Archive for September, 2017

Announcing SentinelOne 2.0 Version

Wednesday, September 27th, 2017

SentinelOne has announced their new version, 2.0, introducing a simplified policy, improved prevention, detection, and response, and many more features, fixes, and enhancements. Their customers have been telling them what improvements they want to see in the product, and they’re responding. Let’s go over the most significant changes.

Simple Policy

SentinelOne’s policy was never complex, yet they simplified it further by removing any setting that was not 100% clear to their clients.

The new policy of 2.0 is a simple selection between “Protect” and “Detect”. Choosing “Protect” means complete automation and autonomy: SentinelOne takes responsibility for preventing and mitigating all threats. Choosing “Detect” means that you are running in EDR mode.

Another option you will find useful is the differentiation between Threats (high-confidence detections) and Suspicious activity, so you can assign them different policy modes. Try it out.

Controlling Engines

Under the hood of the SentinelOne agent, multiple engines are running and ensuring full visibility and detection of any malicious activity. SentinelOne recommends running all of its Static and Behavioral AI engines, but allows administrators to control them based on policy.

Prevention, Detection, and Response at Scale

Many have tested SentinelOne’s capabilities, and the results are available:

  • Static AI (DFI) prevents malicious files and variants from ever being executed on your devices.
  • Behavioral AI specializes in catching zero-day and unknown attacks based on their behaviour, including file-less and other new means to evade traditional AV solutions.

SentinelOne is always working on improvements. In the wild, we see more and more campaigns that don’t need to use files (WannaCry, EternalBlue, etc.). The reason is obvious: why expend effort on a file that will become a blocked signature in a few days? For instance, it is common for attackers to find a weak host on a network and use it to compromise other devices on the same network. SentinelOne has invested further in its behavioural AI engines to improve detection of such flows. When SentinelOne detects a risk, it already has the full context: users, processes, command line arguments, registry, files on the disk, external communication, and more.

Forensics Analysis Improvements

Once detected, it is helpful to identify the full context of the attempt, where it came from, and what it tried to do, even if it was automatically mitigated by “Protect” mode. To make this easy, SentinelOne improved what you see and what you can do. Starting in 2.0:

You can see:

  • Which of their engines detected it.
  • A link to the VirusTotal entry (for known threats) and to a Google search.
  • More forensics information, including the username, and the full command line arguments used by all processes during the incident.

You can do:

  • More exclusion options: by hash, path, certificate, file type, or browser type.
  • Quickly and easily exclude for each specific incident directly from the forensics analysis view.

Full Disk Scan

Many SentinelOne customers asked for the option to scan a device, and Full Disk Scan is now available for the Windows and macOS agents. Whether you are worried about dormant malware or concerned with issues of audit and compliance, you can choose a group from the console and initiate a scan, or just install using a flag that triggers the full disk scan. This is a great way to get value on day one.

More improvements starting in 2.0

  • Performance improvements (cross-platform)
  • Click-through EULA
  • SSO support for the management console login.
  • VSS disk space does not exceed 10% (unless configured by the administrator to a different limit).
  • Support tools and remote troubleshooting options for your agents.
  • Additional proxy options, including failover to direct connection (for roaming devices) and authenticated proxy.
  • The Auto-immune flow is improved and now works on verified threats only.
  • Document names are not sent to the console, unless malicious.
  • Support for Windows agent on a single core.

What’s next?

The SentinelOne team is already working on the next release, planned for later this year. It will have improved deployment flows, more reporting options, Agent configuration and more policy options, initial scan support (no reboot needed), and static detection indicators, for a better understanding of detection reasons.

Stay tuned!

View the original post by SentinelOne.

Palo Alto Networks Strengthens Ransomware Prevention Capabilities With New Traps Advanced Endpoint Functionality

Monday, September 25th, 2017

New Features Enable Customers to Prevent Malware and Kernel Exploit Attacks.

Palo Alto Networks, the next-generation security company, today announced enhancements to its Traps™ advanced endpoint protection offering that strengthen current ransomware prevention by monitoring for new techniques and ransomware behaviour and, upon detection, prevent the attack and resulting encryption of data.

As ransomware attacks continue to escalate in both sophistication and frequency, organisations are working quickly to protect themselves from falling victim to the next attack. According to Cybersecurity Ventures, ransomware will cost organisations more than $5 billion in 2017 – more than 15 times the cost of damages absorbed in 2015.

To protect themselves from the evolving threat of ransomware, most organisations deploy multiple security point-products and software agents on their endpoint systems, including one or more legacy antivirus products. The protections provided by these signature-based products continue to lag behind the speed of ransomware attacks, which can impact and spread throughout organisations in a matter of minutes compared to the hours or days it could take a customer to receive a signature update.

When combined with its existing ransomware prevention and other multi-method prevention capabilities, Traps offers effective ransomware protection and helps organisations avoid the business productivity losses associated with inaccessible data. Traps effectively secures endpoints with its unique multi-method prevention capabilities, combining multiple defensive techniques to prevent known and unknown attacks before they can compromise endpoints.

“Traps 4.1 takes endpoint security to the next level and continues to bring more innovative and impressive capabilities to address the modern threat landscape. The added ransomware capabilities and ease of deployment across Windows and MacOS clients further cement Traps as a necessary standard for any organisation serious about their endpoint security strategy.”
Bryan Norman, chief executive officer, Norlem Technology Consulting

“Ransomware attacks will continue to increase in frequency and sophistication for the foreseeable future, and with the new capabilities introduced today in version 4.1, Traps is better able to preemptively stop these attacks and protect our way of life in the digital age.”
Lee Klarich, chief product officer, Palo Alto Networks

Key advancements introduced in Traps version 4.1 include:

Behavior-based ransomware protection adds a layer of malware prevention to pre-existing capabilities without reliance on signatures or known samples. By monitoring the system for ransomware behaviour, upon detection, Traps immediately blocks the attack and prevents encryption of end-user data.

Enhanced kernel exploit prevention protects against new exploit techniques used to inject and execute malicious payloads, like those seen in the recent WannaCry and NotPetya attacks, by stopping advanced attacks from initiating the exploitation phase.

Local analysis for macOS provides added protection against unknown attacks for a growing macOS® user base.

Traps version 4.1 is generally available to Palo Alto Networks customers with an active support contract.

Traps advanced endpoint protection
Traps: Expanding Ransomware Protection for Current and Future Threats (blog post)
Palo Alto Networks Next-Generation Security Platform

View the original post by Palo Alto Networks.

First Half 2017 Breach Level Index Report: Identity Theft and Poor Internal Security Practices Take a Toll

Monday, September 25th, 2017

Gemalto, the world leader in digital security, today released the latest findings of the Breach Level Index, a global database of public data breaches, revealing 918 data breaches led to 1.9 billion data records being compromised worldwide in the first half of 2017. Compared to the last six months of 2016, the number of lost, stolen or compromised records increased by a staggering 164%. A large portion came from the 22 largest data breaches, each involving more than one million compromised records. Of the 918 data breaches, more than 500 (59% of all breaches) had an unknown or unaccounted number of compromised data records.

The Breach Level Index is a global database that tracks data breaches and measures their severity based on multiple dimensions, including the number of records compromised, the type of data, the source of the breach, how the data was used, and whether or not the data was encrypted. By assigning a severity score to each breach, the Breach Level Index provides a comparative list of breaches, distinguishing data breaches that are not serious versus those that are truly impactful.

According to the Breach Level Index, more than 9 billion data records have been exposed since 2013 when the index began benchmarking publicly disclosed data breaches. During the first six months of 2017, more than ten million records were compromised or exposed every day, or one hundred and twenty-two records every second, including medical, credit card and/or financial data or personally identifiable information. This is particularly concerning, since less than 1% of the stolen, lost or compromised data used encryption to render the information useless, a 4% drop compared to the last six months of 2016.

“IT consultant CGI and Oxford Economics recently issued a study, using data from the Breach Level Index and found that two-thirds of firms breached had their share price negatively impacted. Out of the 65 companies evaluated the breach cost shareholders over $52.40 billion,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “We can expect that number to grow significantly, especially as government regulations in the U.S., Europe and elsewhere enact laws to protect the privacy and data of their constituents by associating a monetary value to improperly securing data. Security is no longer a reactive measure but an expectation from companies and consumers.”

Primary Sources of Data Breaches

Malicious outsiders made up the largest percentage of data breaches (74%), an increase of 23%. However, this source accounted for only 13% of all stolen, compromised or lost records. While malicious insider attacks only made up 8% of all breaches, the number of records compromised was 20 million, up from 500,000, an increase of over 4,114% from the previous six months.

Leading Types of Data Breaches

For the first six months of 2017, identity theft was the leading type of data breach in terms of incidents, accounting for 74% of all data breaches, up 49% from the previous semester. The number of records compromised in identity theft breaches increased by 255%. The most significant shift was the nuisance category of data breaches representing 81% of all lost, stolen or compromised records. However, in terms of the number of incidents, nuisance type attacks were only slightly over 1% of all data breaches. The number of compromised records from account access attacks declined by 46%, after a significant spike in the 2016 BLI full year report.

Biggest Industries Affected by Data Breaches

Most of the industries the Breach Level Index tracks had more than a 100% increase in the number of compromised, stolen or lost records. Education witnessed one of the largest increases in breaches, up by 103%, with an increase of over 4,000% in the number of records. This is the result of a malicious insider attack compromising millions of records from one of China’s largest comprehensive private educational companies. Healthcare had a relatively similar amount of breaches compared to the last six months of 2016, but stolen, lost or compromised records increased 423%. The U.K.’s National Health Service was one of the top five breaches in the first half with over 26 million compromised records. Financial services, government and entertainment were also industries that experienced a significant jump in the number of breached records, with entertainment breach incidents increasing 220% in the first six months of 2017.

Geographic Distribution of Data Breaches

North America still makes up the majority of all breaches and the number of compromised records, both above 86%. The number of breaches in North America increased by 23% with the number of records compromised skyrocketing by 201%. Traditionally, North America has always had the largest number of publicly disclosed breaches and associated record numbers, although this is poised to change in 2018 when global data privacy regulations like the European General Data Protection Regulation (GDPR) and Australia’s Privacy Amendment (Notifiable Data Breaches) Act are enforced. Europe currently only had 49 reported data breaches (5% of all breaches), which is a 35% decline from the previous six months.

Related Resources:
– For a full summary of data breach incidents by industry, source, type and geographic region, download the First Half 2017 Breach Level Index Report
– Download the infographic here
– Visit the BLI website here

View original article by Gemalto.

SentinelOne Announces New Deep Visibility Module for Breakthrough IOC Search and Threat Hunting on the Endpoint

Thursday, September 14th, 2017

New Capabilities Enable Untethered View into All Endpoint Activities and Network Traffic – Encrypted and Clear Text.

SentinelOne, a pioneer in delivering autonomous AI-powered security for the endpoint, datacenter and cloud, today launched its new Deep Visibility module for the SentinelOne Endpoint Protection Platform (EPP), making it the first endpoint protection solution to provide unparalleled search capabilities for all indicators of compromise (IOCs) regardless of encryption and without the need for additional agents.

“We are bringing visibility to every edge of the network – from the endpoint to the cloud,” said Tomer Weingarten, CEO of SentinelOne. “Deep Visibility enables search capabilities and visibility into all traffic since we see it at the source and monitor it from the core. We know that more than half of all traffic is encrypted – including malicious traffic – which makes a direct line of sight into all traffic an imperative ingredient in enterprise defence.”

Deep Visibility extends the company’s current endpoint suite abilities to provide full visibility into endpoint data, leveraging its patented kernel-based monitoring, for complete, autonomous, and in-depth search capabilities across all endpoints – even those that go offline – for all IOCs in both real-time and historical retrospective search. SentinelOne EPP with Deep Visibility enables customers to fully automate their detection to response workflow while also gaining unprecedented insight into their environment.

Deep Visibility also empowers customers to gain insights into file integrity and data integrity by monitoring file characteristics and recording data exports to external storage.

Deep Visibility monitors traffic at the end of the tunnel, which allows an unprecedented tap into all traffic without the need to decrypt or interfere with the data transport. This, in turn, provides a rich environment for threat hunting that includes powerful filters, the ability to take containment actions, as well as fully automated detection and response.

Since Deep Visibility does not require an additional agent and is a holistic part of the SentinelOne EPP platform, it is fully integrated into the investigation, mitigation and response capability sets, including process forensics, file and machine quarantine, and fully automated, dynamic remediation and rollback capabilities.

Additionally, Deep Visibility does not require any changes to network topology and does not require any certificates for installation. Visibility into encrypted traffic further enriches forensics insights and empowers security analysts with more holistic investigation capabilities without impacting the end-user experience.

“Deep Visibility is a breakthrough that will redefine how we think about perimeters,” said Weingarten. “Gaining visibility into the data pathways marks the first milestone for a real, software-defined edge network that can span through physical perimeters, to hybrid datacenters and cloud services. This is the beginning of the network of the future.”

In addition to Deep Visibility, SentinelOne EPP will also offer several new capabilities that further enrich visibility into customer environments and threats. Key capabilities include:

  • Support for new platforms Amazon Linux AMI and Oracle Linux to expand visibility into critical server environments
  • Full disk scan support to discover latent threats
  • Richer forensics insights to help identify the source of threats and build attack storylines

Current SentinelOne customers can upgrade to a new agent with access to Deep Visibility by working with their customer success managers. Prospective customers can learn more about SentinelOne EPP and the new Deep Visibility capabilities here.
View the original article by SentinelOne.

A Deeper Dive Into GDPR: Due Diligence and Risk Mitigation

Thursday, September 14th, 2017

In the last entry in this series we covered GDPR’s breach notification requirements. Breach notification should be, for all of us, the scenario of last resort. Fortunately, GDPR treats it as such and emphasises preventative steps that protect data privacy. One of these steps is the expectation that organisations conduct due diligence to mitigate the organisational and technical risks to their data.

As we covered in our blog post on data control and integrity, Article 5 lays out a set of data protection principles. Section 2 of that article is the first step in understanding GDPR’s chain of data protection responsibility. It states:

“The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”

The ‘controller’ – as referenced throughout the regulation – is the organisation that collects data from the data subject. GDPR naturally lays responsibility for properly processing and controlling data at their feet. Yet it compounds that responsibility with a requirement to demonstrate their compliance – an obligation we explore in the data control blog post.

Their responsibilities continue in Article 24 (Responsibility of the controller), section 1, which states (emphasis mine):

1. “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”

For controllers, Article 24 section 1 joins the basic due diligence demanded by Article 5 with the obligation to mitigate risks based on the context of their operations.

GDPR doesn’t prescribe an approach to mitigating risk. Intimated here and articulated elsewhere in the regulation, GDPR expects organisations to conduct risk assessments and adopt accordingly the necessary technical and organisational measures. This is both a blessing and a curse for most organisations. While this gives organisations the freedom to choose solutions as they see fit, there is also no excuse for shirking their responsibilities. Here, again, GDPR is clear that the controller’s solutions must also allow them to demonstrate their compliance. This flexibility is the root of GDPR’s severe penalties – both its fines and breach notification obligations. Penalties are severe, but only because the level of negligence involved resulting in a data breach would be correspondingly significant. So, to satisfy GDPR, preventative efforts need to be demonstrable.

Yet, controllers aren’t the only ones on this journey. Part of what makes GDPR so far reaching is the fact that security responsibilities travel with the data. GDPR makes data processors responsible at the same time as controllers. No longer can a processor push security responsibility back on to their customers or vice versa. Article 28 (Processor) includes the following sections:

1. Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

2. The processor shall not engage another processor without prior specific or general written authorisation of the controller. In the case of general written authorisation, the processor shall inform the controller of any intended changes concerning the addition or replacement of other processors, thereby giving the controller the opportunity to object to such changes.

3. Processing by a processor shall be governed by a contract or other legal act under Union or Member State law, that is binding on the processor with regard to the controller and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the controller. That contract or other legal act shall stipulate, in particular, that the processor:

  1. processes the personal data only on documented instructions from the controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the processor is subject; in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  2. ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. takes all measures required pursuant to Article 32;
  4. respects the conditions referred to in paragraphs 2 and 4 for engaging another processor;
  5. taking into account the nature of the processing

In plain language, Article 28 essentially says:

  1. Organisations can only use processors that offer sufficient security guarantees
  2. Data processors cannot use other data processors without their customers’ agreement
  3. Processors and their clients must have contracts that articulate what data is involved and which security measures are in place.

The moral of the story is that whether your organisation collects data or processes it, there is no escape from GDPR. Its obligations attach to the data itself and travel wherever that data travels no matter how many steps removed from its origin.

So, how can controllers and data processors more easily manage this web of responsibilities? Much like the other topics we’ve covered, encryption and key management have a role to play.

As we pointed out earlier on this blog, encryption and key management are effective tools for establishing control of your data and ensuring its integrity. Unlike other security approaches, demonstrating compliance using encryption is relatively straightforward. By virtue of their central role in managing encryption, enterprise key managers offer a full view of an organisation’s data and how it is accessed, handled, moved, etc. The auditing and logging tools available in many key management solutions can be used to demonstrate compliance. When assessing data processors, organisations should consider how they are using encryption and key management in their service.

Since encryption attaches security directly to the data itself, as a solution, it addresses a wide range of risks – both known and unforeseen. As organisations conduct their risk assessments to decide the appropriate level of security, they can choose encryption to mitigate a wide range of risks. As a solution, encryption is a high-value option; it addresses a broad range of challenges, and it shows a proactive best effort approach to security that will reflect well in regulators’ eyes.

Lastly, encryption ensures the secure transfer of data between controllers and processors. Controllers that use encryption will be able to securely pass data to processors while retaining a measure of control. Either through key management or policy-backed access controls, controllers can ensure that the processors don’t use the data without their express written authorisation, an explicit GDPR requirement. Once authorised, processors become the new guarantors of the data’s security, and encryption and key management keep them in full control in order to preserve the data’s integrity and security.

May 2018 will be here before we know it; preparations need to start now. For nearly everyone, that will start with a risk assessment. The information from this assessment will play a critical role in the majority of GDPR security related decisions. GDPR demands that organisations proceed diligently, both in their own approach and their partners’ approaches to security. Fortunately, organisations like Gemalto are available to help navigate GDPR’s varied requirements and the solutions in the marketplace available to meet them. For more information on GDPR’s due diligence requirements along with other topical issues such as breach notification, security, and data control obligations, check out our expanded ebook, The General Data Protection Regulation.

View the original article by Gemalto.

SentinelOne: Addressing the Security-Encryption Paradox

Thursday, September 14th, 2017

Encryption is a critical partner to organizational security. Except when it isn’t!

It’s clear that encryption has a key role in ensuring that organizational data stays invisible and protected. Technology giants such as Google are pushing us towards encryption – whether it’s via prioritizing search results[1] or flagging unencrypted sites as unsafe[2]. WordPress, the most widely used content management system on the Web, is also ensuring that every site built using WordPress will use HTTPS as the default[3]. The average volume of encrypted traffic has now crossed the 50% mark – in other words more traffic on the network is now encrypted than is clear-text.

Figure 1: Growth in encrypted web traffic (Source: )

What does that mean in the context of security? This is obviously great news since organizations are taking security more seriously. But attackers, as we all know, are constantly challenging our ability to innovate – always looking for ways to hide as they infiltrate organizations. What better way to hide than within encrypted traffic – since it renders security solutions that rely on deep packet inspection in the data pathways blind to the traffic!

Attacks such as Dridex and Gootkit rely on this invisibility cloak to conceal their movements and exfiltrate information. Dell pointed out in its report[4] that this tactic was used in a crafty malvertising campaign in 2015 to expose as many as 900 million Yahoo users to malware by redirecting them to a site that was infected by the Angler exploit kit!

Protecting against these hidden attacks is going to be increasingly crucial for organizations to safeguard their information assets. Gartner predicts that more than 80 percent of enterprise web traffic will be encrypted by 2019[5]. Visibility into the encrypted traffic is the first step towards achieving security. But you’ve got to be able to achieve that without complicating your networks or impacting your user experience. Complicated deployments will increase the operational overheads and cause users to undermine security.

SentinelOne Deep Visibility can help you achieve the rich visibility and automate your threat protection, without the performance overheads. Click here to learn more about SentinelOne Deep Visibility.

Join us for a webinar with SentinelOne CEO, Tomer Weingarten, on September 20th, 2017 to learn how SentinelOne can help you address encrypted threats.

[5] Security Leaders Must Address Threats From Rising SSL Traffic

View the original article by SentinelOne.