Google Meet’s Video Platform Open to All

Click “Start a meeting” and a new window opens with a unique, secure meeting for you to join and then share with others. You can also easily join meetings shared with you by entering a meeting code. And you can plan video meetings and invite others directly from Google Calendar.

Because video meetings have never been more important, we’ve been fast-tracking the most requested features for Meet, and are now making them available to all. Anyone can use Meet’s simple scheduling and screen sharing, real-time captions, and layouts that adapt to your preference, including an expanded tiled view—all built on Google’s secure, reliable global infrastructure. Speaking from my own experience, the new features in Meet are already making our team (and my family) meetings better. We love how tiled view makes us feel more connected—and the occasional surprise visits from kids and family pets! 

And we’re continuing to look for ways to make Google Meet more accessible and useful. For example, we know video meetings can be challenging to follow for those with hearing loss, which is why we made sure AI-powered automatic live captioning was available to everyone. One of the most meaningful emails I’ve received was from a parent whose child was able to feel more included thanks to live captioning. Google AI has also made it possible to provide helpful features like low-light mode, which can automatically adjust your video to make you more visible to others.

Meet is available for free for everyone at meet.google.com and on iOS or Android. If you have an existing Google Account (for example, if you’re a @gmail.com user), you can sign in at meet.google.com to get started. If you don’t have a free Google Account, it only takes a minute to create one using your work or personal email address of choice (we require this step as a security measure, and you’ll only need to do this once). Or look for Meet right in Gmail.  

We hope Meet will help you connect to all your important meetings—from work meetings, to graduation meetings, to wedding meetings, and everything in between.

Net Universe offers all Google devices with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/google.

The state of ransomware 2020 – Sophos News

Stories of organizations crippled by ransomware regularly dominate the IT news headlines, and accounts of six- and seven-figure ransom demands are commonplace. But, do the news stories tell the full story?

To understand the reality behind the headlines, Sophos commissioned an independent survey of 5,000 IT managers across 26 countries. The findings provide brand new insight into what actually happens once ransomware hits. Be prepared to be surprised.

The 2020 ransomware reality

The survey provides fresh new insight into the experiences of organizations hit by ransomware, including:

  • Almost three quarters of ransomware attacks result in the data being encrypted.
    51% of organizations were hit by ransomware in the last year. The criminals succeeded in encrypting the data in 73% of these attacks.
  • 26% of victims whose data was encrypted got their data back by paying the ransom.
    A further 1% paid the ransom but didn’t get their data back. Overall, 95% of organizations that paid the ransom had their data restored.
  • 94% of organizations whose data was encrypted got it back.
    More than twice as many got it back via backups (56%) than by paying the ransom (26%).
  • Paying the ransom doubles the cost of dealing with a ransomware attack.
    The average cost to rectify the impacts of the most recent ransomware attack (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid etc.) is US$732,520 for organizations that don’t pay the ransom, rising to US$1,448,458 for organizations that do pay.
  • Despite the headlines, the public sector is less affected by ransomware than the private.
    45% of public sector organizations were hit by ransomware last year, compared to a global average of 51%, and a high of 60% in the media, leisure, and entertainment industries.
  • One in five organizations has a major hole in their cybersecurity insurance.
    84% of respondents have cybersecurity insurance, but only 64% have insurance that covers ransomware.
  • Cybersecurity insurance pays the ransom.
    For those organizations that have insurance against ransomware, 94% of the time when the ransom is paid to get the data back, it’s the insurance company that pays.
  • Most successful ransomware attacks include data in the public cloud.
    59% of attacks where the data was encrypted involved data in the public cloud. While it’s likely that respondents took a broad interpretation of public cloud, including cloud-based services such as Google Drive and Dropbox and cloud backup such as Veeam, it’s clear that cybercriminals are targeting data wherever it is stored.

For the details behind these headlines, read The State of Ransomware 2020 report.

Sophos Intercept X: Protection against ransomware

Ransomware actors combine sophisticated attack techniques with hands-on hacking. Sophos Intercept X endpoint protection gives you the advanced protection technologies you need to disrupt the whole attack chain, including:

  • Encryption rollback. CryptoGuard technology blocks the unauthorized encryption of files and rolls them back to their safe state in seconds.
  • Exploit protection. Deny attackers by blocking the exploits and techniques used to distribute malware, steal credentials, and escape detection.
  • AI-powered threat protection. Artificial intelligence detects both known and unknown malware without relying on signatures.

Start an instant online demo to see how Intercept X works in a full environment. You’ll be up and running in less than a minute.

Net Universe offers all Sophos devices and subscriptions, as well as consultant services, with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

extorting victims for 1 year and counting – Sophos News

It’s been a year since the Maze ransomware gang began its rise to notoriety. Previously identified as “ChaCha ransomware” (a name taken from the stream cipher the malware uses to encrypt files), the Maze “brand” was first affixed to the ransomware in May of 2019.

Initial samples of Maze were tied to fake websites loaded with exploit kits. Since then, Maze has been delivered by multiple means: exploit kits, spam emails, and—as the group’s operations have become more targeted—Remote Desktop Protocol attacks and other network exploitation.

But aside from the gang’s adjustments in initial compromise approaches, the Maze group has risen in prominence largely because of its extortion tactics: following through on threats of public exposure by publishing “dumps” of victims’ stolen data, and offering victim data on cybercrime forums if no payment is made.

While Maze did not invent the data-theft/extortion racket, it was among the first ransomware operations to use data theft as a way of twisting the arms of victims to pay up. The Maze gang has made public exposure central to their “brand” identity, and actively seeks attention from press and researchers to promote their brand—and make it easy for victims who might hesitate to pay them to find out their reputation.

Stepping into the spotlight

Maze rose to greater attention in October of 2019, when the ransomware’s operators launched a massive spam campaign that masqueraded as messages from government agencies. One campaign sent messages claiming to be from Germany’s Bundeszentralamt für Steuern (Ministry of Finance), while another posed as a tax message from Italy’s Agenzia Entrate (Internal Revenue Service).

The Italian version of the attack claimed to be instructions to avoid being designated as tax cheats, with further details in the attached file VERDI.doc—described as an “interactive tool”, a ploy to trick the user into enabling Visual Basic for Applications (VBA) macros. When macros were enabled, the scripts within the document downloaded the Maze ransomware to the %TEMP% folder, and then executed it.

The fake email sent by Maze’s operators to Italian targets.
The attachment, VERDI.doc

Since then, Maze ransomware has gained notice largely from stealing and publishing victims’ data as a means to coerce payment. While threatening to expose victims’ data has long been part of ransomware operators’ playbook, Maze was among the first to follow through on such a threat in a public fashion—starting with the November 2019 exposure of data from Allied Universal.

Maze is not alone in adopting this tactic. REvil/Sodinokibi began releasing data at about the same time as Maze; the DoppelPaymer and Clop ransomware rings have followed suit, and LockBit has added threats of data exposure to its ransom note. But the Maze “team” was the first to go as far as to engage news media to draw attention to its victims, even including a “press release” on their website.

Fame and fortune

Maze’s operators seek attention in many ways, in an effort to spread their reputation—and increase the likelihood that their “clients” (as they call their victims) pay quickly. Name recognition is important to them, even as they remain anonymous. One way they seek attention is by provoking security researchers.

The developers of Maze often drop the names of researchers into strings contained within ransomware binaries or the “packers” that deliver them. For instance, Maze’s authors frequently put researchers’ names in the filenames or file paths for the program database (.pdb) file generated during development.

References to the Twitter account of researcher Michael Gillespie, the antivirus company Emsisoft, and researcher Marcus Hutchins in the PDB path of one Maze binary sample, along with other meaningless strings.

The Maze authors have put names into the .pdb filename and path so frequently that it seems they may be running out of ideas about what to call them:

PDB path

Sometimes, the Maze authors leave provocative messages to researchers within strings in the code itself. Often these strings have no function, though occasionally they’re used as “kill switches” that shut down the malware’s execution.


The Maze team’s provocation of researchers extends into its presence in web forums. On one board, the Maze team uses the account name “Kremez”, after prominent ransomware researcher Vitali Kremez, to post links to dumps of data from companies that failed to pay.

A web board post by the Maze team, using the account name “Kremez.”

But the main platform used to promote the Maze brand is the Maze team’s websites—one specifically for its victims, and another to communicate with the world at large (and encourage victims publicly to pay up).

“Keeping the world safe”

The web panel for victims features the ring’s ironic slogan, “Maze team: Keeping the World safe.”

Victims arriving at the site after following the URL in the ransom note are asked to provide the file DECRYPT-FILES.txt dropped by the ransomware, which contains the identification number assigned to the victim.

Once they’ve identified themselves, victims can upload three files for decryption as proof that the Maze crew can truly restore their data. (Only image files are supported, so no real critical data can be recovered for free.)

The site also provides a chat window, so the victim can communicate with the Maze team’s customer support representatives, who are standing by to answer any questions and negotiate a payment.

Aside from the private web panel provided to victims, the Maze group also maintains a “news” site (hosted both on Tor and on the public Internet) that hosts samples of stolen data for companies that have recently been hit by the ransomware, as well as “full dumps” of data from some companies that failed to negotiate a payment.

The site’s main page is currently a “press release” dated April 17, 2020. It is really a message to victims, explaining all the bad things that will happen if they ignore Maze’s ransom demand and do not contact them about payment.

They assure “clients” that they honor their side of any agreement and delete stolen data, as their reputation is important to them to conduct business. And they claim to be ready to cut a deal for those hurt by the COVID-19 induced global economic downturn.

In the past, the Maze group has withdrawn data posted to its site due to extenuating circumstances, such as when the group backed off blackmail demands against the City of Pensacola following the shooting of two members of the US Navy at the naval air station there. And in March, the Maze team announced that it would stop attacks on medical organizations until the COVID-19 pandemic “stabilizes.”

In the most recent “press release” (dated April 17, 2020), the operators of Maze wrote:

We are living in the same reality as you are. That’s why we prefer to work under the arrangements and we are ready for compromise. But only with those partners who can understand what is reputation and what are the real consequences of private data loss.

Evasion and anti-analysis in the Maze main binary

Maze ransomware is mostly written in C++. However, it makes heavy use of pure assembly with control flow obfuscation. This obfuscation includes:

  • Unconditional jumps built from combinations of conditional jump instructions, such as a jz (jump if zero) placed directly after a jnz (jump if not zero) to the same location;
  • Jumps into the middle of instructions;
  • Instructions that use pointers to strings within the .text section of the binary as a return address;
  • Hashed API names: the names of the required APIs are hashed and compared with the hashes of the DLLs’ exported function names, and the matching functions are then resolved dynamically with the usual LoadLibrary and GetProcAddress functions.

The Maze team is very proud of their main binary’s code obfuscation—in a message in the text of the malware’s binary, they challenged researchers to write an IDAPython script to deobfuscate it. On May 1, CrowdStrike’s Shaun Hurley published a report showing just such a deobfuscation in detail.

Several of the Maze samples we’ve analyzed contain “kill” switches, which when triggered result in the malware not encrypting files. Many of these are there just to grab the attention of researchers, either to send some message or (as mentioned earlier) to name researchers that they know have been examining their code.

Researcher Vitali Kremez’s name is used here as a killswitch filename (C:\2433\kremez), along with a threatening message to another researcher in the binary text.
Another killswitch setting taunts a company that did not pay Maze’s ransom.

There are also some samples that can be run with more meaningful, functional switches, such as:

  • --nomutex, which allows multiple instances to run;
  • --logging, which turns on detailed console output, logging each file encrypted, the time required to do so, and some error messages;
  • --noshares, which turns off encryption of network shares;
  • --path, which specifies a folder to be encrypted.

Output from the Maze binary with the --logging switch passed at startup.

Aside from the obfuscation, the Maze main binary’s authors applied a number of anti-analysis techniques to the malware. It checks for a debugging environment in multiple ways. In addition to using the IsDebuggerPresent API and the PEB.BeingDebugged flag check, the Maze main binary contains hardcoded hashes of the names of known analysis processes, including procmon.exe, procmon64.exe, x32dbg.exe, x64dbg.exe, ollydbg.exe, procexp.exe, and procexp64.exe. The code enumerates the running processes, checks their names against the hashed list, and terminates itself if any are detected.

Setting up shop and phoning home

The Maze binary creates persistence by adding itself to Windows’ autorun registry. And it uses a mutex to ensure that another instance of Maze doesn’t execute (unless it’s a sample that has been executed with the --nomutex switch).

As with most ransomware, it deletes shadow copies with the Windows Management Instrumentation command line utility WMIC.exe. The binary also uses the WMI interface to query for antivirus information, executing the Windows Management Instrumentation Query Language (WQL) command “Select * from AntiVirusProduct” within the WMI namespace root\SecurityCenter2.
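Two behaviours described above, the functional command-line switches and the shadow copy deletion through WMIC.exe, can be turned into simple triage rules over process-creation telemetry. The following Python is an added example, not Sophos code; the pipe-separated log format and the sample records are constructed, and the severity weighting (treating --noshares and --nomutex as more distinctive than --logging and --path, and escalating a WMIC shadow copy deletion whose parent lives in a user-writable folder such as %TEMP%) is this example’s own assumption.

```python
"""Triage helper for process-creation telemetry against two behaviours
described in the Maze write-up: shadow-copy deletion through WMIC.exe and
the ransomware's functional command-line switches.

Added example, not Sophos code. The "image|parent|command line" record
format and the sample lines below are constructed, not real telemetry.
"""
import re
from dataclasses import dataclass
from typing import List, Set

# Switches the write-up lists for some Maze samples. --noshares and --nomutex
# are distinctive; --logging and --path are common flags in legitimate tools,
# so on their own they only yield a low-severity hit (example's assumption).
DISTINCTIVE_SWITCHES = {"--nomutex", "--noshares"}
WEAK_SWITCHES = {"--logging", "--path"}

# "wmic shadowcopy delete" in any casing, with anything in between.
SHADOW_DELETE = re.compile(r"\bshadowcopy\b.*\bdelete\b", re.IGNORECASE)

# The write-up notes the payload was dropped to %TEMP%; a WMIC parent living
# in a user-writable folder is more suspicious than an admin's cmd.exe.
USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData)\\", re.IGNORECASE)


@dataclass
class Event:
    image: str     # full path of the created process
    parent: str    # full path of the parent process
    cmdline: str   # command line of the created process


@dataclass
class Finding:
    rule: str
    severity: str  # "low", "medium" or "high"
    image: str


def parse_event(line: str) -> Event:
    """Parse one constructed 'image|parent|command line' record."""
    image, parent, cmdline = (field.strip() for field in line.split("|", 2))
    return Event(image, parent, cmdline)


def switches_in(cmdline: str) -> Set[str]:
    """Return the Maze-style switches present on a command line, normalising
    the en dash that copy-paste often substitutes for a double hyphen."""
    tokens = cmdline.replace("\u2013", "--").lower().split()
    return {t for t in tokens if t in DISTINCTIVE_SWITCHES | WEAK_SWITCHES}


def triage(event: Event) -> List[Finding]:
    """Apply both rules to a single event and return any findings."""
    findings: List[Finding] = []
    image_name = event.image.rsplit("\\", 1)[-1].lower()

    # Rule 1: shadow-copy deletion via WMIC. Escalate when the parent is a
    # binary in a user-writable directory rather than an interactive shell.
    if image_name == "wmic.exe" and SHADOW_DELETE.search(event.cmdline):
        severity = "high" if USER_WRITABLE.search(event.parent) else "medium"
        findings.append(Finding("wmic_shadowcopy_delete", severity, event.image))

    # Rule 2: Maze functional switches on the command line.
    found = switches_in(event.cmdline)
    if found & DISTINCTIVE_SWITCHES:
        findings.append(Finding("maze_switches", "medium", event.image))
    elif found:
        findings.append(Finding("maze_switches", "low", event.image))
    return findings


def triage_log(lines: List[str]) -> List[Finding]:
    """Run triage over a list of records, preserving record order."""
    findings: List[Finding] = []
    for line in lines:
        findings.extend(triage(parse_event(line)))
    return findings


# Constructed sample telemetry (not real data): one shadow-copy deletion
# spawned from %TEMP%, one Maze-style invocation, one benign WMIC query and
# one legitimate backup tool that happens to use --path and --logging.
SAMPLE_LOG = [
    r"C:\Windows\System32\wmic.exe|C:\Users\jdoe\AppData\Local\Temp\maze.exe|wmic shadowcopy delete",
    r"C:\Users\jdoe\AppData\Local\Temp\maze.exe|C:\Windows\explorer.exe|maze.exe --logging --noshares --path D:\Finance",
    r"C:\Windows\System32\wmic.exe|C:\Windows\System32\cmd.exe|wmic os get caption",
    r"C:\Program Files\Backup\backup.exe|C:\Windows\System32\services.exe|backup.exe --path E:\Archive --logging",
]

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(f"[{finding.severity:6}] {finding.rule}: {finding.image}")
```

The benign backup record only scores "low", which is the point of weighting the switches: --path and --logging alone are not evidence of Maze, while the WMIC deletion from a %TEMP% parent stands out on its own.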

The ransomware collects information about the computer and its user, including information about the system drives, operating system version, default language setting, username, and computer name. As with some other ransomware, Maze will terminate without encrypting files if certain languages are detected (such as those used in Commonwealth of Independent States nations).

Information about the local network to which its target is connected is also gathered by the malware, by creating a null session connection and enumerating network resources. It tries to find out the role of the current machine in the network, in order to reuse it in the extortion—Maze varies the amount of the ransom depending on whether the target is a home computer, or a workstation or server on a corporate network.

This information is exfiltrated back to the command and control server using a standard port 80 HTTP POST method, connecting using Windows’ socket library, WS2_32.dll. The URI path is built up from a hard-coded list of strings.

The malware sends information including the username, drive information, drive free space, language, antivirus product present, and OS version back to the server.

Dear User, I’ve encrypted your files

Maze uses RSA and ChaCha20 stream cipher encryption to lock victims’ files. The malware generates an RSA key pair, which is in turn encrypted using the main RSA public key embedded in the malware. As it traverses the file system to encrypt files, it skips the following directories:

  • \Program Files
  • \Windows
  • \Games\
  • \Tor Browser\
  • \ProgramData\
  • \cache2\entries\
  • \Low\Content.IE5\
  • \User Data\Default\Cache\
  • \All Users
  • \IETldCache\
  • \Local Settings\
  • \AppData\Local
  • AhnLab
  • {0AFACED1-E828-11D1-9187-B532F1E9575D}


Maze also doesn’t encrypt .lnk, .exe, .sys, and .dll files, and specifically avoids the following files:

  • DECRYPT-FILES.txt (the file dropped with the victim’s ID code)
  • inf
  • ini
  • ini
  • dat
  • db
  • bak
  • dat.log
  • db
  • bin

The ransom note, on the altered desktop.

At the end of the encryption, a desktop wallpaper .bmp is dropped—and a voice message is played:

“Alert! *User* Alert! Dear *User*, Your files have been encrypted…”

Both the wallpaper and the voice message are stored in text form within the binary. The background text is converted to a bmp with the use of the DrawTextW and GetDIBits APIs, and is dropped as 000.bmp and set as the wallpaper. The voice message is created using the Microsoft Speech API with the default voice and default audio. Just before playing the message, it uses the operating system’s Beep function to be sure to catch the attention of the victim.

In the latest version of the ransom note, the Maze crew leaves a “friendly” warning for the IT support staff of the victim organization:


IOCs

SHA256 filename
4acba1590552c9b2b82f5a786cedc8a12ca457e355c94f666efef99073827f89 love.dll
20ea5a9b5b2e47aa191132ac12c1d6dea6b58d7a0467ea53d48e96f8a79c6acd argfdg, arsgt35yy, maze.exe
3c2be967cbaaafecf8256167ba32d74435c621e566beb06a1ead9d33d7e62d64 Attack!.rar
7a84d10ac55622cdac25f52170459ae5b8181ee3fc345eb1b1dcbd958b344aa6 Ave Kim, Emperor.exe


Quickly and easily secure remote workers with YubiKeys through YubiEnterprise Delivery

In the current situation of social distancing, record percentages of employees working from home have added complexities to securing the workforce. In fact, many of our customers have expressed that the actual distribution of YubiKeys to remote, individual employees is a real challenge. To help fix this issue, we are excited to release our second YubiEnterprise Services offering today: YubiEnterprise Delivery. 

With YubiEnterprise Delivery, US and Canada-based organizations can ship YubiKeys directly to employees, partners, and contractors in more than 30 countries across the US, Canada, and Europe. Delivery requests can be entered online via the YubiEnterprise console individually, in bulk through a CSV file upload, or programmatically through an API. Leveraging the API option enables IT administrators to fully automate the distribution of keys as part of the user onboarding and allows for integration with in-house service catalogs like ServiceNow. 

While Yubico takes care of the shipping logistics and simplifies YubiKey distribution, enterprises can focus on what matters – securing the workforce. Whether your organization has experienced an uptick in remote workers, has scarce IT resources, or has hiring surges throughout the year, YubiEnterprise Delivery makes it easy to quickly distribute YubiKeys to employees no matter their location.

For Remote Workers

IT administrators can experience cost-effective, turnkey shipping and tracking capabilities, with YubiKey delivery directly to employees’ doorsteps.

For Limited IT Teams 

Typically, IT teams are stretched thin managing the many business-critical applications that keep an organization running. By simplifying delivery, distribution, and management of inventory, organizations can operate efficiently without hindering security or productivity. 

For Seasonal Hiring 

Managing security logistics and inventory has its challenges when hiring activities increase during specific times of the year. With the combination of YubiEnterprise Subscription and Delivery, Yubico customers have the flexibility to accommodate hiring surges and focus on the busy season ahead. 

With YubiEnterprise Subscription, organizations can seamlessly add users midterm to existing subscriptions. Benefits also include the ability to replace or upgrade 25% of your user subscription with new YubiKeys, which can be leveraged to accommodate employee churn, lost keys, or support an influx of seasonal workers. With these options, added users can quickly receive YubiKeys via YubiEnterprise Delivery. 



If you’re looking for an easy, flexible solution to improve your organization’s security landscape, let YubiEnterprise Services own the logistical difficulties. Work with your Yubico sales representative to set up your YubiEnterprise Delivery console with your YubiKey order today. 

For a limited time only, any qualifying Yubico customer that purchases a 3-year YubiEnterprise Subscription with prepayment before June 26, 2020 will be eligible for free YubiEnterprise Delivery shipments within the US and Canada until September 30, 2020.

For terms and conditions, as well as YubiEnterprise Delivery pricing details, please visit our YubiEnterprise Services page.

To learn more about the business advantages of YubiEnterprise Services, view the on-demand webinar, YubiEnterprise Services: Hardware Authenticators as a Service.

Net Universe offers all Yubikeys with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/yubikey.
You can visit our Shop Online


Five cybersecurity prescriptions for healthy healthcare in 2020 – Sophos News

In 2019 alone, cyberattacks cost the healthcare industry $4 billion, making it the worst ever year for data breaches.

If healthcare organizations are to gain ground on modern cyber threats, they must follow certain key security strategies to build much needed cyber resilience.

Here are five security prescriptions to keep the industry healthy:

1. Embrace the zero trust security model

A recent report shows that in the healthcare sector more breaches are caused by internal than external threats. This can be attributed to human error, lapsed security oversight, or intentional abuse of privileged access to sensitive data and systems.

By implementing a zero trust approach, healthcare organizations can introduce granular controls on network traffic. This takes away the opportunity for modern attackers and internal rogue users to leverage attacks and gain access to sensitive personal health information (PHI) while remaining under the radar.

2. Improve cyber wellness against ransomware threats

Ransomware is a devastating weapon in the hands of cybercriminals targeting healthcare, accounting for over 70% of malware outbreaks in the sector.

Such attacks have brought healthcare operations to a grinding halt, paralyzed connected medical devices and systems, and encrypted healthcare records to render them inaccessible by caregivers.

Sophos not only provides industry-leading anti-ransomware security but also tracks ransomware development with rigorous research from SophosLabs. Sophos Intercept X with EDR, and Sophos XG Firewall work together to disrupt and stop advanced ransomware attacks.

3. Get around the skills shortage

Lack of personnel with the appropriate cybersecurity knowledge and expertise is one of the major challenges for healthcare service providers. This is especially a headache for those who don’t have a full-time, in-house security expert.

For healthcare organizations lacking cybersecurity resources Sophos offers the Managed Threat Response (MTR) service. The service provides effective monitoring and continuous risk assessment, as well as a 24/7 dedicated team of experts.

Our solution goes beyond just alerts: it provides real incident response against threats, ensuring the risk is identified and contained, and that corrective action gets taken immediately.

4. Cover blind spots in your digital transformation efforts

Transacting information between patients, caregivers, insurance agencies, and other stakeholders should be seamless and secure. Software-defined networking (SD-WAN), with its flexible architecture, has emerged as a new favorite among healthcare organizations to meet these requirements.

It’s crucial to provide reliable and secure access to classified healthcare data at a time when many hospitals are adopting new technologies like network-connected medical devices, telehealth, and medical apps such as picture archiving and communication systems (PACS).

Sophos, with its latest XG Firewall and SD-RED devices, makes it possible to achieve SD-WAN connectivity in line with your security and continuity goals.

5. Promote cyber awareness

Another major concern for healthcare organisations is the lack of cybersecurity education and poor data privacy awareness among employees.

Having the right cybersecurity culture is important to help reduce healthcare’s high susceptibility to a wide range of sophisticated cyberattacks.

Healthcare organizations should consider running regular awareness campaigns to make their employees, partners, and vendors more aware of the latest cybersecurity scams and phishing tactics, and thus be better prepared to take the right action when they encounter malware or phishing.

With Sophos Phish Threat, IT security teams can simulate security and compliance phishing attacks with just a few clicks, and provide automated, on-the-spot training to healthcare employees as necessary.



Automate Network Management to Accelerate Digital Transformation

Over the last 12-18 months, I have talked to hundreds of customers across segments and industries. The two most common themes coming out of these conversations are, first that networks are getting more complex with time, and second, that automation is a strategic topic of interest regardless of the digital transformation project they have in place.

One of the most critical challenges of these increasingly complex and naturally fragmented infrastructures is how to implement an effective security strategy. Distributed and dynamically evolving networks can be a prime breeding ground for cyber risks, leading to frequent network outages. Contributing to this challenge is the fact that network operations teams rarely have clear and consistent insight into what controls and configurations have been set up across the infrastructure, and, more importantly, lack comprehensive visibility across the network to identify anomalies. This limited visibility and control is the result of having deployed too many independent point products across the various segments of the network.

The Need for Network Infrastructure Automation

The events of the past several weeks, driven by the need to adapt to the COVID-19 pandemic, have accelerated digital transformation for many organizations even faster and further. The need to support remote workers by inverting the traditional networking model, where the majority of workers have now been moved outside of the network, has accelerated the need for network operations teams to adopt agile network strategies supported by infrastructure automation.

In fact, a recent Gartner report on “Cool Vendors in Enterprise Networking” had some good data points around agile network infrastructures:

  1. Digital business requires agile networks, but 70% of enterprise networking activities are performed manually. This creates “human middleware” that limits networking scalability and agility, and increases the likelihood for errors. 
  2. The percentage of network activities that will be automated will rise from 30% in early 2020 to 50% by 2023. 
  3. The percentage of enterprises that do pre-verification of configurations will increase to 10% by 2023, which is an increase from fewer than 1% in early 2020. 

These data points help explain why 75% of network outages and performance issues are the result of misconfiguration errors.

In this regard, a network security strategy that prioritizes network automation can help reduce one of the leading causes of cyber risk and downtime—human error and misconfigurations. An integrated network security architecture enhanced with network automation capabilities can easily eliminate the complexity challenge for network operators. 

The Fortinet Fabric Management Center 

Fortinet’s Fabric Management Center combines FortiManager and FortiAnalyzer for effective network operations, making agile network management a reality for Fortinet customers across NGFW, SD-WAN, and IPS, as well as other projects for the organization. This combined solution enables three key use cases:

  • Centralized Management
  • Network Automation  
  • Security Fabric Analytics

1. Centralized Management  

When it comes to network security, disparate products typically cannot share threat intelligence or coordinate responses across an organizational infrastructure. This critical cybersecurity shortcoming is often compounded by a lack of skilled security personnel who are able to manage a wide assortment of disconnected point products. But even large organizations with dedicated IT security staff still have difficulty monitoring the network to keep track of which devices are connected, who has access to the network, and which resources are needed by applications and workflows. 

Elevating the Total Value of Network Automation Across the Enterprise

Fortinet’s Fabric Management Center enables enterprise-class automation capabilities while helping network leaders actualize industry-leading benefits, including:

Improved Efficiency. With its single-pane view, FortiManager helps enterprises simplify the oversight of their security infrastructure and automate responses to potential problems.

Reduced Risk. Fortinet’s tracking and reporting features help organizations ensure compliance with privacy laws, security standards, and industry regulations, all while reducing risks associated with fines and legal costs in the event of a breach. FortiAnalyzer tracks real-time threat activity, facilitates risk assessment, detects potential issues, and helps mitigate problems. 

Decreased TCO. As part of Fortinet’s Security Fabric architecture, the Fabric Management Center helps lower TCO by consolidating disparate security management functions. Its FortiAnalyzer component delivers the advantages of advanced analytics and automation capabilities without having to add-on expensive, third-party point solutions. 

Combined, Fortinet’s Fabric Management Center leverages orchestration and automation to increase visibility across complex, hybrid network environments, identify and alert on anomalous behavior, and ensure granular control to reduce network disruption and downtime, whether due to human error or malicious behavior. 

Learn more about how Fortinet’s Fabric Management Center enables enterprise-class automation capabilities while helping network leaders realize industry-leading benefits like improved efficiency, reduced risk, and decreased TCO. 

Engage in our Fortinet user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.

As Fortinet partners, Net Universe offers all Fortinet devices and subscriptions with worldwide Delivery Services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/fortinet.
You can visit our Shop Online

Accelerate Security Operations with SOAR Across the Security Fabric

In 2019 alone, over $124 billion was spent on cybersecurity. In spite of this, however, many security teams are still struggling to keep up. Their challenges include having too many consoles to monitor, alert overload, a reliance on manual processes, and a shortage of cybersecurity personnel.

Fortunately, there are a number of technologies designed specifically to address these issues. The question is, which SOC tools are right for your organization? The SOC Automation framework is designed to help security teams simply identify their current maturity level based upon their existing investment in people, processes, and products. From there, an organization can identify the tools appropriate for their organization, as well as define the steps required to advance to the next level.

Fortinet solutions, such as FortiAnalyzer (Security Fabric analytics and automation), FortiSIEM (security incident and event management), and FortiSOAR (security orchestration, automation and response), provide solutions for organizations along with every phase of the SOC Automation framework. Each solution leverages security automation to address the key challenges faced by security architects at their level of SOC Automation. And the Security Fabric links all of these solutions together, enabling lean security teams to maximize their ability to protect their enterprise.

Leveraging the Power of FortiSOAR

SOAR represents a new level of integrated incident response management designed for today’s larger, distributed, and highly dynamic and scalable networks. FortiSOAR is an ideal solution for enterprises and service providers seeking to simplify their operations while maximizing the efficiency of their security operations centers (SOCs). 

It does this by consolidating and triaging alerts from a wide range of security products, automating threat analysis and repetitive tasks to save valuable resources. This includes interoperating with a wide array of solutions and technologies, and then leveraging well-defined playbooks to automate a real-time response to security events without human intervention to streamline SOC operations. 

With over 300 connectors, FortiSOAR easily integrates with all major security vendors and technologies for a single, centralized point of visibility and control, and granular, role-based access control to secure user-related data. And its more than 200 out-of-the-box, easy-to-configure playbooks, including the most advanced case management modules in the industry enhanced with incident timelines and asset correlation views, enable the automation of incident response action sequences as well as routine tasks. 

FortiSOAR is able to address all three of the most important SOAR capabilities identified by Gartner:

Security incident response that spans the entire response process, from planning and management to the tracking and coordinating of responses to a security incident.

Threat and vulnerability management to enable the remediation of vulnerabilities through formalized workflow, reporting, and collaboration capabilities.

Security operations automation to enable the orchestration of workflows, processes, policy execution, and reporting.

Digital Innovation Requires Automated Security Solutions

Moving aggressively into today’s digital marketplace is essential for organizations looking to compete in the new digital economy. But new business models and digital resources expand the attack surface and can quickly overwhelm security teams struggling to see and manage the expanded network through the lenses of multiple security consoles. 

Digital innovation should not come at the expense of security. Simplifying security deployment requires a Security Fabric – supported by the use of SIEM technologies to aggregate security threat intelligence, and the deployment of a SOAR solution to provide deep analysis, broad visibility, and automated response to threats. And the addition of advanced AI analysis across the distributed Security Fabric further ensures visibility, detection, orchestration, and automated response to cyber events that occur anywhere across the expanding enterprise.

Find out how FortiSOAR enables SOC teams to accelerate incident response, unify operations,  and eliminate alert fatigue.

Discover how this managed care provider and this consumer financial pioneer leveraged FortiSOAR to streamline SOC operations.

Engage in the Fortinet Security Orchestration, Automation and Response (SOAR) user community (Fuse). Share ideas and feedback, learn more about our products and technology, or connect with peers.


XG Firewall Hotfix “HF051220.1” Released – Release Notes & News – XG Firewall

Hi XG Community!

We’ve released XG Firewall hotfix “HF051220.1”.

After recent hotfixes to address the SQL injection vulnerability and password reset for the XG Firewall/SFOS (refer to KBA135412), this hotfix HF051220.1 adds CLI options that let administrators change configuration based on the actions they have already taken:

1) You can now disable captcha for the webadmin and user portal when they are exposed on the VPN zone.

  • Captcha authentication serves as an extra security defense against scripted automated login attempts.
  • As an additional security measure, a Captcha has been added to the XG Firewall admin and user portals on the WAN and VPN zones. It is enabled for all devices running v17.x and v18.x, except for XG85/XG85w devices. Any Cyberoam device that has upgraded to the XG Firewall firmware will not implement Captcha.
  • This hotfix provides CLI configuration for the same: console> system captcha_authentication_VPN enable/disable/show
  • If the VPN has been configured as site-to-site IPsec with the remote network set to “ANY”, you will also need to add an IPsec route to turn off captcha for a specific VPN host/network.
      • Example:
        1. console> system ipsec_route add host <50.50.50.1> tunnelname <mytunnel>
        2. console> system ipsec_route add net <10.10.10.0/255.255.255.0> tunnelname <mytunnel>

2) You can now turn off the mandatory password reset pop-up.

  • As an additional security measure related to vulnerability CVE-2020-12271, the password reset is shown only on an XG Firewall that was identified as impacted. For more information see KBA135412.
  • If you have already changed passwords since 2200 UTC on April 25, 2020, for the administrator and any users with administrator privilege, you may want to turn off this mandatory password reset.
  • This hotfix provides CLI configuration for the same: console> system mandatory_password_reset disable/show
  • All supported versions: v17.0, v17.1, v17.5 and v18 GA
  • Firmware version on XG Firewall webadmin control center will show “HF051220.1” appended. Example – “SFOS 18.0.0 GA-Build379.HF051220.1”

If you have disabled “Allow automatic installation of hotfixes”, please reference the following KBA for instructions on how to apply the required hotfix: https://community.sophos.com/kb/en-us/135415

Note: Customers managing XG Firewalls with either Sophos Firewall Manager (SFM) or Central Firewall Manager (CFM) need to verify each firewall has an active connection with firewall management to receive critical updates. These steps are not required for Sophos Central managed devices.
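The release note says the hotfix shows up as a suffix on the firmware string in the webadmin control center (e.g. “SFOS 18.0.0 GA-Build379.HF051220.1”). When an organisation runs many XG Firewalls, the practical follow-up is to collect those strings and report which devices still lack the hotfix. The following is an added example, not Sophos code: it parses firmware strings using an assumed layout of “SFOS <version> <release>-Build<n>[.HF<tag>]” derived only from the one string quoted above, and compares against the hotfix and the supported trains listed in the note. The inventory strings are constructed, not real devices.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# Assumed layout, generalised from the single example in the release note:
# "SFOS 18.0.0 GA-Build379.HF051220.1"
#   product  dotted version  release label  build number  optional hotfix tag
VERSION_RE = re.compile(
    r"^SFOS\s+(?P<version>\d+\.\d+\.\d+)\s+"
    r"(?P<release>.+?)-Build(?P<build>\d+)"
    r"(?:\.(?P<hotfix>HF\d{6}\.\d+))?$"
)

REQUIRED_HOTFIX = "HF051220.1"
# Supported versions named in the note: v17.0, v17.1, v17.5 and v18 GA.
SUPPORTED_TRAINS = ("17.0", "17.1", "17.5", "18.0")


class FirmwareInfo(NamedTuple):
    version: str
    release: str
    build: int
    hotfix: Optional[str]


def parse_firmware(text: str) -> FirmwareInfo:
    """Split a control-center firmware string into its parts; raise on junk."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return FirmwareInfo(m["version"], m["release"], int(m["build"]), m["hotfix"])


def train_of(version: str) -> str:
    """'18.0.0' -> '18.0'; the note lists supported versions at this granularity."""
    major, minor, _patch = version.split(".")
    return f"{major}.{minor}"


def hotfix_status(text: str) -> str:
    """Classify one device: patched, missing-hotfix, other-hotfix,
    unsupported-train or unparseable. 'other-hotfix' is reported separately
    because the note does not say whether later hotfixes are cumulative."""
    try:
        fw = parse_firmware(text)
    except ValueError:
        return "unparseable"
    if train_of(fw.version) not in SUPPORTED_TRAINS:
        return "unsupported-train"
    if fw.hotfix == REQUIRED_HOTFIX:
        return "patched"
    if fw.hotfix is None:
        return "missing-hotfix"
    return "other-hotfix"


def fleet_report(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group device names by hotfix status so the gaps are visible at a glance."""
    report: Dict[str, List[str]] = {}
    for name, fw_string in inventory.items():
        report.setdefault(hotfix_status(fw_string), []).append(name)
    return report


# Constructed sample inventory (hypothetical device names and strings).
SAMPLE_INVENTORY = {
    "fw-hq-01": "SFOS 18.0.0 GA-Build379.HF051220.1",   # has the hotfix
    "fw-branch-02": "SFOS 18.0.0 GA-Build379",          # no hotfix suffix
    "fw-lab-03": "SFOS 17.5.3 MR-Build402",             # constructed 17.5 string
    "fw-legacy-04": "SFOS 16.5.1 GA-Build100",          # train not in the note
    "fw-odd-05": "SFOS 18.0.0 GA-Build379.HF060120.1",  # different hotfix tag
}

if __name__ == "__main__":
    for status, devices in sorted(fleet_report(SAMPLE_INVENTORY).items()):
        print(f"{status:17s} {', '.join(devices)}")
```

Feeding the real strings in (for example, exported from Sophos Central or collected from each control center) and acting on the `missing-hotfix` and `other-hotfix` groups is the verification step the note leaves to the administrator.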

Net Universe offers all Sophos devices and subscriptions, as well as consulting services, with worldwide delivery services.
Send us an email to [email protected] for more information or visit https://www.netuniversecorp.com/sophos.

Stop ColdLock ransomware with Intercept X – Sophos News

A new ransomware variant dubbed “ColdLock” has emerged in Taiwan where it’s having a devastating effect on impacted organizations.

Fortunately, Sophos Intercept X gives the cold shoulder to ColdLock, blocking the attack before it can hold you hostage.

Stop ColdLock with Intercept X

ColdLock is a file-less attack. It runs from a PowerShell script where the ransomware code is directly loaded into memory and then executed, all without writing an executable file to the disk.

Intercept X is packed with technologies that protect your organization from ColdLock and other ransomware variants:

  • Exploit protection stops the techniques used in file-less, malware-less, and exploit-based attacks.
  • CryptoGuard technology stops the unauthorized encryption of files by ransomware, rolling any impacted files back to their original state.
  • The deep learning engine uses cutting-edge machine learning to identify and block never-before-seen ransomware before it executes.
  • Credential theft protection stops privilege escalation, preventing attackers from moving around your system.

Plus, the built-in EDR tools give you detailed insight into what happened, so you can see where the threat got in, what it touched, and when it was blocked.

See Intercept X in action

Try out the demo!

Log in to our fully populated demo environment to try Intercept X for yourself. No obligation, no waiting, no set up. Just a ready-to-go demo.


Sophos Mobile makes the 2020 CRN Mobile 100 List – Sophos News

The CRN Mobile 100 is the definitive list of the top mobile devices, security and device management, software, and mobile app development platform vendors in the market today.

We are delighted to announce that Sophos Mobile has been featured in the 25 coolest mobile device management and security products of the 2020 Mobile 100 list.

Bob Skelley, CEO of The Channel Company said of the recognition:

The vendors featured on CRN’s 2020 Mobile 100 list support companies with the mobility services and protection they need to compete in today’s market. On behalf of our entire team, I want to congratulate these elite companies for their commitment to bringing innovative and secure products to their customers.

The mobile and remote workforce has never been as critical as it is in 2020 – though not for the reasons one would have expected coming into the year. The arrival of the COVID-19 pandemic has led to a massive increase in remote workers and has put mobility-focused products front-and-centre for countless businesses.

With more people working remotely, the use of mobile devices for work has increased quite significantly. This brings several considerations for IT teams trying to balance security and productivity.

The container-only management capabilities in Sophos Mobile let you control corporate content in the Sophos Secure Email and Sophos Secure Workspace apps without requiring management of the mobile device itself. This is ideal for Bring Your Own Device (BYOD) scenarios when you need to protect and control business email and data without intruding on users’ privacy.

In other words, it is the perfect working from home solution!

According to a recent survey of 3,100 IT Managers, 10% of all threats are discovered on mobile devices. Sophos Mobile includes Intercept X for Mobile, which protects devices against malware, network attacks and malicious web traffic. Intercept X for Mobile also includes easy-to-use security tools right at your fingertips, like the Authenticator, Password Safe, Secure QR Code Scanner, and Privacy Advisor.

Setup is as simple as downloading the app from your relevant app store and then enrolling your device via the ‘Corporate Management’ section. You can even use the app without corporate management for free to protect your personal mobile devices. Give it a go today!

See our Sophos Mobile Data Sheet and comprehensive Help Document for more information and general configuration steps for Sophos Mobile & Intercept X for Mobile.
