Blog posts by John Tolbert

Almost all enterprises have many security tools in place already, some of which are still focused on perimeters/DMZs and on hosts, such as servers and endpoints. Endpoint Detection & Response (EDR) tools are becoming more commonplace in enterprises and SMBs. EDR tools depend on agents installed on endpoints to collect and transmit telemetry to the EDR console. EDR agents can be instructed by administrators and programmatically to respond to suspicious and malicious events, taking actions like gathering forensic evidence, terminating processes, removing malware, etc. EDR tools emerged...

Last week Colonial Pipeline, one of the largest pipelines in the US, was hit by a ransomware attack from the Dark Side cybercrime group. While many pertinent specifics about the attack are not known, FireEye and US Cybersecurity and Infrastructure Security Agency (CISA) have shed some light on how Dark Side’s malware works. These two posts point out some common Tactics, Techniques, and Procedures (TTPs) that all organizations should be on the lookout for as indicators of attack: Password spraying against Virtual Private Network (VPN) devices. Legitimate user credentials...

Security Orchestration, Automation, and Response (SOAR) platforms are attracting a lot of attention from many organizations, from enterprises to government agencies and even those on the upper end of Small-to-Mid-Sized Businesses (SMBs). The reason for this is clear: the cybersecurity landscape continues to evolve and get more complex in order to combat the corresponding rise in frequency and complexity of attacks. SOAR platforms can be the capstone application for Security Operations Centers (SOCs). Most organizations have a plethora of security tools already, such as Endpoint...

STG announced that they intend to acquire McAfee’s enterprise business for around $4B. The McAfee brand will continue to operate and focus on consumer cybersecurity. STG will pick up MVISION, Global Threat Intelligence, database security, unified endpoint security, CASB, CSPM, CWPP, DLP, SIEM, SWG, XDR, and policy management products and services. STG picked up RSA from Dell in September 2020. When the deal closed, STG stated that RSA would remain independent and would pursue growth in their most successful product lines: Archer, SecurID, NetWitness, and the Fraud & Risk...

Okta will purchase Auth0 for $6.5B. Okta is a leading IDaaS vendor , originally focused on workforce but now addressing B2E, B2B, and B2C use cases. Okta’s solutions are designed for organizations that want to quickly enable cloud-delivered identity and seamlessly interoperate with other SaaS applications. Auth0 had a different entry point into the realm of IAM. Auth0 was aimed at developers, both in functionality and their marketing approach. Auth0’s founders knew that this was an underserved market. Consider a case where a company needs to expose one or two major...

The ongoing SolarWinds incident illustrates that the much-lauded Zero Trust security paradigm is, in fact, based on trust. Zero Trust is about authenticating and authorizing every action within a computing environment. It is putting the principle of least privilege into action. In an ideal implementation of Zero Trust, users authenticate with the proper identity and authentication assurance levels to get access to local devices, on-premises applications and data, and cloud-hosted resources. Access requests are evaluated against access control policies at runtime. In order for Zero Trust...

Many if not most organizations have moved to a risk management model for cybersecurity and identity management. Priorities have shifted in two major ways over the last decade: decreasing attack surface sizes focusing on detection and response technologies instead of prevention only Reducing attack surfaces inarguably improves security posture. Achieving the objective of reducing attack surfaces involves many activities: secure coding practices, vulnerability scanning and management, consolidation of functions into fewer products and services, access reconciliation, user...

Ivanti has completed its acquisition of MobileIron and Pulse Secure. Ivanti, headquartered in Salt Lake City, had its roots in desktop management (LANDESK), evolved into endpoint and patch management, and had added full IT asset, service, and workspace management, as well as IAM capabilities. Though headquartered in North America, Ivanti had already become a global IT solutions provider. Pulse Secure, a strong secure access vendor, was spun-out from Juniper Networks in 2014. MobileIron was dedicated to mobile device management, mobile security, and authentication since it was...

NIST, the US National Institute for Standards and Technology, recently released SP 800-207 Zero Trust Architecture . The NIST special publication examines the principles of and motivations for ZTA, as well as implementation considerations, security concerns, and suggestions for improvements to architecture. NIST SPs are authored primarily for consumption by other US government agencies. In practice, however, their documents often become de facto standards and guidelines used more broadly in industry. In this post I’ll review the strengths of the SP and identify areas for...

MITRE recently published the detailed results of their second round of tests. This test pitted APT29 malware and methods against 21 cybersecurity vendors . The MITRE testing is an excellent benchmark for comprehensively exercising Endpoint Protection (EPP) and Endpoint Detection & Response (EDR) tools in real-world scenarios where organizations find themselves under attack by Advanced Persistent Threats (APTs). MITRE describes the environments, methodology, and operation flow of their testing regime in great detail here . The raw results are available for review, and they have...