The Gately Report: Noname Security Expects SEC Rule Changes to Increase Sales
Plus, the INC Ransom gang is emerging as a major ransomware threat.
![Noname Security talks SEC changes Noname Security talks SEC changes](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/bltcab17752b92b599f/65242b07dbf7e6d4fabc2d6d/The-Gately-Report-logo.jpg?width=700&auto=webp&quality=80&disable=upscale)
Channel Futures: Are the SEC rule changes, particularly for public businesses reporting cyberattacks, a good thing? We’ve seen numerous cases of cyberattacks being reported several months after they occurred.
Noname Security's Karl Mattson: It’s kind of like the answer to the question of, is it a good thing that I wear a Fitbit? Maybe the first time I wear it, it informs me that my heart rate is irregular, and maybe I do a test on my health and it turns out that I'm not very healthy. So in a short time, that creates a little bit of chaos because I didn't even know I had a heart problem, and now I know and have to fix it.
So I think downstream, as we look toward routine practices that management teams and boards should be taking to oversee cyber responsibly, yes, it's a good thing. But there are going to be a lot of bandage-off moments for organizations when their boards and their CEOs find out that their programs weren't that strong. So I think it's only down the road that we can see the positive. Right now, it creates a lot of nervousness because not every company is ready for this scrutiny. Not all of us want to hear that we have high blood pressure, but we do.
CF: Noname Security, like all organizations, is likely constantly targeted by cybercriminals. How are you helping to keep Noname Security, and its partners and customers safe?
KM: It starts with structuring a security program that is, first and foremost, extremely sound at fundamentals. The National Institute of Standards and Technology (NIST) security framework is my default language. Also, looking at foundational practices from access control and end-user compute environments, to basic cloud security and patch configuration. And then for us as a product company, we probably overdo it more than others in terms of … producing secure software for our production environments.
We're a company that was born in the cloud, so as a CISO building a practice originally, I had an unfair advantage at being able to capitalize on modernization in the security stack with a cloud-native product. So that was a big advantage. But it still comes down to excellent access control, great asset management, great patch and configuration management, and security operations monitoring. We don’t do collection analysis and incident response any differently than anybody else. We just probably have a little easier time because we're doing it in a cloud-native world. So we have cloud-first technologies.
CF: Noname Security recently announced it has integrated with Swimlane, Tines and Palo Alto Networks for enhanced API security. How is that benefitting Noname Security and its partners?
KM: What it does is it gives customers of those orchestration platforms the ability to receive alerts and telemetry from the Noname system, so their security operations center (SOC) teams and their SOC analysts can automate through investigation and remediation very quickly. So an API security event that we discover requires analysis. It requires some degree of either research or insight into what phenomena occurred. Is it misuse, accidental or anomalous, for whatever reason? And with Swimlane and Tines, and Palo Alto Networks, what an analyst can do now is supercharge their research and investigation to get through workflow quickly so that you can block an attacker or implement the control block necessary. You're decreasing the amount of time from what could be many minutes down to a few seconds.
CF: Is the evolving threat landscape shaping Noname Security’s overall business, product and channel strategies?
KM: Absolutely. I think the elephant in every security room right now is handling AI, and how do we secure AI and how do we equip our customers to secure AI?
So that really means two things for us as a company. The first is to ensure that we're capitalizing on the best possible analytics that become a part of our software package so that we can do the best job at detecting true positives and discounting things that are false alarms. So it's product accuracy that we're using to enhance our Noname software. The second thing is on the customer side. What our customers are faced with is a world where developers can increasingly use API-based connections to AI models. So an easy example would be a software product developed in the customer's environment where that software product via API is reaching out to Azure AI, OpenAI or Google Bard, whatever the case is. And the detection and protection of that API has intensely important consequences because the volume and the criticality of traffic that's going through that Azure AI environment or that OpenAI environment is something that we can solve for. And so it really causes us to calibrate our attention for not just how we market ourselves, but to make sure that our product is excellent at that problem set. And honestly, that problem set existed only as edge cases a year ago. Now it's a prominent use case that we're talking about with every customer. The external landscape of AI has evolved very quickly. It prompts us to modernize product, and it prompts us to modernize our conversations with our customers about thinking about AI.
CF: How are partners and customers’ needs prompting enhancements to Noname Security’s platform?
KM: The biggest thing that we're seeing, maybe starting about six months ago and probably for the next six to 12 months, will be the degree to which regulators in the United States and internationally are very much waking up to the API as a critical asset for data privacy and protection. So what we find, like open banking standards, open banking APIs that have existed as a standard practice in Europe for several years now, the Consumer Financial Protection Bureau (CFPB) is making that rule in the United States. And the Payment Card Industry Security Standards Council now mentions the API by name in PCI version 4.0. And so the degree of compliance and regulatory-specific oversight of the API prompts us then to better characterize the API risk in the language that meets PCI requirements. Think of what we do as a platform being our raw engine, and now we have regulatory and compliance overlays that allow our customers then to use our technology to answer the requirements of those various regulators that are coming out.
CF: Many organizations are dealing with tight budgets. How is Noname Security helping partners meet those organizations’ needs?
KM: There are a couple of ways. The first is to emphasize that there are areas, particularly in software development and testing, where we can automate. We can create automation so that an organization doesn't have to go out and hire 10 more application security testers because automation is available. We can apply rigorous testing to APIs at a fraction of the cost it would take to do it the old school way. The other area then, especially at runtime, is to develop partners. Security technologies are famously hard to deploy and configure. A lot of companies will purchase things that they don't get value out of. So what we want to focus on is our relationships with partners like IBM, Intel, Amazon Web Services (AWS) and Google Cloud Platform (GCP) so that we can make the deployment of our technology as frictionless as possible. We all hope that the days of six-to-12-month deployment are in the past. We want to be able to say, "I want this technology and I want it to work right now. I want to get value right away, I want to get traffic right away, I want protection right away." And for us, that means leaning into the partners, because those companies like AWS, IBM and Intel, when we can deploy our technology as a native part of their builds, then it saves the customer an enormous amount of time and energy to deploy our technology uniquely.
CF: What do you find most dangerous and surprising about the current threat landscape?
KM: In a macro sense, what happens in the world geopolitically definitely manifests itself in the cyber world. So war in Ukraine, there are downstream effects in the cyber world. Even U.S. and European companies see that knock-on effect. And we're in a spot right now where the next geopolitical spike could create for us a new exposure. I think what we've seen over the last couple of years is geopolitical war. And when wars break out, we all have to adapt. And particularly in an environment where we're extremely budget conscious, if another war breaks out, can we adapt our resources? Can our customers now redirect focus and how can we help them do that? So I think geopolitical implications of cyber risk and what's next there, that's a big variable. We're also heading into an election season and as we've seen in the last couple of cycles, expect the unexpected.
CF: What can partners expect from Noname Security in 2024?
KM: Partner enablement. What our technology could do when implemented by an extremely well-trained expert in the field was remarkable. But we’re getting really good now at making the use of our technology much easier in the field. It requires a lot less support from Noname and less support from our R&D team. So self-service for partners, self-service for customers and enabling partners to have this engine in their hands and that they can be successful with it independently of the software team that built it.
In other cybersecurity news …
The INC Ransom ransomware gang, which claimed to have stolen sensitive data and confidential documents from Xerox, is quickly racking up victims and making a name for itself in the world of cybercrime.
NCC Group has been tracking INC Ransom since it first appeared last August. It racked up 46 victims last year, including three in August, 11 in September, 10 in October, 15 in November and seven last month, including Xerox.
“The group uses a double extortion strategy, stealing and encrypting data from their victims and threatening to leak via their leak site if victims do not pay the ransom,” said Ian Usher, NCC Group’s head of threat intelligence. “The group also claims to offer details of how initial access was achieved and advice on how to secure the impacted network once negotiations are completed successfully.”
These victims were spread across industrials, consumer cyclicals, technology, health care and education, with most victims sitting within industrials.
The group's known tactics, techniques and procedures (TTPs) include:

- Gaining initial access through spear-phishing emails or exploiting vulnerable services, such as Citrix NetScaler.
- Using commercial or legitimate tools for network scanning, data exfiltration and remote access.
- Encrypting local and network files with a custom ransomware payload that supports various command-line arguments. The payload also attempts to delete volume shadow copies (VSS) and output the ransom note to connected printers or fax machines.
- Leaving ransom notes in .TXT and .HTML format as "INC-README.TXT" and "INC-README.HTML" in each folder containing encrypted files. The ransom notes contain a personal ID for each victim and instruct them to contact the group via their TOR-based portal.
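The last TTP above gives defenders a cheap tripwire: a ransom note with a fixed name landing in many folders on one host within seconds is a strong signal of encryption in progress, while a single copy (an analyst saving a sample, a restore from backup) is not. The following is an added example written for this article, not NCC Group's detection content or anything from INC Ransom's tooling. It assumes a constructed file-creation event format (`<ISO timestamp>,<host>,<path>`), uses only the two note filenames reported above, and the window and folder thresholds are assumptions to be tuned to real telemetry.

```python
"""Ransom-note spread detection over file-creation telemetry (added example).

Not NCC Group's detection content. Assumes constructed events of the form
    <ISO timestamp>,<host>,<path>
and uses only the note filenames reported for INC Ransom. The same note name
appearing in several folders on one host within a short window is treated as
active encryption; a lone copy stays below the threshold.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

RANSOM_NOTE_NAMES = {"INC-README.TXT", "INC-README.HTML"}  # from the reported TTPs
WINDOW = timedelta(minutes=2)   # assumption: how long drops are correlated
MIN_DIRS_FOR_ALERT = 3          # assumption: notes in three or more folders

# Constructed sample: WS01 shows notes landing across three folders in seconds;
# WS02 has a single copy saved under a temp directory; WS03 is unrelated noise.
SAMPLE_EVENTS = """\
2024-01-05T02:14:01Z,WS01,C:\\Users\\jdoe\\Documents\\budget.xlsx
2024-01-05T02:14:02Z,WS01,C:\\Users\\jdoe\\Documents\\INC-README.TXT
2024-01-05T02:14:02Z,WS01,C:\\Users\\jdoe\\Documents\\INC-README.HTML
2024-01-05T02:14:05Z,WS01,C:\\Users\\jdoe\\Pictures\\INC-README.TXT
2024-01-05T02:14:09Z,WS02,C:\\Temp\\INC-README.TXT
2024-01-05T02:14:11Z,WS01,D:\\Share\\Finance\\INC-README.TXT
2024-01-05T02:14:12Z,WS01,D:\\Share\\Finance\\INC-README.HTML
2024-01-05T02:20:00Z,WS03,/home/ops/notes.txt
"""


def split_path(path: str) -> tuple[str, str]:
    """Return (directory, filename), accepting Windows or POSIX separators."""
    norm = path.replace("\\", "/")
    directory, _, name = norm.rpartition("/")
    return directory, name


def parse_events(text: str) -> list[tuple[datetime, str, str]]:
    """Parse the constructed CSV-like format into (timestamp, host, path) rows."""
    rows = []
    for line in text.splitlines():
        ts, host, path = line.split(",", 2)
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), host, path))
    return rows


def detect_note_spread(events: list[tuple[datetime, str, str]]) -> list[dict]:
    """Alert once per host when note drops cover MIN_DIRS_FOR_ALERT folders inside WINDOW."""
    alerts: list[dict] = []
    drops: dict[str, list[tuple[datetime, str]]] = defaultdict(list)  # host -> (ts, folder)
    alerted: set[str] = set()
    for ts, host, path in sorted(events, key=lambda e: e[0]):
        directory, name = split_path(path)
        if name.upper() not in RANSOM_NOTE_NAMES:
            continue
        # Sliding window of recent note drops on this host
        recent = [(t, d) for t, d in drops[host] if ts - t <= WINDOW] + [(ts, directory)]
        drops[host] = recent
        folders = {d for _, d in recent}
        if host not in alerted and len(folders) >= MIN_DIRS_FOR_ALERT:
            alerted.add(host)
            alerts.append({"host": host, "first_seen": recent[0][0], "folders": sorted(folders)})
    return alerts


def run_sample() -> list[dict]:
    return detect_note_spread(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"[ALERT] {alert['host']}: ransom notes in {len(alert['folders'])} folders "
              f"since {alert['first_seen'].isoformat()}: {alert['folders']}")
```

The filename match is case-insensitive because Windows file systems are, and paths are normalised to forward slashes so the same logic serves Windows workstations and the Linux file servers a share may live on. In practice the alert would feed isolation of the host; the window and folder thresholds here are deliberately low for the sample.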
INC Ransom will likely launch even more attacks this year, Usher said.
“The pervasive threat from organized crime groups should be at the forefront of minds in 2024,” he said. “We have seen a gradual increase in the activities of initial access brokers, the deployment of info-stealer malware, and of course extortion in the form of ransomware. With the industrials sector in particular remaining the most attractive sector for ransomware gangs, cybersecurity must be a key priority for the industry to improve supply chain resilience.”
The big cybersecurity challenges for this year and beyond relate to ever-evolving technology and threat landscapes, and the need for agility to keep pace in line with these evolutions against the backdrop of a volatile geopolitical landscape, Usher said.
“Research has never been more important to help us in our endeavor to achieve security and resilience in these times,” he said.
23andMe, a direct-to-consumer genetic testing service, is facing a class-action lawsuit after users’ data was accessed without authorization. And it’s blaming the breach on customers who used a recycled password as login credentials for their accounts on its website.
In a letter responding to attorneys representing customers whose data was exposed, 23andMe said no breach occurred under the provisions of the California Privacy Rights Act (CPRA) because users targeted in the initial breach were using login credentials that had been exposed in breaches involving other websites through the use of credential stuffing.
In a Dec. 1 SEC filing, 23andMe said certain user profile information was accessed and downloaded from user accounts by a threat actor.
“Upon learning of the incident, 23andMe immediately commenced an investigation and engaged third-party incident response experts to assist in determining the extent of any unauthorized activity,” the company said. “Based on its investigation, 23andMe has determined that the threat actor was able to access a very small percentage (0.1%) of user accounts in instances where usernames and passwords that were used on the 23andMe website were the same as those used on other websites that had been previously compromised or were otherwise available (the credential-stuffed accounts). The information accessed by the threat actor in the credential-stuffed accounts varied by user account, and generally included ancestry information, and, for a subset of those accounts, health-related information based upon the user’s genetics. Using this access to the credential-stuffed accounts, the threat actor also accessed a significant number of files containing profile information about other users’ ancestry that such users chose to share when opting in to 23andMe’s DNA Relatives feature and posted certain information online. We are working to remove this information from the public domain. As of the filing date of this amendment, the company believes that the threat actor activity is contained.”
Justin Wynn, director of red team operations at Coalfire, said it’s important to recognize the responsibilities that companies have in protecting user data and the “immorality” of deflecting blame in situations where adequate security measures could have been implemented.
“While users should use strong, unique passwords, the onus is on the company to have robust security measures in place to safeguard data and detect unauthorized account access,” he said. “An attack of such magnitude, over 6.9 million accounts, could have been easily detected or mitigated in a number of ways. Multifactor authentication, monitoring login attempts, rate limiting and lockouts, and IP anomaly detection all come to mind.”
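Three of the controls Wynn names (monitoring login attempts, rate limiting and lockouts, and flagging anomalous sources) can be expressed as a few counters over login telemetry. The block below is an added example written for this article, not code from 23andMe, Coalfire or any product mentioned. It assumes a constructed log format (`<ISO timestamp> <client_ip> <username> login <ok|fail>`), and the window and thresholds are assumptions to be tuned. The credential-stuffing signature it keys on is a single source cycling through many distinct accounts with mostly one attempt each, which ordinary brute force against one account does not produce; the example also shows why the success after the spray, not the failures, is the event that matters most.

```python
"""Credential-stuffing detection over login telemetry (added example).

Not 23andMe's or Coalfire's code. Assumes a constructed log format:
    <ISO timestamp> <client_ip> <username> login <ok|fail>
and implements: per-source rate limiting, a many-accounts-from-one-source
signature, per-account lockout, and flagging a success from a source that
was just seen spraying accounts.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions for the sample; tune them to real traffic.
WINDOW = timedelta(minutes=5)
MAX_FAILS_PER_IP = 5        # failures from one source inside WINDOW
MAX_USERS_PER_IP = 3        # distinct accounts tried from one source (stuffing signature)
LOCKOUT_FAILS_PER_USER = 3  # consecutive failures on one account before lockout

# Constructed sample: 203.0.113.7 works through a list of leaked credentials
# and lands one valid pair; 198.51.100.2 hammers a single account.
SAMPLE_LOG = """\
2024-01-05T10:00:01Z 203.0.113.7 alice@example.com login fail
2024-01-05T10:00:02Z 203.0.113.7 bob@example.com login fail
2024-01-05T10:00:03Z 203.0.113.7 carol@example.com login fail
2024-01-05T10:00:04Z 203.0.113.7 dave@example.com login fail
2024-01-05T10:00:05Z 203.0.113.7 erin@example.com login fail
2024-01-05T10:00:06Z 203.0.113.7 frank@example.com login ok
2024-01-05T10:00:07Z 198.51.100.2 alice@example.com login fail
2024-01-05T10:00:08Z 198.51.100.2 alice@example.com login fail
2024-01-05T10:00:09Z 198.51.100.2 alice@example.com login fail
2024-01-05T10:03:00Z 192.0.2.10 grace@example.com login ok
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed format; non-login lines are ignored."""
    events = []
    for line in text.splitlines():
        ts, ip, user, action, result = line.split()
        if action != "login":
            continue
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(LoginEvent(stamp, ip, user, result == "ok"))
    return events


def detect_stuffing(events: list[LoginEvent]) -> list[tuple[str, str]]:
    """Return (alert_kind, subject) pairs in the order they fire."""
    alerts: list[tuple[str, str]] = []
    fail_times: dict[str, list[datetime]] = defaultdict(list)  # ip -> recent failure times
    users_seen: dict[str, set[str]] = defaultdict(set)          # ip -> accounts attempted
    user_fails: dict[str, int] = defaultdict(int)               # account -> consecutive failures
    sprayed_ips: set[str] = set()
    limited_ips: set[str] = set()
    locked_users: set[str] = set()

    for ev in sorted(events, key=lambda e: e.ts):
        if ev.user in locked_users:
            # A locked account rejects even a correct password; record and move on.
            alerts.append(("attempt_on_locked_account", f"{ev.user} from {ev.ip}"))
            continue
        if ev.ok:
            if ev.ip in sprayed_ips or ev.ip in limited_ips:
                # The event that matters: a valid login from a source that just sprayed accounts.
                alerts.append(("success_from_flagged_ip", f"{ev.user} from {ev.ip}"))
            user_fails[ev.user] = 0
            continue

        # Failure: slide the per-source window and bump the per-account counter.
        # The account counter is source-independent, so a spray plus a later
        # attack on the same account still adds up to a lockout.
        recent = [t for t in fail_times[ev.ip] if ev.ts - t <= WINDOW] + [ev.ts]
        fail_times[ev.ip] = recent
        users_seen[ev.ip].add(ev.user)
        user_fails[ev.user] += 1

        if ev.ip not in sprayed_ips and len(users_seen[ev.ip]) >= MAX_USERS_PER_IP:
            sprayed_ips.add(ev.ip)
            alerts.append(("many_accounts_from_source", ev.ip))
        if ev.ip not in limited_ips and len(recent) >= MAX_FAILS_PER_IP:
            limited_ips.add(ev.ip)
            alerts.append(("rate_limit_source", ev.ip))
        if user_fails[ev.user] >= LOCKOUT_FAILS_PER_USER:
            locked_users.add(ev.user)
            alerts.append(("lock_account", ev.user))
    return alerts


def run_sample() -> list[tuple[str, str]]:
    return detect_stuffing(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, subject in run_sample():
        print(f"[{kind}] {subject}")
```

On the sample, the spraying source trips the many-accounts signature on its third distinct username, before the plain failure rate limit does, and the later valid login from that source is surfaced as its own alert; the single-account attacker is handled by the lockout instead. Geo or ASN-based IP anomaly detection, the fourth control in the quote, needs enrichment data and is left out here.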
Ken Westin, field CISO at Panther Labs, said placing blame on end users for large-scale security incidents is never a good move.
“This move by 23andMe feels more like something that lawyers cooked up to avoid liability in the short term without consideration for the long-term consequences or real reflection by the company regarding their security practices,” he said. “Given the nature of 23andMe's business, trust is a key component of their go-to-market strategy, so it will be interesting to see how the market responds to this approach. I believe it will have a detrimental effect and have a larger impact on the business as a result. How organizations respond to security incidents can have a more significant impact than the original breach if it is not handled responsibly.”
HealthEC (HEC), a health care technology provider, disclosed that a data breach last July impacted nearly 4.5 million individuals.
According to its notification, HEC’s investigation determined that certain systems were accessed by an unknown actor between July 14 and July 23, and during this time certain files were copied.
The types of information identified through its review vary by individual, but include name, address, date of birth, Social Security number, taxpayer identification number, medical record number, medical information, health insurance information and/or billing and claims information.
Nearly 20 health care organizations using HEC’s population health management platforms were affected by the breach.
According to a U.S. Department of Health and Human Services list of breaches under investigation, the HEC data breach has impacted more than 4.45 million individuals.
Kevin Kirkwood, deputy CISO at LogRhythm, said the health care sector remained a top target for cyberattacks during 2023, with notable attacks involving HCA Healthcare with the data of 11 million patients exposed, and the Colorado Department of Health Care Policy and Financing MOVEit breach.
“This updated disclosure from HealthEC serves as a stark reminder that these threats persist,” he said. “For a company that provides health management platforms to such a wide range of organizations, safeguarding the personal health information (PHI) of customers is essential. PHI is the most complete record for an individual and makes it extremely easy to steal a person’s identity. This information can be used by bad actors who are also looking to acquire a record that allows them to steal prescriptions that could satisfy a drug need while putting the compromised individuals' health at risk.”
Dirk Schrader, vice president of security research at Netwrix, said a major problem in the health care sector is that breach prevention and detection are often not swift enough.
“This leads to breaches going undetected for a longer period and endangering the victims even more,” he said. “As the type of data breached is all-encompassing, the value of it for an attacker is huge.”
“The second problem is about the position of health tech companies as parts of a supply chain to first-line health care providers,” Schrader said.
“Their customers are not the individuals, but insurers, hospitals and clinics, as documented by the list of 19 organizations named as affected business partners,” he said. “As they aggregate data from various health care organizations, the health tech providers should acknowledge that they are a prime target for attackers. Due to no direct interactions with the individuals, they tend to underestimate the responsibility they hold and are lacking diligence for protecting the patients’ data they have access to.”
Rule changes for reporting cyberattacks will likely spur more dialogue about cyber readiness and investment in new technology like what Noname Security offers.
That’s according to Karl Mattson, Noname Security's field CISO. The U.S. Securities and Exchange Commission (SEC) rule changes took effect last month.
Public companies are now required to publicly disclose material cybersecurity incidents within four days. The disclosure may be delayed if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety, and notifies the Commission of such determination in writing.
The SEC rule changes also include annual reporting of cybersecurity risk management, strategy and governance.
![Noname Security's Karl Mattson Noname Security's Karl Mattson](https://eu-images.contentstack.com/v3/assets/blt10e444bce2d36aa8/blt8375c4b691b26f7b/659870b131806f0407892b74/Mattson_Karl_Noname_Security_2024.jpg?width=700&auto=webp&quality=80&disable=upscale)
Noname Security's Karl Mattson
“What it really does is it changes the dialogue at the board level and the executive team because as a technical matter, with the change of reporting frequency, public companies already have that process developed,” Mattson said. “There are playbooks, there are processes, and there are notifications to customers and regulators. All that stuff already exists. So by lowering the threshold to four days, what the SEC is really prompting to happen is to have governance conversations consistently, continuously with general counsel and at the board level.”
New Investment in Noname Security Coming
Gone are the days when a board conversation on cybersecurity could be once a year, Mattson said.
“Now it has to be almost in immediate real time because if there is an incident and there needs to be disclosure, and the consequences are going to be immediate, it places this intense spotlight on an organization's governance, the conversations that the CISO is having with the board, general counsel and CIOs,” Mattson said. “And so what that concentrated dose of governance will probably do is result in more decisions in the investment in new security technologies like Noname. So it has the downstream impact of probably prompting new investment. But in and of itself, it's a governance requirement and there isn't any technology that changes the quality of the dialogue between a CEO, a CISO, a general counsel, etc. That dialogue is really what rulemaking is all about.”