More stories

  • XDR defined: Giving meaning to extended detection and response

    The term “extended detection and response” or XDR was coined back in 2018, but definitions continue to vary significantly. There has been no reliable, unbiased explanation of what XDR is and how it differs from a security analytics platform, which has led to confusion and to XDR being dismissed as nothing more than yet another cybersecurity marketing buzzword. To help clarify this, Forrester has released research on what XDR is, what XDR isn’t, and what clients need to look for when evaluating XDR solutions. This research is a rigorous breakdown of what to expect from XDR solutions, based on interviews and survey results from XDR end users and over 40 security vendors. Below is an adaptation of a short excerpt of the report that defines XDR and explains its origins. The complete report goes into significantly more depth and includes helpful recommendations.

    What Is Extended Detection And Response (XDR)?

    XDR is emerging because of the value that endpoint detection and response (EDR) brings to incident response, and because of the appetite to pair EDR data with additional telemetry that can’t be captured from endpoints alone. Forrester defines XDR as: the evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation. XDR’s value is driven by its security analytics capabilities, third-party integrations, and response actions.

    Why Does XDR Come From EDR?

    EDR was the proof of concept for XDR. EDR’s remarkable success served as validation that its detection and response capabilities allow security analysts to detect threats, perform investigations, and respond in real time. While EDR provides effective endpoint detection and response, security teams require more telemetry than just the endpoint. Security teams have used security analytics platforms, security information and event management (SIEM) solutions, NAV, and homegrown data lakes to match endpoint telemetry with security data from other parts of the environment. These efforts had varying degrees of success but suffered from extreme resource consumption, a high rate of false positives, and sizable data volumes.

    How Is XDR Brought To Market?

    XDR is often categorized as open or closed, which is confusing, as open implies “open source,” which is very different from what is meant by “open XDR.” Thus, Forrester describes XDR as “native” or “hybrid.”

    Forrester defines hybrid XDR as: an XDR platform that relies on integrations with third parties for the collection of other forms of telemetry and the execution of response actions related to that telemetry. Forrester defines native XDR as: an XDR suite that integrates with other security tools from the vendor’s own portfolio for the collection of other forms of telemetry and the execution of response actions related to that telemetry.

    Is XDR The Same As SIEM?

    XDR is on a collision course with security analytics and security orchestration, automation, and response (SOAR). XDR and SIEM are not converging but colliding. XDR will compete head-to-head with security analytics platforms (and SIEMs) for threat detection, investigation, response, and hunting. Security analytics platforms have over a decade of experience in data aggregation that they apply to these challenges, but they have yet to provide incident response capabilities that are sufficient at enterprise scale, forcing enterprises to prioritize alternate solutions. XDR is rising to fill that void through a distinctly different approach anchored in the endpoint and in optimization. The core difference between XDR and the SIEM is that XDR detections remain anchored in endpoint detections, as opposed to taking the nebulous approach of applying security analytics to a large set of data. As XDR evolves, expect the vendor definition of endpoint to evolve as well, based on where the attacker target is, regardless of whether it takes the form of a laptop, workstation, mobile device, or the cloud.

    This post was written by Analyst Allie Mellen, and it originally appeared here.

  • You should update your iPhone and iPad to iOS 14.5.1 right away

    Apple on Monday released iOS 14.5.1 and iPadOS 14.5.1 for its iPhone and iPad lineup. The update comes just a week after iOS 14.5 and iPadOS 14.5 were officially released, but there’s a good reason for the back-to-back updates: it includes a fix for two security issues that, according to Apple, are actively being used. According to Apple’s security post about Monday’s update, there are two WebKit bugs for which “Apple is aware of a report that this issue may have been actively exploited.”

    The issue impacts the iPhone 6S or newer, all iPad Pro models, the iPad Air 2 or newer, the iPad 5th generation or newer, the iPad Mini 4 or later, and the latest iPod touch. To update your device, open Settings > General > Software Update and follow the prompts. As always, it’s a good idea to back up your device before installing the update.

    Apple also released a similar update for its Mac lineup with macOS 11.3.1, watchOS 7.4.1 for the Apple Watch, and iOS 12.5.3 for older iPhone and iPad models.

  • Facebook, Google, Twitter caution Australia against a blanket terrorism content ban

    Representatives from Google, Facebook, and Twitter on Friday appeared before an Australian security committee as a united front, spruiking the idea that they’re all working together to thwart nefarious activity, such as violent extremist material, from proliferating on their respective platforms.

    The trio told the Parliamentary Joint Committee on Intelligence and Security, as part of its inquiry into extremist movements and radicalism in Australia, that the effort is a joint one and that the best way forward was not to legislate a ban on all mentions of content deemed inappropriate.

    “We all know combating terrorism and extremism is a continuous challenge. And unless we can completely eliminate hate and intolerance from society, there’s going to be hate and intolerance online,” Facebook Australia’s head of policy Josh Machin said. “It’s also a shared challenge between governments, industry experts, academia, civil society, and the media.”

    Asked what the Australian government could do to help the platforms with such a mammoth task, Twitter’s senior director of public policy and philanthropy in the APAC region Kathleen Reen said it would be incredibly problematic to use a blunt force instrument like a ban.

    “One of the things that’s really important in order to really de-radicalise groups to ensure healthy, cohesive, inclusive, and diverse communities, is to make sure that there’s awareness, discussion, interrogation, and debate, and research about what the problems actually are,” she said. “If you ban all discussion at all about it … you may find yourself effectively chasing it off our platforms where the companies are working to address these issues, and pushing it out into other platforms.”

    Reen suggested instead “deep work” with academic and civil society experts, as some examples, that considers how to create “cohesive communities when you’re also trying to stop those bad actors”.

    “To be clear, stopping the conversation entirely won’t address the problem in our view. In fact, it’ll make it worse,” she said.

    Facebook, Twitter, Google-owned YouTube, and Microsoft in June 2017 stood up the Global Internet Forum to Counter Terrorism (GIFCT) as a collective effort to prevent the spread of terrorist and violent extremist content online. There are now 13 companies involved.

    The GIFCT shifted its focus in the wake of the Christchurch terrorist attack and the call to arms New Zealand Prime Minister Jacinda Ardern made by way of the Christchurch Call. Reen said the Call was a “watershed moment”.

    “It was a moment for convening governments and industry and civil society together to unite behind our mutual commitment for a safe, secure, and open internet. There was also a moment to recognise that wherever evil manifests itself, it affects us all,” she said.

    Reen said the group is hoping to add more names to the GIFCT.

    “We’re looking forward to expanding these partnerships in future because terrorism can’t be solved by one or a small group of companies alone,” she said.

    Part of expanding the platforms involves working with smaller, less known platforms, amid concerns that an unintended consequence of eliminating hate from the more popular ones will be echo chambers elsewhere.

    “We know that removing all discussion of particular viewpoints at times, no matter how uncomfortable they may seem, we’ll only chase extremist thinking to darker corners of the internet, to other platforms, and to other services, services that may be available in Australia,” Reen said. “Services that may or may not have been invited to participate in such conversations and critical debates about what to do next.”

    Google Australia’s head of government affairs and public policy Samantha Yorke believes there is clearly an opportunity for the big mainstream platforms to play a role.

    “The only ‘watch out’ for us all in the context of this particular conversation is just around privacy issues that would inevitably pop up around behavioural profiles and sharing information about specific identifiable users across different companies and platforms,” Yorke said. “There’s some obvious areas where there would be privacy implications there, but … it’s an area that I think is ripe for further exploration.”

    Twitter initiated a URL sharing project, which has since been folded into the greater GIFCT work. She said that since inception, about 22,000 shared URLs have been put into that database.

    “It speaks to the importance of experimentation,” she said. “And I think it also speaks to the importance of transparency around these processes.”

    Similarly, YouTube also has an “intel desk”, which Yorke said is essentially tasked with surveying what’s happening on the web more broadly, identifying emerging themes or patterns of behaviour that might be taking place off the YouTube platform but which may manifest in some way on YouTube. “It’s seeking to develop a little bit more of a holistic view of what’s going on out there,” she said.

    The trio agreed with Reen’s view that there is an opportunity for the Australian government to dig deeper into these partnerships.

    Appearing before the committee on Thursday, Australian eSafety Commissioner Julie Inman Grant was asked why a Google search for the Christchurch terrorist’s manifesto returns results. “We’re not going to the war with the internet,” she said.

  • TurgenSec finds 345,000 files from Filipino solicitor-general's office were breached

    Around 345,000 files from the solicitor-general of the Philippines, including sensitive information for ongoing legal cases, have allegedly been breached and made publicly available, UK cybersecurity firm TurgenSec has reported.

    The files were publicly available since at least February, when TurgenSec said it first discovered the breach and emailed the solicitor-general and the Philippines government about the files. Both the solicitor-general and the Philippines government allegedly did not respond to the company’s emails about the breach, which were sent on March 1 and 28. The documents were eventually taken down on April 28, but the files have been accessed and downloaded by an unknown third party, TurgenSec said.

    According to the cybersecurity firm, the breach contained hundreds of thousands of files, ranging from documents generated in the day-to-day running of the solicitor-general’s office to staff training documents, internal passwords and policies, staffing payment information, information on financial processes and activities including audits, and several hundred files titled with keywords such as “private, confidential, witness, and password”. The breached documents also contained over 750 instances of the word rape, as well as information on sensitive topics such as child trafficking, executions, the Philippines intelligence agency, and Philippines Senator Francis Pangilinan, among other information.

    “This data breach is particularly alarming as it is clear that this data is of governmental sensitivity and could impact on-going prosecutions and national security,” TurgenSec said.

    In December last year, the solicitor-general’s website was reportedly breached by a hacker group that identified itself as “Phantom Troupe”. Four months prior to the website hack, the air-gapped networks of the Filipino government were targeted by hackers operating in the interests of the Chinese government.

  • TikTok appoints Singaporean as new CEO

    TikTok has appointed Singaporean Chew Shou Zi as its new CEO in a “strategic reorganisation” that sees its top executives based out of its various global offices, including Singapore and the US. The Chinese video platform also announced Vanessa Pappas as its new COO. Based out of Los Angeles, Pappas had served as the company’s interim head, TikTok said in a statement.

    The company’s former CEO Kevin Mayer left last August, just three months after taking up the position, citing a “sharply changed” political environment. TikTok that month had launched a lawsuit against the US government, then under the Trump administration, over the video app’s ban.

    The appointments of Chew and Pappas were part of a strategic reorganisation to “optimise TikTok’s global teams” as well as support its growth, the company said. Its global offices also include Jakarta, Seoul, Tokyo, and London.

    Chew in March was appointed CFO of TikTok’s parent company ByteDance, a position he will continue to hold from Singapore, where he is currently based. ByteDance’s founder and CEO Zhang Yiming said the two TikTok senior executives would set “the stage for sustained growth”, with Chew having led a team that was amongst ByteDance’s earliest investors and being a decade-long veteran of the technology industry. “He will add depth to the team, focusing on areas including corporate governance and long-term business initiatives,” Zhang said.

    Chew was most recently president of international at Chinese smartphone maker Xiaomi, where he also held the CFO position up until April 2020. Pappas, prior to joining ByteDance in November 2018, had spent more than seven years at YouTube, where she was head of creative insights.

    TikTok’s US operations had been poised to be sold to Oracle and Walmart, but the sale was “shelved indefinitely” following a review by the Biden administration to assess the security risks of foreign-owned apps and software. The sale had been prompted by former president Trump’s executive orders banning downloads of the Chinese-owned social media apps WeChat and TikTok, alleging they posed threats to US national security, foreign policy, and economy due to the data they collected.

  • iPhone users: Do this today!

    iOS 14.5 is out. It is likely to be the final big update to iOS until we get a sneak peek at iOS 15 at Apple’s developer keynote in June, ahead of its release in the fall.

    That said, it’s unlikely to be the last iOS 14 update. An update of the size and scale of iOS 14.5 is likely to bring with it bugs that will take a few updates to crush. So, should you update, or wait for the inevitable iOS 14.5.1 to land in a few weeks?

    My advice: Update. Update now. Update right now.

    I’m usually quite cautious when it comes to iOS updates. Well, not personally, but I am when it comes to others. But not where iOS 14.5 is concerned, because as well as bringing support for AirTags, the anti-tracking privacy features, and new emojis, the update includes patches for 50 vulnerabilities.

    Yes, you read that right, 50. To make matters worse, some of those bugs are remote code execution bugs, which means that attackers could run code on iPhones remotely. Other bugs allow attackers to read sensitive data remotely. One bug, labeled CVE-2021-30661, ‘may have been actively exploited’ by attackers, raising the stakes further.

    My advice on this one is to install it now. I’d normally recommend waiting for the update to land, but this is such a huge package of bug fixes that waiting doesn’t seem like a good idea.

    Head over to Settings > General > Software Update and run the update now (if you haven’t already). It’s quite a big package — over a gigabyte — so it might take some time, but given the severity of this bug, it’s time well spent.

  • China calls out 33 apps for collecting more user data than deemed necessary

    China has called out 33 mobile apps for collecting more user data than it deemed necessary to offer their service. These companies, which include Baidu and Tencent Holdings, have been given less than a fortnight to plug the gaps.

    The Cyberspace Administration of China (CAC) said in a brief statement on Saturday that these apps had breached local regulations, primarily by capturing personal data that was not relevant to their service. Citing complaints from the public, the government agency said operators of the apps were found to have infringed the rules after authorities assessed several popular apps, including map navigation apps. These apps also gathered personal information without consent from their users, according to CAC.

    Amongst the list of 33 were apps from Sogou, Baidu, Tencent, QQ, and Zhejiang Jianxin Technology. These operators now had 10 working days to rectify the issue, failing which they would be subject to penalties laid out by the regulations, CAC said.

    The government agency in March released regulations that prohibited mobile app developers from refusing to offer basic services to consumers who did not want to provide personal data that was unnecessary for the provision of such services. It said the legislation would provide greater clarity on the types of data deemed necessary for commonly used apps, including ride-hailing, instant messaging, online retail, and map navigation. For instance, ride-hailing apps would need access to their users’ phone number, payment details, and location, CAC said.

    It added that the new regulations were needed as mobile apps grew increasingly popular and the collection of a wide range of personal data became prevalent. It noted that several apps sought personal information by bundling their services and prevented consumers from using basic functions if they refused to authorise the use of their data. The legislation would regulate these operators’ access to data and safeguard consumers’ personal information, said CAC.

    The Chinese government in recent months had ramped up efforts to crack down on tech monopolies and their increasing influence, and to safeguard consumers’ rights on digital platforms. E-commerce giant Alibaba Group last month was hit with a record 18.2 billion yuan ($2.77 billion) fine for breaching China’s antitrust regulations and “abusing [its] market dominance”. The country’s State Administration for Market Regulation said Alibaba had been abusing its strong market position since 2015 to prevent merchants from using other online e-commerce platforms. Such practices impacted the free movement of goods and services, infringing on merchants’ business interests, and were in breach of local anti-monopoly laws, the government agency said.

  • Ransomware is now a national security risk. This group thinks it knows how to defeat it

    Ransomware is a growing international problem, and it needs global cooperation in order to prevent attacks and take the fight to the cyber criminals behind the disruptive malware campaigns.

    A paper by the Institute for Security and Technology’s (IST) Ransomware Task Force (RTF) – a coalition of cybersecurity companies, government agencies, law enforcement organisations, technology firms, academic institutions and others – has 48 recommendations to help curb the threat of ransomware and the risk it poses to businesses, and to society as a whole, across the globe.

    Members of the group include Microsoft, Palo Alto Networks, the Global Cyber Alliance, FireEye, CrowdStrike, the US Department of Justice, Europol and the UK’s National Crime Agency.

    Some of the solutions suggested include governments giving a helping hand to organisations affected by ransomware and providing them with the required cybersecurity support so they don’t fall victim in the first place. Others focus on more direct action, such as taking the fight to ransomware gangs by disrupting their infrastructure, or even regulating Bitcoin and other cryptocurrencies that cyber criminals use to anonymously demand ransom payments from victims.

    Ransomware attacks involve cyber criminals compromising the networks of organisations – often via phishing attacks, stolen Remote Desktop Protocol (RDP) credentials or exploiting software vulnerabilities – and then encrypting as many files and servers with malware as possible. Organisations will in many cases only become aware they’ve been infected when they see a ransom note on the screens of machines across their network. Often, the victims feel as if they’ve got no option but to pay the ransom – which can amount to millions of dollars – in order to restore the network.

    Ransomware has been around for a number of years, but the cyber criminals behind the attacks are getting bolder, demanding ever-growing ransoms from targets and in many cases blackmailing organisations into payment by threatening to leak sensitive data stolen from the compromised network. And it isn’t just sophisticated criminal gangs that are causing problems; the rise of ransomware as a service means that almost anyone with the skills required to navigate underground forums on the dark web can acquire and use ransomware, safe in the knowledge that they’ll probably never face being arrested for their actions.

    “The tools are available to malicious actors to ramp up the scale of what they want to do and be able to get away with it. That’s what happens as technology diffuses into society and you have inadvertent ramifications which have to be dealt with,” says Philip Reiner, executive director of the RTF and CEO of IST. “We’re grappling with that as a global society and we have to come up with better solutions for the problems it presents.”

    Ransomware isn’t new; it has existed in one form or another for decades, and the threat has been rising over the past five years in particular. While it’s perceived as a cybersecurity problem, a ransomware attack has much wider ramifications than just taking computer networks offline. Ransomware attacks are increasingly targeting critical infrastructure and, crucially, over the course of the past year, healthcare. But many organisations still aren’t taking the necessary precautions to protect against ransomware, such as applying security patches, backing up the network or avoiding the use of default login credentials. These concerns are viewed as issues for IT alone, when in reality it’s a risk that needs the focus of the entire business.

    “We have to stop seeing leaders think of this as a niche computer problem; it’s not, it’s a whole business event. You should think about ransomware in the same way you think about flooding or a hurricane – this is a thing that will close your business down,” says Jen Ellis, vice president of community and public affairs at Rapid7 and one of the RTF working group co-chairs. “But we don’t. We think about it as a niche computer event and we don’t recognise the impact it has on the entire business. We don’t recognise the impact it has on society.”

    In 2017, the global WannaCry attack demonstrated the impact ransomware can have on people’s everyday lives when National Health Service (NHS) hospitals across the UK fell victim to the attack, forcing the cancellation of appointments and leaving people who came for treatment to be turned away. But years later, the problem of ransomware has got worse, and in some cases hospitals around the world are now actively being targeted by cyber criminals.

    “You would think there would be no greater wake-up call than that, yet here we are years later having these same conversations. There’s a real problem with how people think about and categorise ransomware,” says Ellis.

    To help organisations recognise the threat posed by ransomware – no matter the sector their organisation is in – the RTF paper recommends that ransomware be designated a national security threat, accompanied by a sustained public-private campaign alerting businesses to the risks of ransomware and helping organisations prepare for being faced with an attack.

    But the Ransomware Task Force isn’t just suggesting that governments, cybersecurity companies and industry are there to help organisations know what to do if faced with a ransomware attack – one of the key recommendations of the report is for cybersecurity companies and law enforcement to take the fight to the cyber-criminal groups behind the attacks. A recent operation involving Europol, the FBI and other law enforcement agencies around the world resulted in the takedown of Emotet, a prolific malware botnet used by cyber criminals – and something that had become a key component of many ransomware attacks.

    Many cyber criminals switched to using other malware like Trickbot, but some will have taken the fall of Emotet as a sign to give up, because finding new tools makes it that little bit harder to make money from ransomware. “If you’re screwing with infrastructure, like going after Emotet, you’re making it harder,” says Chris Painter, president of the Global Forum on Cyber Expertise and former senior director for cyber policy at the White House.

    In line with this, the paper recommends that the pace of infrastructure takedowns and the disruption of ransomware operations should increase – ultimately with the aim of arrests and bringing criminals who develop and deploy ransomware to justice.

    It’s notoriously difficult to apprehend members of ransomware groups, especially when it’s an international problem. More often than not, the organisation that comes under a ransomware attack faces an extortion demand from someone who is in another country entirely. And that’s a particular problem for European and North American governments, when large quantities of ransomware attacks by some of the most prolific groups appear to originate from Russia and former Soviet states – countries that are highly unlikely to extradite suspected cyber criminals.

    But identifying cyber criminals isn’t impossible – the United States has indicted individuals from Russia for the NotPetya cyberattacks, as well as naming and shaming three North Koreans for their involvement in the WannaCry ransomware attack. Meanwhile, Europol has previously arrested individuals for being involved in ransomware attacks, demonstrating that, while difficult, it isn’t impossible to track cyber criminals down and bring them to justice.

    One key factor that has allowed ransomware to succeed is that attackers are able to demand payments in Bitcoin and other cryptocurrency. The nature of cryptocurrency means that transactions are difficult to trace and, by the time the Bitcoin has been laundered, it’s almost impossible to trace back to the perpetrator of a ransomware attack. The Ransomware Task Force suggests that in order to make it more difficult for cyber criminals to cash out their illicit earnings, there needs to be disruption of the system that facilitates the payment of ransoms – and that means regulating Bitcoin and other cryptocurrency.

    “It’s recognising that cryptocurrency has a place and there’s a reason for it, but also recognising that it’s notoriously being used by criminals – is there more that can be done there to make it harder for criminals to use it, or make it less advantageous to them,” says Ellis.

    Recommendations in the report for decreasing criminal profits include requiring cryptocurrency exchanges to comply with existing laws and encouraging information exchange with law enforcement. The idea is that by applying additional regulation to cryptocurrency, legitimate investors and users can continue using the likes of Bitcoin and Monero, but it becomes harder for cyber criminals and ransomware gangs to use it as an easy means of cashing out what they’ve extorted from victims – to the extent that, if it’s too difficult, they won’t bother with attacks in the first place. “If they’re using cryptocurrencies as a way to hide, if you have more compliance with existing regulations, it makes it tougher for them,” says Painter.

    The paper offers 48 recommendations and has been presented to the White House. It’s hoped that with cooperation across the board, businesses can be provided with the tools required to prevent ransomware attacks, governments can get more hands-on with providing help, and law enforcement can hunt down ransomware attackers – but it’s only going to work if ransomware is viewed as a global problem, rather than one for individual organisations or governments to fight alone.

    “What’s really important is that this has an international perspective on it, because it’s not an American problem, it’s an international problem,” says Reiner.