorization server.

While SAML 2.0 remains widely in use, the growth of OAuth 2.0 paired with OIDC means SAML isn’t deployed for new applications nearly as much as it once was.


IAM History: SAML in Context

In 2001, the Organization for the Advancement of Structured Information Standards (OASIS) began work on what would become an industry-first XML framework for exchanging authentication and authorization data. A year later, SAML 1.0 became an official OASIS standard. In 2005, OASIS released SAML 2.0, which gained widespread appeal among web developers and service providers by the end of the decade.

While SAML 2.0 led the way, the first two iterations of OpenID, the predecessor of OIDC, were released in 2006 and 2007 as alternative authentication protocols. The launch of OAuth 1.0 in 2010 and OAuth 2.0 two years later gave third parties a deliberate protocol for authorizing secure, delegated access through the user agent. Rather than leaving developers to deal with a separate protocol for authentication needs, the release of OpenID Connect in 2014 added an authentication layer on top of OAuth 2.0 to handle initial sign-in across accounts.

Despite the recent prevalence of OAuth and OIDC for authentication and authorization, SAML 2.0 remains a widely offered and used protocol for enterprise organizations.

The post SAML: Still Going Strong After Two Decades appeared first on eSecurity Planet.

Addressing Remote Desktop Attacks and Security
https://www.esecurityplanet.com/threats/rdp-attacks/
Fri, 25 Mar 2022 23:06:10 +0000

The Remote Desktop Protocol (RDP) has long been essential for IT service management and remote access. Still, in the wrong hands, RDP attacks and vulnerabilities related to remote desktop software are a severe threat.

Recent years presented a torrent of research showing how vulnerable RDP systems are for organizations not taking additional cybersecurity precautions. Because RDP server hosts can access and manage remote devices, including sensitive clients, the threat posed by RDP attacks can’t be overstated. As remote desktop solutions are prevalent among IT and managed service providers (MSP), downstream clients can be at risk, as Kaseya experienced in 2021.

This article looks at the remote desktop protocol, how RDP attacks work, best practices for defense, the prevalence of RDP attacks today, and how remote desktop software vendors are securing their clients.


What is the Remote Desktop Protocol (RDP)?

Available on Windows servers since the turn of the century, the remote desktop protocol (RDP) is Microsoft’s proprietary protocol for allowing an administrator to access and manage remote devices. RDP is widely popular for IT technical support and MSPs, as it lets a host take over a customer’s machine running the client software for issue resolution and troubleshooting.

Though RDP is a Microsoft protocol, many commercial remote desktop software solutions offer added security capabilities for enterprise to SMB organizations.

What are RDP Attacks?

RDP attacks are attempts by threat actors to access a remote desktop host or client’s administrative privileges for reconnaissance, command and control, and lateral movement. With administrative control over a remote desktop system, perpetrators can do anything or access whatever data is available to the administrator or specific end-user. RDP attacks are often difficult to detect as no user input is necessary for the threat actor to get to work.

A graphic from Trend Micro shows the infection flow of an RDP brute force attack.

How Do RDP Attacks Work?

Intrusion: Meddler-in-the-Middle and Brute Force Attacks

RDP intrusions are typically the result of two attacker methods: brute force authentication attempts or a meddler-in-the-middle (MITM) attack. Remote desktop software’s sensitive influence over other devices means identity and access management (IAM), password security, and multi-factor authentication are critical for risk management.

Reconnaissance

After obtaining the proper authentication credentials and gaining initial access to client devices, attackers have an incentive to navigate victim networks with caution. This reconnaissance period is a staple of the most sophisticated attacks as advanced persistent threats can evaluate their permissioned access, scan network activity, and attempt to escalate access.

Extended Stays and Attack Execution

Like in the case of SolarWinds in 2020, masked threat actors aren’t afraid to linger for months during reconnaissance. These stays can mean extended exposure to sensitive client data or proprietary information or enough time to parse through a managed service provider’s client network.

With lateral movement across a victim’s IT infrastructure, threat actors can escalate privileges, spread malware, extract data, and disrupt IT services as with ransomware attacks. As long as actors go undetected, the timing of attacks is on the perpetrator’s terms.


Defending Against RDP Attacks: Best Practices

  • Multi-factor authentication and complex access credential requirements
  • Account lockout policies to stop brute-force attempts
  • Role-based access control (RBAC) for RDP consoles
  • Firewall-based restrictions on RDP access
  • Connections allowed only with Network Level Authentication (NLA)
  • Patch management for removing known vulnerabilities
  • Virtual private network (VPN) for shielding client device traffic
  • TCP port 3389 closed on devices not using RDP
  • Microsegmentation and zero trust network access models
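
The brute-force intrusion path and the lockout item above, as an added example that is not from the original article: detection logic in Python that runs over constructed Windows Security log lines and flags a source that racks up RDP logon failures, noting whether the same source later logged on successfully. Event IDs 4625 and 4624 and LogonType 10 are standard Windows values; the one-line log format, the addresses and the account names are constructed for the example.

```python
"""Added example (not from the article): detection logic for the RDP brute-force
intrusions described above, run over constructed Windows Security log lines.
Event IDs 4625 (failed logon) / 4624 (successful logon) and LogonType 10
(RemoteInteractive, i.e. RDP) are standard Windows values; the one-line log
format, account names and IP addresses are constructed for this example."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample, one event per line: ten failures from one source in ten
# seconds, then a successful logon from the same source; a user who mistyped a
# password twice; and a local console failure that is not RDP at all.
SAMPLE_LOG = """\
2018-02-18T03:11:02Z 4625 LogonType=2 TargetUserName=jdoe IpAddress=127.0.0.1
2018-02-18T03:12:40Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2018-02-18T03:12:41Z 4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2018-02-18T03:12:42Z 4625 LogonType=10 TargetUserName=ADMIN IpAddress=203.0.113.7
2018-02-18T03:12:43Z 4625 LogonType=10 TargetUserName=root IpAddress=203.0.113.7
2018-02-18T03:12:44Z 4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2018-02-18T03:12:45Z 4625 LogonType=10 TargetUserName=sqladmin IpAddress=203.0.113.7
2018-02-18T03:12:46Z 4625 LogonType=10 TargetUserName=guest IpAddress=203.0.113.7
2018-02-18T03:12:47Z 4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.7
2018-02-18T03:12:48Z 4625 LogonType=10 TargetUserName=scanner IpAddress=203.0.113.7
2018-02-18T03:12:49Z 4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2018-02-18T03:12:55Z 4624 LogonType=10 TargetUserName=svc_deploy IpAddress=203.0.113.7
2018-02-18T03:20:01Z 4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.4
2018-02-18T03:20:30Z 4625 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.4
2018-02-18T03:20:45Z 4624 LogonType=10 TargetUserName=jdoe IpAddress=198.51.100.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
                     r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")
RDP_LOGON_TYPES = {10, 3}  # 10 = RemoteInteractive; with NLA on, failed RDP
                           # attempts are commonly recorded as LogonType 3


@dataclass
class LogonEvent:
    when: datetime
    event_id: int
    logon_type: int
    user: str
    ip: str


@dataclass
class Alert:
    ip: str
    first_seen: datetime
    failures: int
    distinct_users: int
    followed_by_success: bool


def parse_log(text):
    """Parse the constructed one-line format into LogonEvent records."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a logon event in this format
        when = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LogonEvent(when, int(m["event_id"]), int(m["logon_type"]),
                                 m["user"].lower(), m["ip"]))
    return events


def detect_rdp_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """One Alert per source IP that reaches `threshold` RDP failures inside
    `window`; the alert also records whether that IP later logged on, which is
    the case that matters most (the guessing worked, as in the CDOT incident)."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    users = defaultdict(set)     # ip -> account names tried
    alerts = {}
    for ev in sorted(events, key=lambda e: e.when):
        if ev.logon_type not in RDP_LOGON_TYPES:
            continue
        if ev.event_id == 4625:
            q = recent[ev.ip]
            q.append(ev.when)
            users[ev.ip].add(ev.user)
            while ev.when - q[0] > window:
                q.popleft()
            if ev.ip in alerts:
                alerts[ev.ip].failures += 1
                alerts[ev.ip].distinct_users = len(users[ev.ip])
            elif len(q) >= threshold:
                alerts[ev.ip] = Alert(ev.ip, q[0], len(q), len(users[ev.ip]), False)
        elif ev.event_id == 4624 and ev.ip in alerts:
            alerts[ev.ip].followed_by_success = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_brute_force(parse_log(SAMPLE_LOG)):
        print(alert)
```

The two mistyped passwords from 198.51.100.4 stay under the threshold and produce no alert, while the burst from 203.0.113.7 is flagged at the fifth failure and marked as followed by a successful logon.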

Examples of Notable RDP Attacks

Calling into Robinhood

In November 2021, an unauthorized third party called a Robinhood customer support employee and, through social engineering, gained access to the company’s customer support systems. The online financial brokerage contained the intrusion, at which point the threat actor demanded an extortion payment. While no user financial information leaked, upwards of 5 million users’ email addresses and 2 million names were obtained.

SamSam Ransomware: Malware Specializing in RDP

Between 2016 and 2018, the malware strain SamSam made brute force RDP attacks an integral part of its attacks on several public organizations. By exploiting weak server vulnerabilities, the Iran-based hackers were able to gain access, move laterally, encrypt IT systems, and demand ransom payment.

Attacks in 2018 | Victim Organization
January | City of Farmington, New Mexico
February | Colorado Department of Transportation (CDOT)
March | City of Atlanta, Georgia
July | LabCorp, U.S. clinical labs company
September | U.S. Port of San Diego

Colorado Taken for a Ride

Two years after the attack on the Colorado transportation agency, the Colorado Sun revisited how SamSam infiltrated CDOT, the immediate aftermath, and the steps taken since to harden security. On a Sunday in February 2018, the Colorado CISO’s office set up a temporary server to test a new cloud-based business process. A few days later, IT systems started malfunctioning with ransom messages following.

The system administrator did not configure standard security controls when installing the server in question. Meanwhile, the suspect server was connected to the CDOT domain with an administrator account and the internet. As CISO Debbi Blyth put it, “The server was discovered almost immediately by the attackers.” After 40,000 attempts, SamSam had access to explore CDOT’s core network.


Remote Desktop Software and Cybersecurity 

As remote desktop capabilities have grown beyond Microsoft’s protocol, a range of software vendors compete to meet the needs of the digital workplace generation. Remote desktop software enables clients to scale remote IT operations, integrate essential applications, and secure communications for clients and personnel.

Below are some of the foundational cybersecurity features and solutions offered by leading providers.

Remote Desktop Software Features

  • Encrypted communication using TLS, RSA public-private key exchange, and AES 256
  • Identity and access management and network access control, including SSO and MFA
  • Session, video, and log management for routine and targeted audits
  • Support for specific regulatory compliance and reporting requirements
  • Reliable update cycle removing bugs and known vulnerabilities

Secure Remote Desktop Solutions

  • BeyondTrust
  • Check Point
  • ConnectWise
  • N-able
  • Splashtop

BeyondTrust

Cybersecurity company BeyondTrust specializes in privileged access management (PAM), cloud security, and secure remote access. For remote desktop software, BeyondTrust offers Remote Support for essential help desk capabilities and Privileged Remote Access to control, manage, and audit access to critical IT systems. 

In addition to granular role-based access control, BeyondTrust PRA creates audit trails and session forensics for compliance reporting. Additional security features include privileged password vaulting, cloud and virtual infrastructure security, and integrations with existing security information and event management (SIEM) systems.


Check Point

Check Point is a veteran enterprise security vendor that integrates remote access capabilities into every next-generation firewall (NGFW). For the generation of remote work and operations, Check Point Remote Access VPN offers central management and policy administration for controlling access to corporate networks.

The Remote Access VPN enables more robust security with the encryption of transmitted data, system compliance scanning, and multi-factor authentication. The SSL VPN Portal for web-based access and the IPsec VPN for corporate network access support Windows, macOS, iOS, and Android devices to ensure access and security across diverse IT environments.



ConnectWise

ConnectWise offers a portfolio of MSP solutions for remote monitoring, business management, integrated services, cybersecurity, and more. Under the company’s unified monitoring and management stack, ConnectWise Control is a secure remote access solution for MSPs, help desks, remote workers, and IT teams.

ConnectWise’s solution comes with a bundle of built-in security features and tools to give clients the necessary control over sensitive data. Internally, this means role-based access control, logging of videos and session activity, the option to self-host, server-level auditing, and AES-256 encryption for all transmitted data. Additional security features include IP login restrictions, session timeouts, 2FA, and account lockouts for brute force attacks.


N-able

N-able – formerly SolarWinds MSP between 2013 and 2021 – has over two decades of experience in integrated monitoring and management tools for enterprise organizations. N-able’s remote monitoring and management (RMM), ticketing, and remote access tools are familiar solutions to industry veterans, but it also extended its security capabilities over the last few years.

Partnering with SentinelOne, N-able launched its endpoint detection and response (EDR) and password management solutions in 2019. Other cybersecurity tools offered include DNS filtering, disk encryption, backups, and email security for Microsoft-oriented infrastructure. The N-central platform is the most comprehensive solution, bundling these capabilities in a single console managing hundreds of thousands of devices.


Splashtop

Splashtop is a dedicated remote access and support software company with on-premises and cloud-based solutions for individuals, small businesses, and enterprise organizations. 

Serving 30 million end-users and 200,000 businesses, Splashtop offers a swath of security features to meet the motley needs of private and public organizations managing sensitive data. Fit for clients with rigid regulatory requirements, Splashtop is SOC 2 and GDPR compliant and supports compliance reporting frameworks for HIPAA, PCI, FERPA, and ISO 27001.

Essential security features include TLS 1.2 and AES 256-bit encryption, 2FA, session and activity logs, and authentication for devices and proxy servers. Enterprise Splashtop goes further for the most administrative control, offering SSO integration, scheduled remote access, group-based access control, and automatic user provisioning.


The Importance of Remote Monitoring and Management

While IT infrastructure continues to expand and remote operations for workers and critical systems become more acceptable, remote monitoring and management capabilities are essential to consider. Several top vendors of RMM solutions naturally include remote desktop software, integrations to leading third-party security systems, and added features to safeguard enterprise data.

RDP attacks remain a dangerous threat, so it’s paramount for organizations small and large using remote desktop systems to follow the above best practices and bolster security where necessary.


The post Addressing Remote Desktop Attacks and Security appeared first on eSecurity Planet.

Rainbow Table Attacks and Cryptanalytic Defenses
https://www.esecurityplanet.com/threats/rainbow-table-attack/ (Sat, 26 Feb 2022)

Rainbow table attacks are an older but still effective tactic for threat actors targeting password database vulnerabilities.

Today’s advanced persistent threats might elect for more sophisticated methods like remote desktop protocol (RDP) attacks, but cryptanalytic attacks – the inspection of cryptographic systems for vulnerabilities – remain a legitimate concern in the landscape of cybersecurity threats.

Rainbow table attacks are an effective tactic for threat actors targeting password databases that lack adequate privacy and security protections. Practices like password salting and keeping hash algorithms current are crucial for combatting rainbow table attacks.

This article looks at rainbow table attacks, how rainbow tables work, best practices for defending against cryptanalytic attacks, and more.

What are Cryptanalytic Attacks?

A cryptanalytic attack is one where unauthorized actors breach a cryptographic security system through exhaustive searches for information related to the encryption scheme. In the password context, cryptanalytic attacks target operating systems that purposely avoid storing passwords in plaintext and, instead, store a cryptographic hash of each password.

Cryptanalysts or malicious actors can use basic information about the cryptographic scheme, plaintext, or ciphertext to decipher encrypted communications.

Cryptology: Cryptography vs Cryptanalysis

Cryptology is the computer science discipline concerning the secret storing and sharing of data. The development of cryptology has been critical to safeguarding data for government agencies, military units, companies, and today’s digital users. The study of codes divides into:

  • Cryptography: the methodology and applications for encrypting data.
  • Cryptanalysis: the processes and methods to break codes and decrypt messages.
Diagram: the relationship between cryptography and cryptanalysis as parts of cryptology. Plaintext passes through an encryption scheme to produce ciphertext, which can be decrypted back to its plaintext form. Cryptographers manage the encryption scheme in the name of cryptography, while cryptanalysts test and penetrate the encryption scheme in the name of cryptanalysis.

What are Cryptanalysts?

Cryptanalysts are commonly responsible for penetration testing cryptographic systems, for example by attempting to derive plaintext from ciphertext. Enterprises often hire cryptanalysts to develop encryption algorithms (ciphers) and analyze cryptographic security systems.


Common Types of Cryptanalytic Attacks

Type of Attack | Cryptanalyst Task
Ciphertext Only (COA) | Decrypt message(s) with no additional information
Known-Plaintext (KPA) | Find the encryption key with some information
Chosen Plaintext (CPA) | Evaluate encryption key with chosen plaintext inputs
Adaptive Chosen Plaintext (ACPA) | Evaluate encryption key with advanced CPA method
Chosen Ciphertext (CCA) | Evaluate encryption key with chosen ciphertext inputs
Meddler-in-the-Middle (MITM) | Manipulate encryption of a communication channel
Dictionary Attack | Test password files by encrypting dictionary words

What is a Rainbow Table?

Rainbow tables are key-value tables of known hashes and the inputs that produce them under a given cryptographic security system. These pre-computed datasets allow a password-cracking actor to work backward from the ciphertext. Though precomputing the table can be time-consuming, once built the key-value table enables cryptanalysts and threat actors to execute a rainbow table attack.

What is a Rainbow Table Attack?

Rainbow table attacks exploit cryptographic hash functions to breach authorized account access. Threat actors who obtain an organization’s password database can use the hash information for its passwords to craft a matching rainbow table. From there, the rainbow table gives the hacker or cryptanalyst a map from each password hash back to its plaintext.


Defending Against Rainbow Attacks

Moving Away from the Password

Multi-Factor Authentication

A critical feature offered by most services today for combatting password attacks is the ever-encouraged two-factor authentication (2FA) and multi-factor authentication (MFA). Going beyond just a password, 2FA and MFA add at least one more form of authentication and prevent standalone rainbow table attacks.

Passwordless Authentication

Passwordless authentication continues to be an important trend in the fight to secure the accounts of clients, personnel, and users at large. Examples of popular passwordless methods include:

Password Salting

Before a password takes on its hash form, a standard security hardening practice known as “salting” adds a unique string of characters to the plaintext password. These strings, or salts, are stored and known to the web application service provider and give accounts an additional layer of security beyond the user’s intended password.

Using the same salt across account passwords is better than no salting; however, using unique salts for each password provides even more robust security. This salting and hashing of passwords further complicates an actor’s effort to gain access.

Eyes on Hashing Algorithms

Cryptographic hashing algorithms are the mathematical processes transforming user input data into ciphertext, making the framework of choice an essential part of the password security formula. Examples of hashing algorithms like SHA, RSA, BLAKE, and MD offer cryptographers efficient and reliable computation where the same input will always receive the same output.

Though a hashing algorithm itself cannot be run in reverse, that immunity extends to rainbow table attacks only when secure policies, such as salting, are in place for password databases.
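As an added example serving both the salting section and the hashing-algorithm section above (not code from the article), this Python block builds a small precomputed lookup table of unsalted SHA-256 digests, a stand-in for a rainbow table, and shows that a per-user random salt with a slow PBKDF2-HMAC-SHA256 hash leaves that table with nothing to match. The wordlist, iteration count and helper names are this example’s assumptions.

```python
"""Salted, iterated password hashing versus a precomputed hash table.

Added example for this article (not eSecurity Planet code). It precomputes
unsalted SHA-256 digests for a constructed wordlist, a stand-in for a rainbow
table, which stores the same hash-to-password mapping more compactly, and
shows why a per-user salt plus a slow hash (PBKDF2-HMAC-SHA256 here; the
iteration count is this example's choice) defeats the precomputed table.
"""
import hashlib
import hmac
import os

# Constructed wordlist standing in for the attacker's precomputed inputs.
WORDLIST = ["123456", "password", "letmein", "qwerty", "welcome1"]
ITERATIONS = 600_000   # example setting; raise as hardware allows


def unsalted_hash(password):
    """The weak legacy scheme: one bare SHA-256 digest per password."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute digest -> plaintext once; reusable against every unsalted
    database that uses the same algorithm."""
    return {unsalted_hash(w): w for w in words}


def lookup(table, hex_digest):
    """Work backward from a stolen digest to its password, if precomputed."""
    return table.get(hex_digest)


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store a password as (salt, digest) with a fresh 16-byte random salt.
    The salt is not secret; it only has to be unique per account."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def compare_schemes(password="letmein", iterations=ITERATIONS):
    """Show the same weak password under both schemes. Returns a dict of
    observations rather than printing so the result can be checked."""
    table = build_lookup_table(WORDLIST)
    salt_a, digest_a = hash_password(password, iterations=iterations)
    salt_b, digest_b = hash_password(password, iterations=iterations)  # 2nd account
    return {
        "unsalted_recovered": lookup(table, unsalted_hash(password)),  # "letmein"
        "salted_recovered": lookup(table, digest_a.hex()),            # None
        "same_digest_for_two_accounts": digest_a == digest_b,         # False
        "login_works": verify_password(password, salt_a, digest_a, iterations),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```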


History of Rainbow Tables

Early Development by Hellman and Rivest

Cryptanalytic attacks required exhaustive compute power, and storing the complete search in memory wasn’t feasible before 1980. In 1976, Martin Hellman was among the computer science researchers breaking ground on public-key cryptography with the Diffie-Hellman-Merkle key exchange. Four years later, cryptographer Ron Rivest – the R in RSA – worked on a similar cryptanalytic method that reduced time to breach through distinguished points and pre-calculated data stored in memory.

Oechslin’s Cryptanalytic Time-Memory Trade-Off

In 2003, Swiss computer scientist Philippe Oechslin published Making a Faster Cryptanalytic Time-Memory Trade-Off, building on Hellman and Rivest’s original work to develop what we know today as rainbow tables. Oechslin’s proposed method cut the number of calculations needed during cryptanalysis by a factor of two, making rainbow tables an advanced form of time-memory trade-off and resulting in a swifter password cracking process.

Findings from Oechslin’s report showing the difference between classic and rainbow methods when tested against a Microsoft Windows password hash.

Are Rainbow Table Attacks Still A Threat?

Yes. Though attack tactics, techniques, and procedures (TTPs) evolve, rainbow attacks remain a threat to organizations failing to practice adequate password security. Security administrators must be aware of their cryptographic scheme to ensure continued data privacy.

Rainbow tables also raise the broader question of the future of cryptanalysis and cryptanalytic attacks from quantum computers. The development of post-quantum cryptographic algorithms is a significant step and crucial to securing future communications and data.


The post Rainbow Table Attacks and Cryptanalytic Defenses appeared first on eSecurity Planet.

Doxing Attacks: From Hacker Tool to Societal Problem
https://www.esecurityplanet.com/threats/doxing/ (Sat, 26 Feb 2022)

The malicious attack known as doxing has gone far beyond hacker tool, with the threat now extending to most digital platforms and making nearly anyone a target.

Today, doxing continues to be an intimidating prospect for digital users and is a mainstream data security problem. Online users can have a great deal of anonymity, but the growth of digital platforms makes obtaining information more accessible than ever. With any public-facing or dormant digital presence, threat actors can weaponize personal information to humiliate the victim, extort them, or conduct further malware attacks.

This article looks at doxing, how it works, types, best defensive practices, and what to know about the mainstream digital attack.

What is Doxing?

Doxing – abbreviated from “dropping documents” – is a form of Open Source Intelligence (OSINT) where an actor publicly shares online information or data about a specific individual or group of individuals. Doxing often reveals identifying information about an adversary and is almost always a malicious attack to hurt the victim.

A Brief History of Doxing

Doxing is a term that first originated alongside the boom of the internet and black hat culture. Within the hacking community, doxing is an intimidation tactic to unmask the otherwise anonymous details of another user. With user interactions expanding to entire communities and remote connections, doxing is easier than ever and present across today’s social media platforms.


What Documents Are Getting Dropped?

  • Personal Details: home address, phone number, workplace, criminal history
  • Financial Information: social security number, banking, credit report, digital wallet
  • Other Personal: private communications, personal data, embarrassing details

How Does Doxing Work?

Finding Documents

The list of tactics, techniques, and procedures (TTPs) used by threat actors to gain another user’s data is extensive. Common searches include scanning public records, phone records, social media, and WHOIS domain information. Meanwhile, more advanced threat actors will utilize IP addresses, packet sniffing, and dark web data brokers to obtain personal details. Another widely used tactic for information gathering is phishing, which engages and manipulates another user’s trust.

Publishing Documents

Upon obtaining the documents in question, threat actors can use the information as they please. Hackers can publish their findings under an anonymous account on a popular social media platform or another public-facing channel. In either circumstance, the hacker makes the personal details more accessible to other users by collecting and sharing the information.


Types of Doxing Attacks

Deanonymizing | Revealing personal identifiable information of an anonymous individual
Targeting | Private or obfuscated personal information revealing circumstances
Delegitimizing | The disclosure of intimate details to damage an individual’s credibility

More niche examples of doxing include:

  • Breach Doxing: the unintentional dropping of documents via a data breach or leak.
  • Revenge Doxing: targeting individuals as a form of revenge.
  • Swatting: targeting individuals via emergency tip to public authorities.
  • Criminal Doxing: targeting individuals with harmful intent.
  • Faulty Doxing: targeting of an unintended individual.
  • Corporate Doxing: targeting a specific business and personnel.
  • Celebrity Doxing: targeting a celebrity’s personal information.
  • Intellectual Property Doxing: targeting a company’s proprietary data.

Defending Against Doxing

Keeping a low profile online can be difficult in an era where a brand is everything. Personal details about users – whether inadvertently available on social media or through a data breach on a long inactive account – are everywhere, giving persistent threat actors plenty to utilize.

  • Practice cybersecurity hygiene, including strong passwords and MFA
  • Scrub data from data broker sites or obsolete profiles and accounts
  • Differentiate usernames and passwords between accounts
  • Separate email accounts for distinct purposes
  • Evaluate privacy settings and public info for social accounts
  • Hide domain registration and protect IP with VPN
  • Tread lightly with app permissions and minimize disclosure of personal information
  • Avoid malicious interactions and stay vigilant with trust online

Proposal for Action: Dox Yourself

Don’t believe you have anything to hide? Industry analysts offer a simple challenge: check how easy it is to dox yourself. Data owners can evaluate their current risk posture regarding a doxing attack and take steps for remediation.

Evaluate Doxing Risks

From Google to Twitter and LinkedIn, searching for a first and last name can reveal a lot about an individual or company.

The pedestrian user may not know or care about their privacy settings. Still, threat actors are well aware of publicly visible information on social media, personal websites, and other digital platforms. Individuals and organizations with a longstanding digital presence have even more content for threat actors to parse through in search of a humiliating tweet or picture.

In addition to popular websites, users must also consider data breaches and existing digital accounts. Disasters and attacks for web service providers can result in emails, passwords, and more being published and exposing account user information.

Users can check if their email or phone was compromised in a data breach on Have I Been Pwned? Hopefully, no pwnage is found!

Remediate and Continually Audit

Though personal details like a mobile phone number, email accounts, or home address on an online CV may seem harmless, this information is vulnerable to misuse. Creating phone and email accounts specific to public-facing purposes is a popular preventative measure.

Across digital platforms and accounts, users should ensure all settings meet their privacy and cybersecurity expectations. In evaluating doxing risks, users with compromised credentials must act with haste to change any other accounts carrying the same username and password. In the same vein, users should consider deleting dormant accounts to avoid additional exposure.

If the user isn’t going off the grid entirely, preventing doxing or other attacks against one’s privacy means proactive monitoring. Users should conduct regular audits of publicly available data about themselves. Keeping up with current events is also an invaluable part of securing data as a user can act quickly to remediate the potential exposure.


The Unintended Victims of Doxing

Never mind the real threat doxing poses to its intended targets: a disturbing number of instances show the original documents published to be inaccurate and the recipient of the post-doxing reactions misidentified. These cases often lead to digital or in-person harassment and reputational damage for individuals who have no idea why they are being attacked.

Notable Doxing Attacks

When | Attack Details
August 2017 | After the “Unite the Right” rally in Charlottesville, Virginia, online users misidentified an attending protester as University of Arkansas assistant professor Kyle Quinn. Quinn was met with a barrage of harassment before online users learned it was not the same individual.
August 2014 | Known as “Gamergate,” several notable women in the video game industry were targeted in an online harassment campaign and doxing. Noted as a backlash to increasing feminism in gaming, victims received extensive attacks at the time and for years after.
August 2014 | Known as “The Fappening,” a threat actor published 500 private pictures of celebrities to 4chan before their broader circulation. Apple stated the threat actor executed spear-phishing attacks to access the vendor’s cloud services suite, iCloud. In 2018, George Garofano pleaded guilty to the attack.
March 2013 | Multiple celebrities and political figures, including Kim Kardashian, Ashton Kutcher, Jay-Z, Joe Biden, and Hillary Clinton, had their financial details doxed. In 2015, Mir Islam pleaded guilty to the attack. The US DOJ detailed the string of attacks in 2013 against dozens of victims.

The post Doxing Attacks: From Hacker Tool to Societal Problem appeared first on eSecurity Planet.
