SpinOne adds new capabilities to secure SaaS applications and data

SaaS data protection provider Spin.ai has launched two new service modules — SaaS security posture management (SSPM) and SaaS data leak prevention/loss protection (SDLP) — along with a few new capabilities for existing modules, to its flagship SaaS security platform SpinOne.

The enhancements to the SaaS-based offering aim to protect SaaS applications, automate manual processes, and minimize business downtime for organizations.

Both SSPM and SDLP are being added as new subscriptions on the SpinOne platform and are generally available, along with the other capabilities released for existing modules.

The new capabilities for SpinOne’s existing modules include improvements for SaaS ransomware detection and response (SRDR), integration with Jira and ServiceNow, and support for Slack.

“Many organizations underestimate the risks associated with SaaS data or believe that their cloud provider has it covered,” said Davit Asatryan, director of product at Spin.ai. “The shared responsibility models for Google, Microsoft, Salesforce, and Slack note that they take care of the physical security of their data centers and underlying infrastructure, but your data is still your responsibility. SpinOne makes SaaS security easier and faster for SecOps teams.”

Managing SaaS data, access and security

SpinOne’s SSPM is designed to offer automated security controls to help companies detect and respond to misconfigurations, and provides an inventory of unsanctioned third-party apps and extensions.

The module is powered by SpinOne’s database of more than 300,000 apps and extensions assessed by an in-house AI algorithm, which reduces risk assessment time significantly, according to Asatryan.

“SpinOne SSPM outperforms other offerings by providing a risk assessment for third-party applications and browser extensions using a thorough list of over 15 risk criteria to perform assessments and is also geared toward understanding compliance risks related to regulatory frameworks like GDPR, HIPAA, SOC, CCPA, and others,” Asatryan said.

The tool essentially offers visibility into SaaS apps, cloud apps, mobile apps and browser extensions and cross-references any suspicious posture with SpinOne’s historic database to arrive at a risk score of 0 to 100. This, the company claims, eliminates the heavy lifting of manual assessment, bringing total risk assessment time to minutes and seconds.

In addition, SpinOne’s new SDLP module offers SaaS access management, backup, and recovery capabilities.

“SaaS DLP complements existing identity management tools and helps control all unauthorized access to sensitive SaaS data using SpinOne’s configurable access management and advanced reporting,” Asatryan said.

SaaS backup aims for quick data retrieval

SpinOne has added an integrated SaaS backup offering which promises recovery of lost data within minutes and hours as opposed to conventional weeks and months.

Additionally, SpinOne’s SRDR module now supports 24-hours-a-day, seven days a week ransomware monitoring and automated incident alerts, designed to help customers recover from ransomware attacks with minimum downtime. This “in-progress” detection of ransomware attacks adds to SpinOne’s “within hours” recovery claim.

“Both Google and Microsoft have API and throttling limits, i.e., how much data can be recovered at once (10 I/O requests per second), to help avoid the problem of one tenant affecting the performance of other tenants. However, in the case of an attack, it can result in downtime and recovery times of weeks or months depending on the amount of data,” Asatryan said.

By stopping an attack in progress, the damage is limited, and the files can be recovered within the company’s two-hour service level agreement, he added.

SpinOne supports Jira, ServiceNow and Slack

SpinOne’s integration with Jira and ServiceNow allows for the creation of automated incident alerts, eliminating the need for manual intervention by the security teams, the company said.

“With this integration, customers can create policies in SpinOne and select existing ticketing ecosystems such as Jira and/or ServiceNow as an output, where actionable tickets can be created. These integrations help streamline SaaS security operations by automatically creating real-time actionable tickets and maintain logs of such tickets to reduce and mitigate incidents,” Asatryan said.

Support for Slack has also been added on SpinOne to meet data protection and compliance requirements, ensure business continuity, and decrease recovery costs. This includes setting up an automated backup of Slack data three times a day on AWS, GCP, Azure, or other computing platforms.

CrowdStrike enhances container visibility and threat hunting capabilities

Cloud-native security provider CrowdStrike has launched a cloud threat hunting service called Falcon Overwatch, while also adding greater container visibility capabilities to its Cloud Native Application Protection Platform (CNAPP).

Falcon Overwatch includes agent and agentless threat hunting

Falcon Overwatch is a standalone threat hunting service that uses CrowdStrike’s cloud-oriented indicators of attack to gain visibility into evolved and sophisticated cloud threats across the entire control plane, which includes the network components and functions used for cloud workloads.

The service leverages both the CrowdStrike CNAPP’s agent-based (Falcon cloud workload protection) and agentless (Falcon Horizon cloud security posture management) solutions, to provide greater visibility across multiple clouds, including Amazon Web Services, Azure, and Google Cloud.

“On one side, we receive agentless data from over 1.2 billion containers using Falcon Horizon,” says Param Singh, vice president for Falcon Overwatch. “On the other side, we have data from our agents installed by different organizations for their endpoints, such as Linux servers running in the cloud. By combining these together, we are able to deliver more effective threat hunting.”

CNAPP upgrades improve container visibility 

Elsewhere, CrowdStrike wants to improve customer visibility into software containers to help spot vulnerabilities, embedded malware, or stored secrets before a specific container is deployed. It achieves this by identifying and remediating rogue containers, or by correcting those which have drifted from their ideal configuration.

Responding to customer demand, CrowdStrike is expanding these capabilities to work with Amazon’s managed, serverless Elastic Container Services (ECS) Fargate, on top of existing support for its Elastic Kubernetes Services (EKS) Fargate service.

CrowdStrike has also extended its image registry scanning capabilities to eight new container registries, including: Docker Registry 2.0, IBM Cloud Container Registry, JFrog Artifactory, Oracle Container Registry, Red Hat OpenShift, Red Hat Quay, Sonatype Nexus Repository, and VMware Harbor Registry.

Finally, CrowdStrike is adding software component analysis capabilities for detecting and remediating vulnerabilities in popular open source components, including Go, JavaScript, Java, Python, or Ruby dependencies in a customer’s codebase.

Bringing container image scanning capabilities to a growing range of registries and managed services should help identify more threats and misconfigurations within containerized environments, and help secure continuous integration, continuous delivery (CI/CD) pipelines.

Russian DDoS attack on Lithuania was planned on Telegram, Flashpoint says

Cyberattacks on the Lithuanian government and private institutions conducted by the Russian cybercollective Killnet, and the group’s possible collaboration with the Conti hacking gang, were shared on the Telegram messaging service ahead of a major DDoS attack Monday, according to cybersecurity company Flashpoint.

Multiple attacks on Lithuanian entities have been claimed by Killnet on its Telegram channel “WE ARE KILLNET,” in response to Lithuania’s June 18 restrictions of trade routes with Russia.

A Flashpoint blog post confirms that Killnet warned about the attacks on the Telegram channel, highlighting the cloud-based instant messaging platform’s use as a popular communication channel for threat actors.

In keeping with the UN’s sanctions on Russia for its invasion of Ukraine in February 2022, the Lithuanian government put restrictions on trade routes between the Baltic country and the Russian exclave Kaliningrad—a Russian territory situated between Lithuania and Poland on the Baltic coast—for the transport of steel and other metals. The train routes used for trade, according to the Russian government, are essential for at least half of the exclave’s imports, prompting Russian officials to label the move as a “blockade.”

The restricted train transit entails bans over goods including coal, steel, metal, construction materials, and advanced technology.

DDoS attacks hit Lithuania infrastructure targets

Killnet had declared their allegiance to the Russian government during the invasion of Ukraine. To that end, it launched a retribution campaign against Lithuania for its sanctions, featuring several DDoS attacks on infrastructure targets, such as airports, various prominent businesses, and government websites, including those belonging to Lithuania’s police departments, and its defense ministry, according to Flashpoint.

DDoS (distributed denial of service) attacks are malicious attempts to temporarily or indefinitely disrupt the traffic of a targeted server, service, or network, making the resources unavailable to the intended users.

Killnet sent Reuters a statement saying that, “The attack will continue until Lithuania lifts the blockade,” adding that it has “demolished 1652 web resources. And that’s just so far.”

The Lithuanian National Cyber Security Center told Reuters that it expects “attacks of a similar or greater intensity in the coming days, especially in the transportation, energy and financial sectors.”

Flashpoint revealed that it had identified chatter on various pro-Russian Telegram channels claiming that the “current standoff between Russia and Lithuania could escalate to a full-fledged military confrontation.” Flashpoint added that it has not seen any evidence yet pointing to actual physical violence as a result of planning on Telegram.

Killnet Telegram communications include a chat on June 25 regarding a plan for a mass coordinated attack on June 27, which Killnet referred to as “Judgment Day.” Additional smaller attacks were also observed by Flashpoint analysts, including one that took place on June 22.

Additionally, Flashpoint’s analysts have identified a post from June 26, wherein Killnet labeled Lithuania a “testing ground for our new skills” and added that their “friends from Conti” are eager to fight, hinting at a collaborative effort between Killnet and another Russia-based ransomware gang Conti.

Conti, too, had expressed their allegiance to Russia at the beginning of the Russian invasion of Ukraine.

Cato Networks offers new capability for network-based ransomware protection

Cloud-native SASE (secure access service edge) provider Cato Networks is offering a new capability for network-based ransomware protection on the Cato SASE Cloud. The Cato cloud will use new machine-learning heuristic algorithms, combined with the platform’s network insights, to detect and prevent the spread of ransomware across a company without having to deploy endpoint agents.

By identifying ransomware via its underlying network characteristics, security teams can protect against sophisticated threat actors that have learned to bypass endpoint defences, said Etay Maor, senior director of security strategy at Cato Networks, in a company announcement.

SASE is a fairly new concept in network and cloud security. It was first defined in 2019 by consulting firm Gartner as the combination of traditional WAN management with key security functions—including cloud access security brokers (CASB), secure web gateways (SWG), virtual private networks (VPNs), firewall as a service (FWaaS), and data loss prevention (DLP)—to be built and delivered as a single cloud-native service at dispersed SASE point of presence (PoPs).

Bringing ransomware protection to the network

As an SD-WAN provider, Cato provides a network that connects sites, cloud resources, and mobile users to one another and the internet, and thus has visibility into site-to-site and internet traffic.

The basic principle behind the new network-based ransomware protection capability is inspecting all server message block (SMB) flows with Cato’s algorithms for ransomware activity. SMB is a network file sharing protocol used in Windows, allowing applications to read or write to files and also request services from a server program in a network.

Trained against Cato’s data lake of end-to-end attributes for all of Cato Cloud’s historic traffic flows—including from connected edges, sites, users, IoT devices, and other cloud-connected resources—the algorithms inspect live SMB traffic flows for a combination of network attributes. The inspected attributes include file properties, shared volume access data, network behavior, and encryption time intervals.

Upon detection of ransomware, the Cato technology is designed to automatically block the SMB traffic from the source device, preventing any file encryption or lateral movement and notifying the customer.

According to a company press statement, the announcement is part of Cato’s multilayered ransomware mitigation strategy, designed to tackle common ransomware tactics, techniques, and procedures (TTPs) underlined in the MITRE ATT&CK framework.

To that end, Cato Networks recently introduced a new risk-based application access control for combatting security threats and productivity challenges posed by remote working and bring your own device (BYOD) strategies.

The company has also teamed up with Windstream Enterprise, a managed communications provider, to launch a comprehensive, managed SASE solution.

Snowflake offers cybersecurity data platform with security app integrations

In conjunction with third-party security vendors, Snowflake has launched what it calls a “cybersecurity workload” to enhance the capabilities of its data cloud for organizations looking to more efficiently detect and respond to cyberthreats.

The Snowflake Cybersecurity workload is designed to let enterprises use the company’s namesake data cloud to unify security data from diverse security applications, combining it with contextual data from HR systems or IT asset inventories, according to the company.

The idea, according to Snowflake, is that cybersecurity personnel can then run fast queries against the unified data sets, which can be used to enhance threat detection and investigation, generating higher fidelity alerts.

Snowflake’s new security workload capabilities are aimed at helping security teams break down data silos to enable consistent visibility, eliminate manual processes and improve analytics, according to Omer Singer, head of cybersecurity strategy at Snowflake.

Cybersecurity workload processes data with SQL, Python

Snowflake’s pitch to cybersecurity professionals is that traditional security architectures with legacy SIEM (security information and event management) products are buckling under the strain of handling the volume and variety of data necessary to combat modern cyberthreats. Traditional SIEMs have high ingest costs, limited retention windows and proprietary query languages, all complicating security teams’ efforts at visibility and protection.

Snowflake’s cybersecurity workload offers cloud-native capabilities to handle structured, semistructured, and unstructured logs, enabling users to efficiently store years of high-volume data. The platform also boasts a scalable, on-demand compute resource that will allow for searching and gaining insights using languages like SQL and Python. (This capability is currently in private preview.)

Customers already using the new workload include CSAA Insurance Group, DoorDash, Dropbox, Figma, and TripActions.

Snowflake joins cybersecurity partners to deliver connected data cloud

Snowflake is expanding its ecosystem of partners in a bid to provide customers with the ability to choose from a number of applications that best fit their needs without compromising on their security handle.

The latest integrations include partnerships with vendors Hunters, Panther Labs, and Securonix, allowing organizations the ability to use Snowflake as a data platform — with all its storage and query capabilities — for connected cybersecurity products.

Hunters is a security operations center (SOC) platform that empowers security teams to automatically detect, investigate and respond to real incidents.

Panther Labs is a cloud-scale threat detection platform that solves the challenges of security operations at scale.

Securonix collects volumes of data in real time, detects advanced threats using machine learning algorithms, and provides actionable security intelligence for an automated response.

Snowflake’s data cloud will leverage tightly integrated connected applications and data from providers on the Snowflake Data Marketplace to build a standard architecture, as a one-point solution for different cybersecurity use cases, the company said.

Snowflake Ventures, the corporate venture capital arm of Snowflake, has invested in Hunters.ai, Lacework, Panther and Securonix to help drive product alignment and deliver security systems without data silos to joint customers.