Between Two Alerts: Phishing Emails — Don’t Get Reeled In!

My Post (2)Potential attackers are really good at what they do. Security analysts see this firsthand with the amount of phishing emails their organizations see daily. A newly released State of the Phish report reveals that nearly 90% of organizations dealt with business email compromise (BEC) attacks in 2019. End users reported 9.2 million suspicious phishing emails globally for the year.

A BEC attack starts with a hacker spoofing emails to impersonate an organization’s internal email alias or a vendor email alias. Security analysts can spot these phishing emails fairly easily, but many employees can not. Hence, they fall for the trap and click on links within the email that they think are trustworthy. Once this happens, cybercriminals request personal or company information through what looks like a legitimate business transaction. Because it looks legitimate, the employees comply and the security analysts are left to clean up the mess.

What This Means

A successful BEC attack can result in the loss of sensitive information such as passwords, credit card numbers, account data and customer information. In a previous post, we highlighted that working from home has led to an increase in BEC and phishing threats. If organizations aren’t actively monitoring for threats — or are simply training their employees to report suspicious-looking emails to the cybersecurity team — attacks can and will fall through the cracks.

When employees report emails to the security team, this creates a manual workload for the Security Operations Center (SOC). This could result in 10-15 email investigations per day for a small organization, and up to 1,000 per day at a large financial institution. Each analyst could spend anywhere between 10 and 40 minutes to complete each investigation. That represents an overwhelming time commitment for even a large security team. It’s almost impossible for security teams to keep up, especially if they are forced to manually investigate these threats.

Consider an average SOC with around 10 full time employees who have to follow a manual process of investigating suspicious emails. The work is soul-crushingly tedious. These security analysts generally have to look through each email, pull out the attachments and/or web links, and then paste those artifacts into other security tools to find out if they are “known bad” or exhibit unwanted behaviors. Security tools like web reputation services, threat intelligence services, endpoint security, and sandboxes are all used simultaneously, or in a sequence, to investigate and resolve a phishing threat.

Analysts need to assemble all of this information, evaluate it, and then act to prevent further harm to the organization. It’s time-consuming and tedious.

How can security analysts accelerate their investigations and reduce their manual workload? – Read more

Learn More About Splunk

Zoom in on Security in a Remote Work World

My Post (1).pngOur world has been turned upside down by COVID-19. Whether it’s strategically planning our grocery run decontamination process, or trying to keep the kids quiet for even one single moment while on a conference call — things are different. One very evident difference is the change in the way we meet with each other. And one technology enabling this change is Zoom.

From a security perspective, this uptick in the use of Zoom brings to light some concerns and situational awareness that may previously have been paid much less attention. Fortunately, Splunk recently announced Splunk Remote Work Insights (RWI) designed to provide real-time visibility into disparate, remote-work-enabling systems, like VPN, Microsoft 365, Okta, and, you guessed it, Zoom. Even better, getting data in with Zoom and the JWT Webhooks modular input couldn’t be easier.

Better still, this data allows security practitioners to answer a number of the basic security questions that organizations have when it comes to Zoom. Meeting information like meeting duration, meeting attendees, and scheduled meeting dates can all be mined and used for security use cases and operational dashboards. However, some questions remain unanswered, chief among them are:

  • Are the meetings being secured properly?
  • How can we take proactive measures to educate and enforce meeting security?

The Zoom JWT Webhooks provides a very low friction way to bring a great deal of rich meeting data into Splunk, but it only tells part of the story. To get the rest, we must use the Zoom API, which thankfully provides everything you could ever want to know about your meetings.

The new Zoom App for Phantom provides a simple, user-friendly interface to this API to facilitate a variety of useful actions:

Meeting Enrichment

With only a meeting ID, the app can identify if scheduled meetings or meetings in flight are password protected and have the “waiting room” functionality turned on. You can eEven get a transcript of files transferred during meeting chat.

Meeting Modification

Upon identifying meetings that aren’t adhering to security best practices, meetings can be updated to require a password and enable the “waiting room” feature. Or, taking a more draconian approach, meetings can be removed from the schedule. – Read more

Learn More About Splunk

Coronavirus: Manage deploying working from home

My Post (1).pngWith no end in sight to COVID-19, for many people, a period of remote work is looking more and more inevitable. What we thought was the norm yesterday has changed and moved to a new norm today and so forth.

Many businesses are now implementing Working-from-Home (WFH) policies to ensure business continuity and to comply with the latest Government restrictions and advice.

Here are some tools companies can use to manage this new way of working using the latest technology with employee management systems;

  • Mobile App Sign in – allow your employees to sign on from home using their mobile phone and pinpoint their geo-location. You can ask them to select a pre-determined zone or add in a free text field ie. home address
              
  • Sign in Notifications – receive an email or SMS notification when your employees sign on and off for the day or you may choose just to view this data on a live dashboard.
  • Dashboards – have a clear view at any given time wherever you are of who is currently signed on or off in real-time data. View from your home PC or any smart device.
  • Online Working From Home Agreements – send out electronic WFH Safety Policies and Agreements that employees need to acknowledge. Send employees automated prompts if they haven’t completed the agreement before they commence WFH (this is an automated check upon sign in using the mobile app).
  • Questionnaires upon sign-on – build a questionnaire to be completed daily when employees sign-on. You can easily change the questions instantly for another day. All the data is collated into a spreadsheet and you can trigger actions automatically based on answers to any of these questions.

– Read more

 

Learn More About Visitor Management System