CrowdStrike Archives - My TechDecisions
https://mytechdecisions.com/tag/crowdstrike/
The end user’s first and last stop for making technology decisions
Feed generated Wed, 23 Oct 2024 19:51:54 +0000

CrowdStrike Cyber Armageddon: How Do Firms Now Build Resilience?
https://mytechdecisions.com/it-infrastructure/crowdstrike-cyber-armageddon-how-do-firms-now-build-resilience/
Fri, 13 Sep 2024 19:18:47 +0000

Towards the end of July, a botched software update at cyber security firm CrowdStrike caused chaos around the world, crippling IT systems that we all relied on. The disruption spanned across sectors; flights were grounded, patients were unable to contact healthcare services and customers were unable to make card payments.

The event illustrated two things:

  1. how deep the roots of digitization have become globally;
  2. the fragility of the global technology ecosystem, exacerbated by an overreliance on a select number of cloud providers.

This is a wake-up call for us all. Although this was not a cyber attack, imagine if a nation state were able to find and exploit such weaknesses through a coordinated and sustained attack.

It’s given us a glimpse into what cyber armageddon could look like; how should we respond?

The Interconnectivity Trade-Off

Dubbed “the largest IT outage in history,” the global technology outage was caused when an update to one of CrowdStrike’s pieces of software, Falcon Sensor, malfunctioned, paralyzing computers running Windows and resulting in widespread tech failures around the world.

Interconnection was not the cause, but the severity of the impact was only possible because of the increasingly interconnected systems and software that have become so entrenched in our digital infrastructure. The effects were also inflamed by the global reliance on a select number of cloud providers – with Windows devices the worst affected, many initially thought it was solely a Microsoft issue.

This dependency has brought with it many benefits – global connectivity, efficiency and innovation. But it’s a simple fact that it leaves us all more vulnerable. If a major cloud provider goes down or is impacted, the world grinds to a halt.

For many of us in the business of IT and security, questions are starting to be asked about the trade-off: can we find a way to remain connected, but become more resilient and lessen the impact of events like these?

The initial discussion has been around reassessing cloud strategies, such as avoiding the automatic updating of patches. Some may also be thinking about a multi-cloud approach, where more than one cloud provider is used to ensure continuity if one goes down – “Microsoft is down? That’s ok, we can just switch to Google.” However, despite being a relatively simple undertaking, it would be an expensive luxury that’s out of reach for most.

Build Something from the Ground Up

Rather than trying to patch up ever more complex and interdependent legacy architecture, company boards should use this opportunity to explore shifting their legacy digital architecture to something built from the ground up and future proof.

That is, firms should view this as an opportunity to run an entirely new, low-cost digital infrastructure in parallel, independent of their primary cloud provider and legacy applications. The idea is that in the case of a major systems outage, organizations would be able to switch over to this secondary infrastructure seamlessly and without manual intervention, allowing them to perform critical functions throughout the crisis. This infrastructure would hold backups of essential data, with advanced security protocols to protect it against cyber threats. As a minimum, it provides an out-of-band communications channel for the board and senior management to tell staff and clients what to do, and ensures they are not swamped by fraudulent scams of the kind seen after the CrowdStrike outage.

Imagine an airline affected by a major software outage. Having an independent backup system would allow them to continue day-to-day operations such as booking passengers, handling ticket changes and scheduling flights. Instead of relying on extensive manual interventions to recover the primary system, backup protocols would prevent disruption while the main systems are brought back online.

Any solution developed in this way needs to be quick to implement and must be able to initiate a contingency command and control process, handle basic tasks and keep the company running in the event of a major attack or outage. Our mission-critical clients are beginning to build fail-over systems of this kind; in some instances, these shadow systems operate entirely through a mobile messaging platform.

Continuity and Resilience are Possible

As businesses revisit how they can return to business as usual as quickly as possible when disaster strikes, they should not be clouded by technical terms and confusing offerings. Instead, they should focus on three simple and fundamental principles when assessing their current and future risks: completeness, accuracy and validity.

Shifting legacy digital architecture towards something that is built from the ground up ticks all these boxes. Moreover, it addresses the interconnectivity, interdependency, relatedness and reputational risks that we all face in the digital world today. This may just be the difference between surviving the next global meltdown and being left in its wake.


Andersen Cheng is the founder and chairman of Post-Quantum.

CrowdStrike Launches Virtual Security Assistant Charlotte AI
https://mytechdecisions.com/network-security/crowdstrike-launches-virtual-security-assistant-charlotte-ai/
Wed, 31 May 2023 17:53:10 +0000

CrowdStrike is launching a private customer preview of its own generative AI solution which it calls Charlotte AI, essentially an AI assistant for the company’s CrowdStrike Falcon platform designed to help any user of the platform become a power user.

According to the Austin, Texas-based cybersecurity giant, Charlotte AI lets customers ask natural language questions and receive answers from the Falcon platform, enabling anyone from the IT helpdesk to CIOs and CISOs to ask questions that help secure their organizations.

CrowdStrike’s cybersecurity generative AI assistant

CrowdStrike says Charlotte AI initially addresses three main use cases: democratizing cybersecurity and giving every user the same capabilities, elevating IT and security productivity with AI-powered threat hunting, and automating repetitive tasks like data collection, extraction and detection.

Users can ask Charlotte AI questions such as “What is our risk level against the latest Microsoft vulnerability?” to directly gain actionable insights that inform decision-making and accelerate time to response.

Like other generative AI applications, Charlotte AI will also help level the playing field and give less experienced IT and security professionals the ability to make better decisions faster, essentially narrowing the cybersecurity skills gap and reducing response time.

According to CrowdStrike, Charlotte AI will leverage CrowdStrike’s data, including the trillions of security events captured in the CrowdStrike Threat Graph, asset telemetry from across users, devices, cloud workloads and the company’s threat intelligence research.

In addition, Charlotte AI will benefit from “a continuous, human feedback loop” from across CrowdStrike Falcon OverWatch managed threat hunting, CrowdStrike Falcon Complete managed detection and response, CrowdStrike Services, and CrowdStrike Intelligence.

In a statement, CrowdStrike President Mike Sentonas said CrowdStrike has pioneered the use of AI in cybersecurity to identify malicious behavior and combat advanced attacks. Charlotte AI is the next innovation that will help users of all skill levels improve their ability to stop cyberattacks and reduce complexity, he added.

“Our approach has always been rooted in the belief that the combination of AI and human intelligence together will transform cybersecurity,” Sentonas said. “We believe our continuous feedback loop on human-validated content is critical, and because of this, no other vendor will be able to match the security and business outcomes of CrowdStrike’s approach to generative AI.”

Charlotte AI in action

In a blog post, CrowdStrike lists several examples of questions users can ask, including:

  • “Do we have vulnerabilities involving Microsoft Outlook?”
  • “What are the biggest risks facing our business critical assets?”
  • “Are we protected against the Log4j vulnerability? Where are we at risk?”
  • “Which threat actors target us?”
  • “What are the critical vulnerabilities being exploited by these adversaries?”
  • “Can you sweep my endpoint estate for any IOCs you found?”
  • “What are the top recommended remediation actions for the impacted endpoints?”

Other questions can prompt Charlotte AI to find malicious activity, such as lateral movement involving Windows hosts, the company says.

CrowdStrike, AWS AI partnership

The private preview of Charlotte AI came a day before CrowdStrike and AWS announced that the companies are working on new generative AI applications to help companies accelerate their cloud, security and AI journeys.

CrowdStrike will be leveraging new generative AI applications built on Amazon Bedrock, a fully managed service that makes foundation models from leading AI startups and Amazon available via an API, to help customers adopt advanced Falcon platform search, reporting and automation, the companies say.

In fact, Amazon Bedrock was used to accelerate development of Charlotte AI, according to CrowdStrike.

In addition, the companies are also working on solutions to help keep customers safe across a range of AI and ML services as generative AI rapidly transforms the tech industry.

According to CrowdStrike, the company is extending the protection of CrowdStrike Falcon Cloud Security to AWS AI/ML services by providing native integrations designed to further prevent, identify and remediate security risks associated with the adoption of AI/ML.

CrowdStrike: VMware ESXi in the RaaS Crosshairs
https://mytechdecisions.com/network-security/crowdstrike-vmware-esxi-raas-crosshairs/
Mon, 15 May 2023 17:47:53 +0000

Cyberattacks are continuing to target VMware ESXi vSphere hypervisors, with cybersecurity firm CrowdStrike reporting today that ransomware-as-a-service (RaaS) platforms are increasingly being leveraged to deploy Linux versions of ransomware tools.

According to the cybersecurity giant, these tools are specifically designed to affect VMware’s ESXi vSphere hypervisor. The company’s research into this kind of attack dates back to February 2021, when CrowdStrike began what is now a three-part blog series looking into this trend, which it says is continuing so far in 2023.

The company says RaaS platforms such as Alphv, Lockbit and Defray are being leveraged in attacks against ESXi, which CrowdStrike says does not support third-party agents or antivirus software.

“This, combined with the popularity of ESXi as a widespread and popular virtualization and management system, makes the hypervisor a highly attractive target for modern adversaries,” write CrowdStrike researchers in a new blog.

These attacks on ESXi servers have even led to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issuing several warnings and releasing, in February, a recovery guide and script designed to help organizations recover from the ESXiArgs ransomware attacks.

CrowdStrike cites several vulnerabilities that have been exploited in the wild in the last few years, including:

  • CVE-2020-3992 – an ESXi OpenSLP remote code execution vulnerability resulting from a use-after-free issue.
  • CVE-2021-21974 – an ESXi OpenSLP heap-overflow vulnerability that could result in remote code execution.
  • CVE-2019-5544 – an ESXi OpenSLP heap overwrite vulnerability.
  • CVE-2021-44228 (Log4Shell) – a remote code execution vulnerability in Log4j that has been used to compromise VMware Horizon instances.
  • CVE-2016-7463, CVE-2017-4940 and CVE-2020-3955 – cross-site scripting vulnerabilities used for privilege escalation.
  • CVE-2021-22043 – a privilege escalation vulnerability.

New threats against VMware ESXi security

Due to VMware’s prominence in IT infrastructure, ESXi servers remain an attractive target, with an increasing number of threat actors leveraging these vulnerabilities in their attacks. Just recently, CrowdStrike identified a new RaaS program that provides affiliates with ransomware binaries targeting Windows and ESXi/Linux systems, researchers write.

In addition, CrowdStrike and other researchers have identified many other new hacking groups and attack methods targeting ESXi over the past few years. Targeting virtual infrastructure gives attackers many advantages, including multiplying the impact of a single compromise or subverting detection and prevention mechanisms, as the targeted components are often not sufficiently protected by security solutions.

“Because VMware products have been subject to critical vulnerabilities in the past, adversaries will likely continue to target any potential weaknesses, as successful compromises typically provide access to high-value resources,” CrowdStrike researchers write.

CrowdStrike says organizations should be aware of two main attack vectors when it comes to VMware ESXi servers: credential theft and virtual machine access.

Researchers call credential theft the “most straightforward attack vector against an ESXi hypervisor.” Following credential theft, an adversary can simply authenticate against the server to advance the attack based on their goal. With sufficient privileges to enable and access the SSH console, attackers can execute arbitrary code directly, even on the most recent ESXi versions.

If a VM can be accessed directly, CrowdStrike says poor segregation from the rest of the internal network can lead to the VM facilitating lateral movement, which gives attackers more flexibility to choose a vulnerable system. A properly segregated VM, however, will require an attacker to directly target the ESXi hypervisor to run code at the hypervisor level and perform a VM escape exploit. This is a complicated process, and most adversaries do not have the capabilities to do so, researchers say.

How to secure VMware ESXi

To protect VMware hypervisors, CrowdStrike urges organizations to:

  • Avoid direct access to ESXi hosts. It is recommended to use the vSphere Client to administer ESXi hosts managed by a vCenter Server. Direct access to managed hosts using the VMware Host Client or changing hosts from the Direct Console User Interface (DCUI) should be avoided.
  • Use a hardened jump server with multifactor authentication (MFA). If direct access to an ESXi host is necessary, it should be limited to a jump server with MFA enabled. The jump server should be dedicated to administrative or privileged purposes, have full auditing capabilities, and restrict SSH, Web UI, and API access to ESXi or vCenter only from the jump server. SSH access should be disabled, and any attempt to enable it should trigger alerts and be investigated urgently.
  • Avoid exposing vCenter to the internet over SSH or HTTP. Adversaries have been observed gaining access to vCenter by exploiting vulnerabilities or using valid accounts. To mitigate this risk, vCenter services should not be exposed to the internet.
  • Regularly back up ESXi datastore volumes. It is essential to back up virtual machine disk images and snapshots stored in ESXi datastores on a daily basis, or more frequently if possible. Backups should be stored offsite to enable system restoration during a ransomware event, while ensuring the backups themselves are not compromised.
  • Consider physical disconnection of storage or power to ESXi host during encryption. In situations where encryption is suspected or known to be in progress and access to kill malicious processes is not possible, physically disconnecting the storage from the ESXi host or cutting power to the host can be an option. This can prevent ransomware from continuing to encrypt virtual machine disk files (VMDKs). Shutting down guest VMs will not help as the encryption occurs on the hypervisor itself. However, it’s important to note that physical disconnection may cause potential issues or data loss if data has not been written to backend storage.

Read VMware’s ESXi security recommendations to learn more.

Two Cybersecurity Leaders Partner To Help You Investigate Sophisticated Hacks
https://mytechdecisions.com/network-security/mandiant-crowdstrike-partnership/
Fri, 08 Apr 2022 20:20:20 +0000

Mandiant and CrowdStrike, two of the largest cybersecurity providers, are teaming up to help joint customers investigate, remediate and defend against advanced cybersecurity threats, with Mandiant using the CrowdStrike Falcon platform and subscription offerings for its incident response services.

The partnership between the two cybersecurity giants will enable organizations of all sizes to leverage both the CrowdStrike Falcon endpoint technology and Mandiant’s incident response and consulting expertise.

The partnership comes shortly after Google announced that it would be acquiring Mandiant for $5.4 billion, and combines services and software that hit a customer base of more than 20,000 organizations.

Mandiant also supports the Falcon platform via its Mandiant Advantage modules Security Validation and Automated Defense, and the incident response provider’s Managed Defense offering will also include support for customers leveraging the Falcon platform later this year, according to the companies.

A Mandiant webpage dedicated to the partnership details the benefits, including the ability to reduce the impact of a breach, take rapid action, reduce business risk and make informed decisions based on knowledge of the attacker and their tradecraft.

The partnership is in response to an increasingly complex threat environment that calls for advanced threat protection technologies and top-level incident response talent, said George Kurtz, co-founder and CEO of CrowdStrike, in a statement.

“CrowdStrike has worked with Mandiant many times over the years and there is a mutual respect for the caliber of technical and team expertise we both bring to the fight,” Kurtz said. “We are proud to establish this alliance with them and to more effectively enable the people, processes and procedures necessary to secure the modern organization.”

Kevin Mandia, CEO of Mandiant, said the two companies have developed reputations in the cybersecurity community as go-to resources for both public and private sector organizations.

“This partnership between two mission-focused companies strengthens cyber defenses at a time when cyber attacks have become a notable business issue faced by organizations every day,” Mandia said.

CISA Selects CrowdStrike to Protect its Endpoints & Workloads
https://mytechdecisions.com/compliance/cisa-selects-crowdstrike-to-protect-its-endpoints-workloads/
Tue, 07 Dec 2021 13:41:16 +0000

CrowdStrike Inc., a provider of cloud-based endpoint and workload protection, announced the Cybersecurity and Infrastructure Security Agency (CISA) has selected it as one of the major platforms to support the Executive Order endpoint detection and response initiative.

CrowdStrike brings the cloud-native, AI-driven power of the CrowdStrike Falcon platform to secure critical endpoints and workloads for CISA and multiple other civilian agencies, and directly operationalizes Executive Order (EO) 14028, the landmark guidance that unifies a number of initiatives and policies to strengthen the U.S. national and Federal Government cybersecurity posture.

Through the combination of CrowdStrike’s technology, real-time threat intelligence on shifting adversary tradecraft and elite threat hunting, CISA will strengthen its Continuous Diagnostics and Mitigation program and advance its mission of securing civilian “.gov” networks and leading the national effort to understand and manage cyber and physical risk to critical infrastructure.


“CISA is on the front lines when it comes to defending our country’s most critical assets against the endless and evolving threats that nation-state and eCrime adversaries present,” said George Kurtz, co-founder and chief executive officer of CrowdStrike, in a statement. “Improving our nation’s defenses and cyber resiliency requires strong collaboration between the government and the private sector. This partnership will arm CISA and government agencies with CrowdStrike’s powerful technology and elite human expertise to stop sophisticated attacks and protect our nation’s critical infrastructure.”

CrowdStrike Falcon is FedRAMP authorized and enables agencies to detect and automatically prevent cyberattacks. Powered by the Security Cloud and delivered through a single cloud-native agent, CrowdStrike delivers protection at scale, reducing complexity and driving down operational costs, while empowering CISA security teams with hyper-accurate detections, automated protection and remediation, and elite threat hunting.

Leveraging funds appropriated from the White House’s American Rescue Plan, CISA and CrowdStrike will enhance the value of CDM Defend – the next iteration of the Department of Homeland Security’s Continuous Diagnostics and Mitigation program – to deliver operational security capabilities through a single integrated platform.

EO 14028 embraces some concepts which CrowdStrike introduced to the marketplace over the past decade – concepts that have become cybersecurity best practices for the private sector’s most technologically advanced businesses.

The Executive Order mandates that government entities embrace cybersecurity tools and concepts such as threat hunting, EDR and IT modernization, and that they prioritize the adoption of cloud technologies. The expanded partnership between CISA and CrowdStrike operationalizes these concepts as the two organizations look to rapidly strengthen public-private collaboration and cyber resiliency, according to a statement by CrowdStrike.

CrowdStrike is also one of the initial industry partners within CISA’s newly launched Joint Cyber Defense Collaborative, which will work to unify the cyber capabilities currently spread out across multiple federal agencies, many state and local governments, and countless private sector entities.

CrowdStrike will work with the CISA and other partners to develop proactive and rapid response plans to better inform cyber risk management, and enhance a more unified defense against adversaries through intelligence sharing.

CrowdStrike: Ransomware, Nation-State Attacks Dominate Security Threats
https://mytechdecisions.com/compliance/crowdstrike-ransomware-nation-state-attacks-dominate-security-threats/
Mon, 23 Nov 2020 19:21:18 +0000

According to a new survey from cybersecurity firm CrowdStrike, nation state attacks and ransomware remain top priorities of security professionals as the global pandemic and remote work continue to shape our professional lives.

The company’s third annual Global Security Attitude Survey, produced by an independent research firm, includes the results of a survey of 2,200 senior IT decision makers and security professionals, conducted in August and September across 12 countries and representing both private and public sector organizations.

Among the key findings, according to a CrowdStrike blog, is that 71% of security professionals have a growing fear of state-backed attacks and ransomware in the wake of COVID-19.

Further, a majority (56%) reported a ransomware attack within the last 12 months.

Nation-state attacks are much more common than people think, according to 87% of respondents. And a striking 73% said those kinds of attacks are the single biggest threat to their organization.

Cloud computing has become a requirement in the age of remote work, but that could be exacerbating the issue of increasing attacks, the survey found, as 84% of respondents said they’ve accelerated their digital transformation as a result of the pandemic, with 45% saying they have increased cloud rollouts to remote employees.


Despite the possibility of sanctions from the U.S. Department of the Treasury for paying ransoms to state-backed attackers, 27% of respondents said they’ve paid the ransom, which averages $1.1 million globally.

In the U.S., the average ransom paid is just under $1 million.

According to the survey, organizations are addressing these threats via investment in cybersecurity, digital transformation, and training.

Of organizations that reported a ransomware attack, 76% upgraded their security tools to reduce the risk of a future attack, and 65% upgraded their security staff.

Respondents also indicated that a security investment of at least $100,000 was necessary to securely deploy a remote workforce. And, 61% of respondents said they’ve spent $1 million on digital transformation over the last three years.

CrowdStrike recommends continuing to invest in digital transformation, protecting workloads where they are rather than maintaining security models built around network perimeters, integrating identity protection and quickly identifying, investigating and eliminating threats.

CrowdStrike, CounterFlow AI Partner to Accelerate Threat Detection
https://mytechdecisions.com/network-security/crowdstrike-counterflow-ai-partner-to-accelerate-threat-detection/
Thu, 07 Nov 2019 21:35:03 +0000

CounterFlow AI, a systems security provider delivering artificial intelligence for IT operations, is partnering with cloud-delivered cybersecurity software firm CrowdStrike to accelerate threat detection and response for business security teams.

CounterFlow AI is enhancing its machine learning engine with Falcon X, CrowdStrike’s customizable, automated incident investigation platform. According to the joint release, the integration allows organizations to gather more data from threat insights gained from their networks’ endpoints without creating a large security stack or larger data storage footprint.

The companies said the integration brings more automation to the way security teams assess streaming network data with real-time contextualized threat intelligence, recording just the data with a high investigative value.

Customers will be alerted with detailed indicators of compromise, like domain and IP information, to help security teams detect existing threats and perform incident investigations more effectively and efficiently.

CounterFlow AI said its ThreatEye AIOps platform for network forensics is designed for hybrid cloud deployments, merging machine learning with full packet capture and visualization to provide insights. The platform integrates seamlessly with CrowdStrike’s cloud-native intelligent, single-agent Falcon platform, which CounterFlow AI said enables frictionless deployment at scale to stream high-fidelity data to the cloud, providing businesses with prioritized threat analysis and response.


In a statement, CounterFlow AI co-founder and CEO Randy Caldejon said the firm is bringing new network forensic tools to organizations to help increase the signal-to-noise ratio of their network data.

“That requires best-in-class threat intelligence, and there is no better firm who possesses the quality and scale of capabilities than CrowdStrike,” he said. “Together, we’re helping security teams start investigations sooner and from a more confident jumping off point.”

CrowdStrike’s Chief Product Officer Amol Kulkarni said CounterFlow AI’s approach is a more intuitive way to eliminate time-consuming activities associated with capturing data flowing through an enterprise’s network.

“By integrating the benefits of CrowdStrike Falcon with CounterFlow AI ThreatEye, we are offering customers contextualized threat intelligence to help enable security teams to move from a reactive state to a proactive one,” he said. “This powerful combination delivers a more efficient way to help organizations conduct investigations, including the critical intelligence necessary to get ahead of known and unknown threats.”
