The National Cyber Security Alliance and ITSPmagazine Announce Partnership in Support of CyberSecure My Business™

Yahoo Finance | May 07, 2019

The National Cyber Security Alliance (NCSA) – a nonprofit, public-private partnership focused on helping businesses and consumers stay safer and more secure online – announced today a strategic partnership with ITSPmagazine. At the intersection of IT security and society, ITPSmagazine is a free, online publication that focuses on information technology, cybersecurity, data privacy, the InfoSec community and the influence that tech has on our daily lives – in business and at home. Both organizations will work closely to promote and amplify awareness of NCSA's national CyberSecure My Business program. CyberSecure My Business ‒ of which FedEx is a Founding Partner, Trend Micro is a Signature Sponsor and Infosec is a Contributing Sponsor – was created to help protect the small- and medium-sized (SMB) community's cybersecurity. It does so by offering free in-person, interactive training workshops, webinars and monthly newsletters summarizing recent hot topics.

Spotlight

In this ESG Lab report, learn about the Cohesity Data Platform: Data Efficiency with Converged Secondary Storage.


Other News
SOFTWARE SECURITY

Red Canary and Palo Alto Networks expand collaboration to provide detection and response across security landscape

Red Canary | July 08, 2022

Red Canary, the Managed Detection and Response (MDR) trailblazer, has expanded its collaboration with industry leader Palo Alto Networks to help deliver on a bold vision: unifying threat investigation across a wide range of Palo Alto Networks products. To help achieve this goal Red Canary is now a part of the Palo Alto Networks Cortex® MSSP partner program. Today, Red Canary MDR supports Palo Alto Networks firewalls by integrating with PAN-OS version 9 and higher. This integration allows security alerts and event data generated by firewall appliances to feed into the Red Canary MDR platform for further investigation and remediation. Red Canary is working with Palo Alto Networks as an MDR partner for the Cortex XDR product, which includes built-in endpoint protection. While many MDR offerings simply ingest alerts generated by endpoint security tools, Red Canary is working toward being able to ingest raw telemetry as well as alerts from the Cortex XDR endpoint agent. Red Canary anticipates this will allow it to reduce false positives by up to 99% and significantly increase the detection of confirmed threats compared to what endpoint security tools can identify on their own. "The detailed endpoint telemetry generated by Cortex XDR enables leading scores in actual hands-on tests, such as MITRE's recent ATT&CK® evaluation," said Rick Caccia, SVP of Marketing for Palo Alto Networks. "Red Canary's ability to manage and analyze large volumes of endpoint, network, and other types of telemetry will make them an ideal partner for solving customers' most pressing security challenges. Together, we can help protect organizations from ransomware, phishing, and other modern threats." To complete our vision of unifying threat investigation across the Palo Alto Networks product line, Red Canary is also developing integrations for Prisma® Cloud, Threat Prevention, and the WildFire Analysis Environment. Red Canary's MDR everywhere strategy allows events from Palo Alto Networks products to be combined with multi-vendor events in a unified timeline. To learn more, visit https://redcanary.com/cyber-threat-investigation/. "Red Canary is meeting customer demand for security across the modern IT environment by integrating alert data from network, identity, and SaaS applications – all in a unified timeline. Our collaboration with Palo Alto Networks layers best-in-class managed detection and response across an industry-leading portfolio of cybersecurity solutions. The result is more choice and better security for our customers." Chris Rothe, CTO, Red Canary About Red Canary Red Canary stops cyber threats no one else does so organizations can fearlessly pursue their missions. The company's managed detection and response (MDR) solution works across enterprise endpoints, cloud workloads, network, identities, and SaaS apps. Red Canary operates as a security ally for customers and partners by providing unlimited 24×7 support, deep threat expertise and hands-on remediation to prevent threats from turning into business-defining incidents.

Read More

SOFTWARE SECURITY

JFrog Integrates with ServiceNow to Improve Software Security Vulnerability Response Times with “ServiceOps”

JFrog | May 27, 2022

JFrog Ltd. , the Liquid Software company and creators of the JFrog DevOps Platform, today unveiled new integrations for JFrog Xray with ServiceNow’s Lightstep Incident Response and Spoke products for IT Service Management. Available immediately, the JFrog Xray integrations with ServiceNow (NYSE: NOW) provide IT leaders with real-time insights on security vulnerabilities and compliance issues to quickly engage necessary team members from across the organization for more immediate response and remediation. “Successfully securing the software supply chain at the speed of business is a team sport, requiring efficient, cross-team collaboration for timely security incident remediation. Our integration with ServiceNow aims to change the relationship between developers and the rest of the business, so they can maintain the speed and frequency of releases, while avoiding downtime and loss of trust from end customers." Shlomi Ben Haim, Co-Founder and CEO, JFrog The new integration enables IT teams to proactively address security issues before they become major concerns. The combination of JFrog Xray and ServiceNow delivers a robust software composition analysis (SCA) tool that can quickly scan binaries for vulnerabilities and license compliance issues, then share those insights with the appropriate parties across the organization. The JFrog Xray-ServiceNow solution is unique in that it helps DevOps engineers, site reliability engineers (SREs), IT system administrators, and others, more securely build, deploy, run, and monitor applications effortlessly, in a single view. It also enables real-time security alerts and insights with assigned actions across all the tools, people, and processes needed for timely resolution. JFrog Xray & ServiceNow: Delivering Incident Response & Enterprise-wide Workflow Design for Security Incidents Identifying and effectively responding to malicious attacks must transcend business units and operational functions. By improving real-time insight, collaboration, and communication amongst and between enterprise security and IT teams, the JFrog Xray-ServiceNow integrations ensure swift responses to emerging security threats. The JFrog Xray integration with Lightstep Incident Response enables developers, SREs, and Security Administrators to: Monitor, collect and respond to license compliance and security vulnerabilities impacting the software supply chain across all stages of the software development and release lifecycle. Streamline vulnerability response by pulling-in the right team members across the organization for faster remediation. The JFrog Xray Spoke for ServiceNow allows IT operations staff to: Generate violation reports, create ‘ignore rules’, re-scan builds, add custom item properties, and more. Automate workflows that meet audit demands and avoid penalties for improper use of code segments obtained from the open-source community. Identify problems earlier in the application development pipeline and incorporate change management solutions. For more information on the new JFrog Xray integrations for ServiceNow Lightstep Incident Response, read this blog or solution sheet. Further details on the JFrog Xray integration with Spoke can be found in this blog. You can also connect with JFrog and ServiceNow solution experts during swampUP 2022 taking place in San Diego, May 25 - 26, 2022. For more information and to register, visit https://swampup.jfrog.com/. About JFrog JFrog Ltd. , is on a mission to power all the world’s software updates, driven by a “Liquid Software” vision to allow the seamless, secure flow of binaries from developers to the edge. The JFrog Platform enables software creators to power their entire software supply chain throughout the full binary lifecycle, so they can build, secure, distribute, and connect any source with any production environment. JFrog’s hybrid, universal, multi-cloud DevOps platform is available as both self-managed and SaaS services across major cloud service providers. Millions of users and thousands of customers worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely manage their mission-critical software supply chain. Once you leap forward, you won’t go back.

Read More

SOFTWARE SECURITY

Whistic Announces Support of Google’s Minimum Viable Secure Product Framework

Whistic | May 23, 2022

Today, Whistic, the proactive vendor security network for both buyers and sellers, announced support for the Minimum Viable Secure Product (MVSP) framework, a security baseline developed by Google in a collaborative effort with Okta, Slack, and Salesforce. Until the introduction of MVSP, there was no commonly accepted baseline available among security professionals that indicated the importance of security controls. With MVSP, vendors can demonstrate to their customers that they are meeting, at a minimum, the baseline of security as outlined by some of the industry’s top security professionals. “We believe a vendor-neutral security baseline is an important step in establishing minimum acceptable security requirements for enterprise software and services. “By assuring enterprise solutions include the core security building blocks, we can work to reduce third-party risk, and promote security as a key part of the product development lifecycle.” Chris John Riley, Senior Security Engineer at Google Vendors that utilize Whistic to share security documentation via the MVSP help streamline and accelerate the security review process for their customers, helping them to rapidly understand the vendor’s security posture. “Enabling companies to showcase their security posture using the MVSP and other industry frameworks is a key step toward ensuring transparent relationships between vendors and their customers,” stated Nick Sorensen, Whistic CEO. “In addition to announcing support of MVSP, we recently launched Whistic Basic Profile that enables any business regardless of size to proactively share their security posture with customers and publish it to the Whistic Vendor Security Network for free.” Basic Profile allows vendors to self-assess against industry standard frameworks, including MVSP. It also includes a limited number of Profile shares, and the ability to publish to the Whistic Trust Catalog, enabling Whistic customers to conduct Zero-Touch Assessments of the vendor’s security posture. “Okta has already added MVSP to our Whistic Profile and we look forward to seeing more and more of our vendors adopt this baseline in their Profiles,” said Gen Buckley, Director, Customer Assurance Customer Trust at Okta Security and founding committee member of MVSP. “We are always looking for ways to streamline our vendor security reviews and drive a more secure ecosystem, and MVSP helps accomplish that while also promoting transparency and collaboration between vendors and customers.” Marat Vyshegorodtsev, Enterprise Security JAPAC representative at Salesforce adds, “Organizations of all sizes often purchase dozens of software products managed by third parties. The onboarding process alone can take weeks or months, especially when it comes to vetting the security posture for each. MVSP helps solve this—it standardizes this process and eliminates overhead, complexity, and confusion for both parties while ensuring the minimum-security requirements.” About Whistic Located in the heart of the Silicon Slopes in Utah, Whistic is the network for assessing, publishing, and sharing vendor security information. The Whistic Vendor Security Network accelerates the vendor assessment process by enabling businesses to access and evaluate a vendor’s Whistic Profile and create trusted connections that last well beyond the initial assessment. Make security your competitive advantage and join businesses like Airbnb, Okta, Betterment, and Atlassian who are leveraging Whistic to modernize their vendor security programs.

Read More

PLATFORM SECURITY

Cloud Security Alliance Offers Governance Best Practices for Protecting Data Throughout Software-as-a-Service (SaaS) Lifecycle

Cloud Security Alliance | June 10, 2022

The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining standards, certifications, and best practices to help ensure a secure cloud computing environment, today released Software-as-a-Service (SaaS) Governance Best Practices for Cloud Customers. Drafted by the SaaS Governance Working Group, the paper provides a baseline set of SaaS governance best practices for protecting data within SaaS environments, enumerates and considers risks according to the SaaS adoption and usage lifecycles, and finally, provides potential mitigation measures from the SaaS customer’s perspective. The SaaS environment ultimately presents a shift in the way organizations handle cybersecurity that introduces a shared responsibility between producers and consumers. While the domain of cloud adoption and security continues to evolve, not much guidance is available regarding SaaS governance and security. This, despite the reality that increasingly, different departments within an organization (Shadow IT) are occasionally utilizing SaaS offerings to power their critical business processes and functions and often storing sensitive data in SaaS environments. “SaaS requires a different security governance mindset. Because SaaS apps allow businesses to quickly and easily optimize business operations, adoption has come at the price of security. Few recognize how complex the configuration and permission settings of SaaS apps can be, which results in numerous misconfigurations, giving attackers the potential to access sensitive data,” said Amir Ofek, CEO of AxoniusX, the new innovation unit of Axonius, which sponsored the paper. “By following a widely adopted security framework, such as NIST CSF, coupled with the best-practices and recommendations in this document, organizations will be able to better establish SaaS governance and security processes to mitigate risk associated with SaaS usage, eliminate misconfigurations, and gain full control over their entire SaaS environment.” “While SaaS offers tremendous opportunities for organizations to change the way they operate, consume innovative capabilities, and offload many of the operational burdens associated with both creating and maintaining applications, it isn’t without its concerns. As organizations continue to adopt SaaS-based applications and solutions, traditional organizational cybersecurity must be updated to reflect this new operating model. Failing to do so can increase the potential risk and ramifications of security incidents associated with the consumption of SaaS.” Chris Hughes, co-founder and CISO at Aquia and project lead/lead author of the paper The guide defines three necessary components that, when combined into a cohesive strategy, can provide integrated security for SaaS systems and solutions: Process security. Protects the integrity of procedural activities to ensure the input and output of processes aren’t easily compromised. These are the managerial aspects, including policies and procedures, to ensure that an organization’s processes are consistent. Platform security. Deals with the security strength of the platform and the underlying dependencies of a SaaS service. These include the SaaS infrastructure, operating systems, and its potential suppliers. Application security. Deals with the security of the SaaS application itself. A SaaS application can only stay secure if it does not contain exploitable vulnerabilities and has implemented hardened configurations aligned with organizational and vendor security best practices, as well as compliance requirements. The Software-as-a-Service (SaaS) Governance Working Group aims to benefit all parties in the SaaS ecosystem by supporting a common understanding of SaaS related risks from the perspectives of the cloud customer and cloud service provider. Individuals interested in becoming involved in future research and initiatives are invited to join the working group. SaaS Governance Best Practices for Cloud Customers was sponsored by Axonius, a leader in cybersecurity asset management and SaaS management. CSA research prides itself on vendor neutrality, agility, and integrity of results. Sponsors are CSA Corporate Members who support the findings of the research project but have no added influence on the content development or editing rights to CSA research. About Axonius Axonius gives customers the confidence to control complexity by mitigating threats, navigating risk, automating response actions, and informing business-level strategy. With solutions for both cyber asset attack surface management (CAASM) and SaaS management, Axonius is deployed in minutes and integrates with hundreds of data sources to provide a comprehensive asset inventory, uncover gaps, and automatically validate and enforce policies. Cited as one of the fastest-growing cybersecurity startups, with accolades from CNBC, Forbes, and Fortune, Axonius covers millions of assets, including devices and cloud assets, user accounts, and SaaS applications, for customers around the world. About Cloud Security Alliance The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, training, certification, events, and products. CSA's activities, knowledge, and extensive network benefit the entire community impacted by cloud — from providers and customers to governments, entrepreneurs, and the assurance industry — and provide a forum through which different parties can work together to create and maintain a trusted cloud ecosystem.

Read More