Sreenivas Gukal
|
October 27, 2021
Acalvio ShadowPlex Awarded FedRAMP Ready Status by US government
Today we are pleased to announce that Acalvio’s cloud-based ShadowPlex Active Defense platform has been awarded FedRAMP Ready status by the US Government’s General Services Administration. This award demonstrates to federal agencies, and to the broader security community, Acalvio’s commitment to offering threat management solutions for even the most demanding environments. ShadowPlex is the first deception solution to attain FedRAMP Ready status in the FedRAMP Marketplace, which gives federal agencies the assurance they need to proceed with evaluations or initial purchases of our solution. FedRAMP was initiated in 2011 as a government-wide program to define mandatory security standards for cloud services. The intent was to accelerate federal cloud adoption by establishing a marketplace of secure cloud service providers (CSPs). “FedRAMP Ready” requires a CSP to submit to an audit of dozens of security controls by an authorized third-party assessment organization (3PAO). The controls are drawn from NIST SP 800-53, one of the most stringent control sets in existence. “The United States faces persistent and increasingly sophisticated malicious cyber campaigns that threaten the public sector”, says President Biden’s May 2021 Executive Order. FedRAMP has been tasked with the federal cloud-security strategy for cloud services. Federal agencies are under constant attack and require Active Defense strategies that go beyond passive approaches. Acalvio ShadowPlex not only adheres to the strict FedRAMP security controls, but also helps implement stronger cyber security standards for federal departments and agencies by providing Active Defense. Acalvio has passed the control evaluation at the FedRAMP Moderate level for our SaaS-based ShadowPlex Deception service, placing us in Ready status. The 3PAO has attested to our security capabilities, and a Readiness Assessment Report has been reviewed and deemed acceptable by the FedRAMP Program Management Office.
We invite federal agencies and other public sector entities to trial and deploy the solution with confidence.
Tanmoy S
|
September 22, 2021
Microsoft Active Directory Security Part 3: A Deception-Based Approach
In a previous blog, we provided an overview of the AD attack surface and AD attack paths. In Part 3 of this series, we explore Acalvio’s Active Directory (AD) security solution, which is designed to protect AD against advanced persistent threats (APTs). Cybersecurity defense is a moving target. New and sophisticated attack variants appear continuously, and APTs constantly revise their strategy and seek weaknesses in business security implementations, making it imperative for enterprises to continuously refine their security stack. Organizations often use either siloed security tools or a combination of multiple cybersecurity products that each collect huge volumes of data independently. The result is disparate and disconnected systems. While standard security solutions offer capabilities for detecting and preventing a range of Active Directory attacks, they provide only a limited defense against advanced threats to Active Directory. Cybersecurity requires an integrated strategy that augments standard security tools with an advanced deception platform to effectively protect enterprises from Active Directory exploits. Acalvio ShadowPlex offers a differentiated, best-in-class AI-based deception solution for Active Directory security. The combination of deceptions with AI-powered analytics serves as a powerful mechanism to protect the enterprise from known and new variants of Active Directory attacks such as AS-REP Roasting, DCSync, Kerberoasting, Unconstrained Delegation abuse, and Pass-the-Hash, among others. This approach is built on Acalvio’s unique and powerful Active Directory Protection Kill Chain.
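The post names Kerberoasting and AS-REP Roasting as attacks that decoys can expose but does not show what such a detection looks like. The following is an added example, written for this page and not Acalvio’s or ShadowPlex’s code: it reads exported Windows Security events (4769 TGS requests and 4768 TGT requests, using their standard field names) and raises an alert whenever a ticket is requested for a decoy account. The decoy account names, the JSON-lines export format and the sample events are all constructed for the example.

```python
"""
Added example (not Acalvio's code): deterministic detection of Kerberoasting
and AS-REP Roasting attempts against decoy (honey) AD accounts, from an
exported Windows Security log.

Assumptions not taken from the post:
- Events are exported as JSON lines carrying the standard 4768/4769 fields.
- The decoy accounts below were planted by us; the names are hypothetical.
"""
import json

# Decoy service accounts we registered an SPN for (hypothetical). No real
# workload authenticates to them, so any TGS request naming them is a
# Kerberoasting attempt by whoever holds the requesting account.
DECOY_SPN_ACCOUNTS = {"svc-backup-legacy", "svc-sql-reporting"}

# Decoy user accounts we configured with "Do not require Kerberos
# preauthentication" (hypothetical). A TGT request for them with
# PreAuthType 0 is an AS-REP Roasting attempt.
DECOY_NO_PREAUTH_ACCOUNTS = {"j.doe-contractor"}

# Roasting tools ask for RC4 so the resulting hash cracks quickly; a match
# here corroborates the decoy hit but is not required for the alert.
RC4_HMAC = "0x17"

# Constructed sample export: two benign events, two decoy hits, one benign.
SAMPLE_LOG = "\n".join([
    '{"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "CORP-FS01$", '
    '"TicketEncryptionType": "0x12", "IpAddress": "10.1.5.20"}',
    '{"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc-sql-reporting", '
    '"TicketEncryptionType": "0x17", "IpAddress": "10.1.7.44"}',
    '{"EventID": 4768, "TargetUserName": "alice", "PreAuthType": "2", '
    '"TicketEncryptionType": "0x12", "IpAddress": "10.1.5.20"}',
    '{"EventID": 4768, "TargetUserName": "j.doe-contractor", "PreAuthType": "0", '
    '"TicketEncryptionType": "0x17", "IpAddress": "10.1.7.44"}',
    '{"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "CORP-SQL02$", '
    '"TicketEncryptionType": "0x12", "IpAddress": "10.1.7.44"}',
])


def parse_events(text):
    """Parse a JSON-lines export into event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Return an alert dict if the event touches a decoy account, else None."""
    eid = event.get("EventID")
    etype = event.get("TicketEncryptionType", "")
    if eid == 4769:
        # 4769: TargetUserName is the account that asked for the service
        # ticket; ServiceName is the account/SPN the ticket was issued for.
        service = event.get("ServiceName", "").lower()
        if service in DECOY_SPN_ACCOUNTS:
            return {
                "technique": "Kerberoasting",
                "decoy": service,
                "requester": event.get("TargetUserName"),
                "source_ip": event.get("IpAddress"),
                "rc4_requested": etype == RC4_HMAC,
            }
    elif eid == 4768:
        # 4768: TargetUserName is the account a TGT was requested for;
        # PreAuthType "0" means the request carried no pre-authentication.
        target = event.get("TargetUserName", "").lower()
        if target in DECOY_NO_PREAUTH_ACCOUNTS and event.get("PreAuthType") == "0":
            return {
                "technique": "AS-REP Roasting",
                "decoy": target,
                "requester": None,  # no requesting identity; the client IP is the lead
                "source_ip": event.get("IpAddress"),
                "rc4_requested": etype == RC4_HMAC,
            }
    return None


def detect(text):
    """Run classify() over an export and return the list of alerts in order."""
    return [a for a in (classify(e) for e in parse_events(text)) if a]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Because the decoys have no legitimate consumers, the rule needs no threshold: one matching event is the alert, and the requester name (for 4769) or client IP (for 4768) tells the SOC where the attacker is operating from.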
Tanmoy S
|
July 20, 2021
Microsoft Active Directory Security Part 1: Understanding the Attack Surface
An Active Directory (AD) compromise has been at the core of several cyberattacks, such as the SolarWinds hack and the ransomware attack on Colonial Pipeline. Potential vulnerabilities, such as nOAuth in Microsoft Azure Active Directory, have been identified by security researchers. When the first version of Microsoft Active Directory was released two decades ago, it was built on a philosophy of inherent trust within the boundaries of a network. Given these legacy architectural principles, Active Directory security is a challenge. As an enterprise grows, new users, computers, applications, and cloud services are added to the enterprise network. Each addition is a new object that is managed in AD. Administrators must set up new accounts, grant required permissions to these accounts, and enable these accounts to communicate with devices and applications. These factors make Microsoft Active Directory security very complex. In this 3-part series, we look at protecting Microsoft Active Directory, which is central to most enterprise architectures. The series covers understanding the AD attack surface, a look at attack paths, and how advanced deception can be used to protect AD. This first blog discusses the AD attack surface and the Microsoft Active Directory weaknesses that attackers exploit to move laterally, escalate privileges, and maintain persistence in the enterprise network.
Team Acalvio
|
July 1, 2020
Massive Breach Hit Diagnostic Lab in Healthcare
Yet another massive breach hit the health care industry this June with Quest Diagnostics’ disclosure that the personally identifiable information (PII) of 11.9 million patients may have been accessed in another high-profile cyber breach. The data was held in systems managed by the American Medical Collection Agency (AMCA) of New York, a billing collector and business associate of Quest Diagnostics. On May 14, 2019, AMCA notified Quest Diagnostics of “potential unauthorized activity” on AMCA’s web payment page. It appears that between August 1, 2018 and March 30, 2019 an unauthorized user had access to the AMCA system that contained confidential PII on Quest Diagnostics patients. This likely included financial information (credit cards, bank account information) as well as other personal information such as medical records, personal identity, and social security numbers. Early evidence seemed to indicate that attackers gained access to the AMCA website and then ran a “man in the middle” attack. This enabled the attackers to access payment and other personal information entered by website visitors. It does not appear that laboratory test results internal to Quest were accessed, but the attackers did get whatever medical information was entered through the AMCA website. AMCA was primarily part of a collection process used by Quest to track down customers, which also involved a company called Optum360 that processes payments. Note that Quest Diagnostics, like many other health care institutions, was also breached earlier, in 2016. Late in 2016 Quest disclosed a data breach that impacted about 34,000 medical records, including PII such as dates of birth, lab results, and names. At that time, the attackers exploited an improperly secured mobile application to gain access to the breached records. Quest Diagnostics has certainly not been alone.
In 2018, hackers breached the network at Laboratory Corporation of America (LabCorp), one of the largest clinical laboratories in the United States. Following the detection of “unauthorized activity” on the LabCorp networks, internal networks were temporarily shut down while the breach was investigated. The number of successful cyber attacks on the health care industry is growing every year, whether measured by records breached, number of institutions breached, growth in ransomware, or other key metrics. The data on major data breaches, specifically those impacting more than 500 patients, is available in the HHS OCR database, which anyone can access here: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf. This portal lists the major breaches and can be sorted to identify those caused by “Hacking/IT Incidents.” Central to this theme is that Quest, AMCA, and LabCorp all likely have many best-in-class security controls installed. They no doubt have strong cyber security teams, and these teams likely follow industry best practices to reduce and minimize the chance of a breach. Quest, AMCA, and LabCorp face the same problem that faces all commercial institutions and governments today. Most of the legacy strategies and best practices in use today depend on keeping attackers out by vigorously defending a perimeter. Some attention is paid to the internal networks, and hospitals have certainly been aggressive in implementing network segmentation to protect medical devices, but this is still not enough. We know today that sophisticated attackers will very probably get into health care networks. At some point they will get past all of the IDS/IPS systems, the next generation firewalls, network segmentation, and endpoint detection and response capabilities. It takes only one successful intrusion to result in a potentially disastrous breach.
New technology sets must be deployed to reduce the attacker’s dwell time within the network to the absolute minimum, and they must be put in play to counter the latest attacker tactics and techniques. You don’t need to outrun the tiger; you just need to outrun its next target of opportunity. Said differently, you don’t need to stop every perimeter breach (you cannot do this anyway), but you do need to stop the attacker’s progress along the kill chain before they can exfiltrate your data. Consider that Quest’s business associate, AMCA, per the reports released, likely had these attackers within its networks for eight months or more before they were detected. Deception technology can help reduce dwell times such as these, perhaps very substantially. A rapidly emerging technology set that is new to health care best practice, deception technology has exceptional efficacy in finding these attackers and helping you stop them. Over the past few years, first movers have deployed deception technology in hospitals, physician practice groups, surgical centers, long term care facilities, diagnostic laboratories, MRI/CT centers, and other key parts of the extended health care ecosystem. Deception works particularly well to help protect the sea of internet of things (IoT) and medical devices that are pervasive within health care networks. When an attacker touches just one of the camouflaged deception decoys within your diagnostic lab network, deception technology delivers a highly accurate, high-confidence alert to your health care security operations team. The attackers are decisively identified and can then be stopped. In summary, highly responsible and capable firms like LabCorp, AMCA, and Quest, and many other health care institutions, will continue to be targets of cyber attackers, and it is virtually certain that attackers will penetrate every health care network at some point.
The question becomes, “how will you rapidly detect them and shut them down?” At almost every move or turn they make, Acalvio ShadowPlex can be in their path. Once they touch a deception decoy, ShadowPlex identifies them with very high certainty and generates alerts of the highest integrity and importance for your SOC team. To find out more about ShadowPlex, please review our resource page here: /resources-and-documents/ or contact us for a free trial. We’d be delighted to share more about our technology and how it can help secure health care networks.
Team Acalvio
|
March 26, 2020
The Most Dangerous Threats to the Cloud
The digital transformation has been powered by several factors, the most important of which is the rapid move to the cloud. It is estimated today that 90 percent of organizations use some type of cloud service and that 60 percent of organizations use cloud technology to store confidential data. Approximately 83 percent of enterprise workloads are expected to be in the cloud by 2020. Yet despite the benefits of the cloud, most IT professionals say that security is their number one concern when they adopt a cloud computing strategy. The move to the cloud has exposed a multitude of new vulnerabilities and weaknesses, and cyber attackers have moved aggressively to take advantage of them. There are eight key areas in which the cloud has introduced new and expanded risk. Let’s take a look at them individually.

Data Breaches
We all know a data breach when we see one. A data breach usually involves the exfiltration and theft of confidential or sensitive data, perhaps subject to regulatory compliance, by an organization or individual not authorized to access it. The risk of a data breach is not unique to cloud computing, but it is a trending topic because of the many visible cloud breaches now reported in the media and the press.

Insecure Application Program Interfaces (APIs)
The cloud has brought many new application program interfaces for customers to use when interacting with their cloud services. Many functions, such as logging, monitoring, orchestration set-up, administration and management, and provisioning, all depend on these APIs. These interfaces are also used to configure the most sensitive security controls, such as encryption, which, when broken, can expose large amounts of data to theft. Because these APIs are reachable from IP addresses outside the organization, they are subject to continual and ongoing attack.

Account Hijacking
Accounts have been compromised through phishing and related attacker techniques for many years. Given the reuse of passwords, this attack vector is quite successful for the diligent attacker. Once an attacker obtains these credentials, they can begin to gather more sensitive data and to manipulate many aspects of your business.

Malicious Insiders
It is a fact that many data breaches are caused by malicious insiders. This creates an obvious conundrum: not all malicious activity is anomalous, and not all anomalous activity is malicious. These are the hardest attacks to discover, as insiders often hold the permissions required to move through clouds and networks unimpeded.

Data Loss
Everyone is concerned about unauthorized access to data and data theft, but most never really expect to have their data completely lost or destroyed. Yet this is what many organizations face due to new threats like advanced ransomware as a service (RaaS). Data in the cloud can also be lost to physical catastrophes, administrative error, and other causes. For this reason, segregated data backup, offsite storage, and disaster recovery remain essential, and are even more necessary for cloud-based data.

Identity and Credential Access Management
The biggest and most obvious problem is the protection of password data. It is expected that attackers will penetrate your networks and cloud, and, when they do, they will target passwords and authentication data. Worse yet, that authentication data tends to be the same across multiple systems: when an attacker gets into one, they often get into other systems as well. One of the best mitigations is multi-factor authentication. It can reduce, though not always eliminate, the effectiveness of this attacker tactic.

General System Vulnerabilities
Vulnerabilities have been a problem across networks for many years. The multi-tenancy of the cloud unfortunately places tenants on shared memory and resources, creating an entirely new attack surface. This list of vulnerabilities continues to grow and varies by cloud provider.

Denial of Service Attacks
Denial of service (DoS) attacks are designed to shut down cloud access by flooding servers and networks with more traffic than they can process. The goal is to create extreme difficulty for the cloud service provider, shut down or severely slow its systems, and leave users worried about availability and performance.

There are also additional vulnerabilities arising from the use of shared technology in the cloud, risks due to advanced persistent threats, and much more. Given the high probability that an attacker will successfully breach your cloud platforms, the question becomes how you will detect and diagnose the attack, take steps to mitigate it, and successfully shut it down. Your goal is detection and mitigation. So long as you can interrupt the attacker’s kill chain, you have prevailed and your cloud remains secure. Many of the new technologies that protect clouds focus on authentication, encryption, digital rights management, data loss prevention (DLP), and configuration analysis. In the case of configuration analysis, errors that create security exposures can be identified and mitigated rapidly. Most other forms of attack are currently detected only by probabilistic approaches that analyze traffic and try to detect malicious and/or anomalous behavior. Unfortunately, attempts to score the relative probability of high-risk attacker behavior can generate huge numbers of spurious alerts. Set the alerting threshold too high and attackers slip through the system undetected; set it too low and there are so many alerts that triage becomes almost impossible. Acalvio ShadowPlex deception technology was designed to protect the cloud. ShadowPlex Cloud, released in 2018, is our mature deception platform and is designed to protect cloud assets. ShadowPlex Cloud detects malicious activity within your public cloud environments rapidly and with virtually no false alerts. Deception is binary: either you are touching a deception asset or you are not. If you are, you have unambiguously violated security policy and your activity is to be considered highly suspect. The alerts generated by ShadowPlex Cloud represent a true and present threat of the highest urgency. Find out more about Acalvio and how deception technology can help you reduce risk and maintain compliance. We’d be pleased to introduce you to our latest technology and share information about customers that have used Acalvio ShadowPlex to protect health care institutions around the world.
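The post contrasts threshold-based anomaly detection, which trades missed attackers against alert noise, with the binary nature of a decoy hit. The following added example, written for this page and not Acalvio’s or ShadowPlex Cloud’s code, makes that trade-off concrete: it runs a simple volume-based anomaly rule at two thresholds and a decoy-asset rule over the same constructed CloudTrail-style records and counts true positives, false positives and misses for each. The principals, access key IDs, bucket names and the "distinct API actions per principal" feature are all constructed for the example.

```python
"""
Added example (not Acalvio's code): a threshold-based anomaly rule versus a
decoy-asset rule on the same constructed cloud audit records.

Assumptions not taken from the post: the record shape, the decoy access key
ID and decoy bucket name, the principal names and the anomaly feature are
all hypothetical and were chosen to keep the example self-contained.
"""
from collections import defaultdict

# Decoy credential and decoy bucket we planted (hypothetical IDs). Nothing
# legitimate uses them, so any use is an attacker already inside.
DECOY_ACCESS_KEYS = {"AKIADECOYKEY00000001"}
DECOY_BUCKETS = {"finance-archive-2017"}

# Constructed records: (principal, access_key, api_action, bucket_or_None).
# Benign automation ("role/ci-deploy", "role/backup") is deliberately busy.
SAMPLE_EVENTS = [
    ("role/ci-deploy", "AKIAEXAMPLECI0000001", "ListBuckets", None),
    ("role/ci-deploy", "AKIAEXAMPLECI0000001", "GetObject", "app-assets"),
    ("role/ci-deploy", "AKIAEXAMPLECI0000001", "PutObject", "app-assets"),
    ("role/ci-deploy", "AKIAEXAMPLECI0000001", "DescribeInstances", None),
    ("role/ci-deploy", "AKIAEXAMPLECI0000001", "RunInstances", None),
    ("role/ci-deploy", "AKIAEXAMPLECI0000001", "TerminateInstances", None),
    ("role/ci-deploy", "AKIAEXAMPLECI0000001", "GetCallerIdentity", None),
    ("role/ci-deploy", "AKIAEXAMPLECI0000001", "DescribeStacks", None),
    ("role/backup", "AKIAEXAMPLEBK0000001", "ListBuckets", None),
    ("role/backup", "AKIAEXAMPLEBK0000001", "GetObject", "app-assets"),
    ("role/backup", "AKIAEXAMPLEBK0000001", "PutObject", "backups-prod"),
    ("role/backup", "AKIAEXAMPLEBK0000001", "CreateSnapshot", None),
    ("role/backup", "AKIAEXAMPLEBK0000001", "DescribeSnapshots", None),
    ("user/alice", "AKIAEXAMPLEAL0000001", "GetObject", "app-assets"),
    ("user/alice", "AKIAEXAMPLEAL0000001", "PutObject", "app-assets"),
    ("user/bob", "AKIAEXAMPLEBO0000001", "DescribeInstances", None),
    ("user/bob", "AKIAEXAMPLEBO0000001", "StartInstances", None),
    ("user/bob", "AKIAEXAMPLEBO0000001", "StopInstances", None),
    # Compromised user: enumeration that brushes the decoy bucket ...
    ("user/carol", "AKIAEXAMPLECA0000001", "GetCallerIdentity", None),
    ("user/carol", "AKIAEXAMPLECA0000001", "ListBuckets", None),
    ("user/carol", "AKIAEXAMPLECA0000001", "ListObjects", "finance-archive-2017"),
    ("user/carol", "AKIAEXAMPLECA0000001", "GetObject", "finance-archive-2017"),
    ("user/carol", "AKIAEXAMPLECA0000001", "ListUsers", None),
    ("user/carol", "AKIAEXAMPLECA0000001", "GetSecretValue", None),
    # ... and a single call with the decoy key found in a config file.
    ("user/svc-legacy-export", "AKIADECOYKEY00000001", "GetCallerIdentity", None),
]

# Ground truth for the constructed data, used only to score the two rules.
ATTACKER_PRINCIPALS = {"user/carol", "user/svc-legacy-export"}


def distinct_actions(events):
    """Anomaly feature: number of distinct API actions seen per principal."""
    actions = defaultdict(set)
    for principal, _key, action, _bucket in events:
        actions[principal].add(action)
    return {p: len(a) for p, a in actions.items()}


def threshold_alerts(events, threshold):
    """Probabilistic-style rule: alert on principals at or above the threshold."""
    return {p for p, n in distinct_actions(events).items() if n >= threshold}


def decoy_alerts(events):
    """Deception rule: alert on any principal that touches a decoy asset."""
    return {
        p for p, key, _action, bucket in events
        if key in DECOY_ACCESS_KEYS or bucket in DECOY_BUCKETS
    }


def evaluate(alerted, attackers):
    """Score a set of alerted principals against the known attacker set."""
    return {
        "true_positives": len(alerted & attackers),
        "false_positives": len(alerted - attackers),
        "missed": len(attackers - alerted),
    }


if __name__ == "__main__":
    for t in (4, 7):
        print(f"threshold={t}:", evaluate(threshold_alerts(SAMPLE_EVENTS, t), ATTACKER_PRINCIPALS))
    print("decoy rule:", evaluate(decoy_alerts(SAMPLE_EVENTS), ATTACKER_PRINCIPALS))
```

At a low threshold the busy CI and backup roles page the SOC alongside the compromised user; at a high threshold the compromised user is missed. Neither setting can see the single call made with the stolen decoy key, because a one-off request is never "anomalous" by volume, whereas the decoy rule flags both attacker principals with no false positives and needs no tuning.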