Microsoft's RiskIQ Acquisition a 'Good, Sensible' Move
This acquisition shows Microsoft is getting serious about cybersecurity.
The combination of RiskIQ’s internet-based threat intelligence and Microsoft’s existing threat intelligence sources provides an “unprecedented” level of visibility and insight to help create a safer digital environment as customers work to digitally transform their business and support hybrid work, a Microsoft spokesperson tells us.
“We’re proud of the loyal customer base we’ve built and how far we’ve come,” said RiskIQ’s Elias Manousos. “We now partner with hundreds of the Global 2,000, and our incredible community has grown to more than 100,000 security professionals that we’re excited to have as partners in this journey. We’ll continue to support, nurture and grow this community with Microsoft. We’ll also continue to grow and work with the valued members of our Interlock Partner Program.”
Threat intelligence/brand protection/attack surface management is clearly a requirement for companies of all sizes, and particularly for ones going through digital transformation, Omdia’s Rik Turner said.
“I don’t know whether the rationale is for Microsoft to leave RiskIQ as a standalone subsidiary, but it would seem more likely that it will be integrated with the mothership as part of Microsoft’s overall security offering, particularly on the Azure side of the house,” he said. “It actually reminded me a little bit of Splunk’s recent acquisition of TruSTAR. Of course TruSTAR is not exactly in the same part of the threat intelligence market as RiskIQ, but it is still designed to enable companies to get more, better, faster intelligence about the threats they are facing and respond more quickly, and shows that the need not only to access intelligence, but also to make it actionable in a timely fashion, is a key requirement, and that the big tech vendors recognize this.”
Cybersecurity specialists will no doubt continue to say that they are more focused on cybersecurity than Microsoft, and heterogeneous in the platforms they cover, whereas Microsoft makes its cybersecurity offerings work well on Microsoft platforms, Turner said.
“Even so, this is further evidence of Microsoft getting serious about cybersecurity, and while it still isn’t competing head-to-head in this market against the dedicated security vendors and has no intention of doing so, it becomes their de facto competitor, depending on how it monetizes the RiskIQ technology,” he said.
A comparison here might be with secure email gateway (SEG) vendors, Turner said. They compete with the SEG functionality that Microsoft bundles into the higher end of its offerings. This could explain why Proofpoint, the “big beast” in SEG, hasn’t turned a profit in the last 10 years and was taken private earlier this year.
In other security news …
Websites operated by the REvil ransomware gang have suddenly disappeared on the dark web. REvil is responsible for the attacks on Kaseya, JBS USA, the Republican National Committee (RNC) and more.
Although it’s not clear what led to these websites being taken down, President Biden and the National Security Council (NSC) have said they are taking action against such ransomware groups.
Ekram Ahmed is spokesperson at Check Point Software Technologies.
“One possibility is a silent takedown, similar to what happened in the DarkSide situation, where hackers were silently taken offline by the feds,” he said. “Though it might be too early to celebrate, as another viable possibility is that the ransomware gang has decided to lie low, given all the attention and spotlight they’ve undergone recently from the Kaseya, Colonial Pipeline and JBS attacks. It’s possible that REvil has gone into retirement, or at least a temporary one, as they did with the GandCrab ransomware a few years ago. We recommend not jumping to any immediate conclusions as it’s early. But REvil is, indeed, one of the most ruthless and creative ransomware gangs we’ve ever seen.”
Check Point Research (CPR) saw 15 cyberattacks per week from REvil over the last two months. The United States, Germany, Brazil and India were the countries REvil attacked most.
Steve Moore is chief security strategist at Exabeam.
“This outage could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise, we don’t know,” he said. “If the outage is the result of an offensive response, this then sends a new message to these groups that they have a limited window in which to work. Furthermore, if a nation responds to criminals backed by and hosted in another country, this will change the definition of risk for affected private organizations. The question becomes, who is and isn’t ready to participate in this new theater? If a nation engages in offensive ‘hack back’ operations, then to what degree should they defend private companies as well – which is arguably more valuable?”
Virsec, a provider of real-time software security, has obtained a $100 million Series C investment, bringing its total funding to $137 million.
The Virsec Security Platform (VSP) stops sophisticated attacks at the first point of incursion, so an adversary doesn’t have the dwell time in software to orchestrate and execute their malicious plans. VSP can eradicate threats to the software workload at runtime, in real time, while reducing the cost of security operations.
Virsec’s Series C investors range from John Chambers, former chairman and CEO of Cisco, to Mike Ruettgers, the former chairman and CEO of EMC. The investors also include a number of former high-ranking government and intelligence officials.
Jennifer Leggio is Virsec’s chief marketing officer.
“With this round, we anticipate expanding our go-to-market engine to increase our global presence, which will include opportunities for partners as we expand into new markets,” she said. “Now is a great time for us to further grow and restructure our global channel program, to include robust benefits to partners.”
Partnering with Virsec means having a “more complete arsenal of security for our channel to offer its customers,” Leggio said.
The Virsec solution maps the expected performance of each application on a workload and protects the memory those applications use to execute. Virsec ensures that the components of those applications are correct and unmodified before they are allowed to execute, and any deviation from the norm is treated as a threat.
New research by Digital Shadows reveals that in the last four months, each of its clients experienced on average 360 domains impersonating their company and brand name. That’s nearly 1,100 per year on average.
The Digital Shadows Photon Research Team flagged more than 175,000 impersonating domains to its clients over four months of 2021. It analyzed five sectors in detail. At 20% of the total, financial services are the most impacted, followed by food and beverage (12%), technology (11%), insurance (6%), health care (4%) and “other” at 53%.
Stefano De Blasi is a threat researcher at Digital Shadows. He discussed the findings in a Q&A.
Channel Futures: What’s fueling this rise in domain impersonation?
Stefano De Blasi: Several factors contributed to a rise in the detection of impersonating domains. First, the barrier to conduct this kind of attack has significantly lowered. Cybercriminals can now buy or rent for cheap customizable kits that make setting up an impersonating domain a relatively easy task. These off-the-shelf tools make this criminal practice accessible to less sophisticated cybercriminals that cannot count on endless financial resources.
Second, impersonating domains can serve a variety of criminal purposes and are thus widely used by different threat actors, especially in the early stages of broader campaigns. From credential harvesting to malware dropping, we observed cybercriminals and state-sponsored actors using these fraudulent websites with different objectives in mind. As such, impersonating domains is a versatile tactic adopted by many groups, with the outcome of making attribution processes even more complicated.
Third, obsolete approaches adopted by many organizations make this tactic an easy one to carry out. The idea of simply buying any potential variation of an organization’s brand name is outdated and will not result in a better security posture.
CF: What sort of damage can be inflicted by domain impersonation?
SDB: Harvesting credentials for account takeover and extracting sensitive financial data are the two most common goals observed in the research. In both cases, targeted organizations can suffer significant financial and reputational damage from these attacks.
Additionally, impersonating domains can be used to host and deliver malware onto targeted machines, as well as spreading disinformation on sensitive topics such as political elections or topics of heightened societal attention. When used for these purposes, impersonating domains can cause considerable harm to individuals, organizations and countries alike.
CF: What aren’t organizations doing that they should be doing to protect themselves?
SDB: Defensive strategies that rely on buying similar domains no longer work. With more than 1,500 generic top-level domains recognized by the Internet Corporation for Assigned Names and Numbers (ICANN), and an average of three impersonating domains per client detected by Digital Shadows, it is evident that such a strategy can no longer work in the long run. On the other hand, compiling a thorough asset inventory of your organization and setting up a domain monitoring program can go a long way in quickly identifying new fraudulent domains and enforcing their takedown before they can cause any harm.
CF: Can MSSPs and other cybersecurity providers help protect organizations? If so, how?
SDB: Given the sheer number of impersonating domains popping up on a daily basis, cybersecurity partners and MSSPs can support organizations in this potentially overwhelming task. Along with monitoring for newly registered domains that use any of your assets, it is crucial to have a takedown service that can support reporting to law enforcement and demand that hosting providers take down those websites.
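As an added illustration of the domain monitoring program De Blasi describes (example code written for this page, not Digital Shadows’ tooling), the screen below folds common look-alike character substitutions and flags newly seen domains that sit within one edit of, or embed, a brand label taken from an asset inventory. The brand inventory, the homoglyph table and the naive TLD split are assumptions constructed for the example.

```python
# Added example: a minimal look-alike domain screen over a constructed brand
# inventory. Not Digital Shadows' code; brand list and homoglyph table are assumed.
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: registrable labels the organization actually owns.
BRAND_LABELS = {"examplebank", "exbank"}
# Assumed visual substitutions often used in impersonating domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def registrable_label(domain: str) -> str:
    """Label left of the TLD; naive split, no public-suffix list (assumption)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def normalize(label: str) -> str:
    """Fold hyphens and look-alike characters so 'exarnple-bank' reads 'examplebank'."""
    label = label.replace("-", "")
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the classic two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

@dataclass
class Finding:
    domain: str
    brand: str
    reason: str

def screen(domain: str, brands=BRAND_LABELS) -> Optional[Finding]:
    """Return a Finding if the domain looks like an impersonation, else None."""
    label = registrable_label(domain)
    if label in brands:
        return None  # an owned asset, not an impersonation
    folded = normalize(label)
    for brand in brands:
        if folded == brand:
            return Finding(domain, brand, "homoglyph/hyphen variant")
        if levenshtein(folded, brand) <= 1:
            return Finding(domain, brand, "edit distance 1 (typosquat)")
        if brand in folded:
            return Finding(domain, brand, "brand embedded in label")
    return None
```

Folding substitutions such as `rn` to `m` will also alter legitimate words, so treat a hit as a triage candidate for the takedown workflow rather than a verdict.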
Microsoft’s upcoming RiskIQ acquisition is a sensible and good move. And it’s the latest among big players to have a meaningful offering in threat intelligence.
That’s according to Rik Turner, principal analyst at Omdia. (Omdia and Channel Futures share a parent company, Informa.)
Microsoft is acquiring RiskIQ, a provider of global threat intelligence and attack surface management, in a deal reportedly worth $500 million.
RiskIQ helps customers discover and assess the security of their entire enterprise attack surface in the Microsoft cloud, AWS, other clouds, on premises, and from their supply chain. RiskIQ can help enterprises identify and remediate vulnerable assets before an attacker can capitalize on them.
Better Defense for Partners, Customers
Eric Doerr is Microsoft’s vice president of cloud security. In a blog post, he wrote that Microsoft has been a leader in delivering end-to-end cloud-native security. It does so with Microsoft 365 Defender, Microsoft Azure Defender and Microsoft Azure Sentinel. They help protect, detect and respond to threats in multicloud and hybrid cloud environments.
“With the acquisition of RiskIQ, we will continue our mission to help customers and partners defend their growing digital estate against increasing cyber threats,” he said.
Microsoft didn’t say how much it’s paying for RiskIQ; however, Bloomberg reports the software giant will cough up more than $500 million.
Elias Manousos is RiskIQ’s co-founder and CEO.
“The vision and mission of RiskIQ is to provide unmatched internet visibility and insights to better protect and inform our customers and partners’ security programs,” he said. “We’re thrilled to add RiskIQ’s attack surface and threat intelligence solutions to the Microsoft security portfolio, extending and accelerating our impact. Our combined capabilities will enable best-in-class protection, investigations, and response against today’s threats.”