Cyber Security Today Week in Review for week ending May 31, 2024

Released Friday, 31st May 2024
Episode Transcript

0:01

Even though the images, as I say, are going to be stored locally on your own computer, not on Microsoft servers, not in the cloud. The idea is that employees can use the Microsoft Copilot artificial intelligence search tool to hopefully find the website that people are looking for. Recall doesn't take any screenshots of anything that's open in a private browser window. Look, we've been doing these types of investigations using these investigation tools on potential customers for a long time, to see whose employees are wasting time and to get more insight into the productivity of their employees. I'm more worried about the cyber criminals, what they can do with Recall.

0:03

There's a lot of things that can go wrong here. I know it's an easy button for the user, but this could turn into a nightmare, a security breach, especially around surveillance and espionage. So if the attacker gained physical access to the machine or to the device, it could be used to monitor user activity over time, and it'd be collecting information about user habits, or maybe the company's operations, or even sensitive negotiations. But Microsoft wants it expanded to Intel-powered PCs and AMD-powered PCs, if those companies agree. On the other hand, everything has risks, but it has to be managed properly. And in this case, as I say, the data, the snapshots that Recall stores, is going to be encrypted. But you still think that, from what we know so far, it's a risk.

0:05

On the other hand, experts note that IT and security administrators already can use behavior monitoring and analytics software, some of which includes covert still or video screen captures. And in fact, some sort of employee PC monitoring is mandatory in some industries. Yeah, we've used both tools, but there is a difference between the two. What do you think about this argument? Crooks don't want to be bothered with encrypted data in the Recall store when there's so much unencrypted data on employees' computers. Oh, I gotta tell you, they love low-hanging fruit, okay? So if you've got unencrypted data, the ease of access is right at their fingertips.

0:07

So what we need to do here is make sure we have proper layered security in place, because encryption is not foolproof. So you need to add more to it. Make sure you have your MFA on there. Do you have things like dual MFA for the administrator's account? And you need to really look at a holistic approach. It'll be interesting to see if there will be business and government take-up of this feature, and in fact, it could be dead before Microsoft knows it. To be continued. Topic two, lessons learned from the attack on MITRE. Last week, the MITRE organization published the last of a three-part series detailing the hack of one of its research networks last December by a nation-state-backed threat actor.

0:09

So maybe the solution that they're using right now only relies on logs and didn't capture the entire event as it occurred, which obviously causes a delay in the response. Obviously, the takeaway from what we learned is that they need to have continuous monitoring, especially around anomaly detection. One of the things that jumped out at me, though, was this attack started New Year's Eve. That's a common tactic, attack during a holiday. Yeah, it makes sense, because obviously they're going to be short-staffed, and also we see in a lot of cases where the autoresponder is going to give a lot of information out.

0:11

And you also want to make sure you educate the employees on how to conduct security reviews, or what to say during the holiday seasons, so as not to give up too much information. Another thing is that the attacker was in the MITRE environment for over two months without being detected. That's the biggest key. And you need to have protection on the endpoint, EDR; you have cloud security in place that can tie all this together so you see holistically what on earth is going on, because there are so many ways that attackers can get in your network and stay undetected. We also see things like customers don't have proper segmentation in place.

0:13

That's something that administrators who have virtual machines in their environment have got to watch out for. Yeah, absolutely. You need to have proper alerts in place to the administrators when anomalies are occurring. If a person is trying to access MFA and they're seeing a ton of failed logins, is that an automated tool that's malfunctioning, or is it a brute force that's occurring? Logs get delayed, logs get modified. So you can't fully trust logs all the time. So you need to really assess what you have in place right now. This started with the exploitation of zero-day vulnerabilities. Okay, that may be impossible to defend against, but then the attacker goes through several steps after that, from the description of the attack that MITRE gave out.

0:15

You're not seeing these types of alerts, which is very problematic. So if you're not getting those types of alerts, you need to really make sure you have a layered approach, try to go to a zero trust model where we're going to limit access, look for behavioral analysis, and you've got to really make sure that your incident response plans are up to date. All right, let's move on. Topic three, zero trust. The concept of creating a zero trust network has been around for over a decade, yet many IT and security leaders have still not started, or are only in the early stages of building a zero trust IT infrastructure in their organizations. This week, John Kindervag, who, when he was an analyst at Forrester Research, introduced the model, wrote an article for SC Magazine on the four common misconceptions about zero trust that still persist today. Before we get to that, Terry, what's a zero trust network?

0:17

Which means every access request is thoroughly verified, authenticated, and authorized based on contextual data, such as the user's identity, health data, or location, before access is granted to the resource. So the model minimizes the risks of data breaches by continuously validating the trust at every single stage of the interaction. They need to overcome the misconceptions about its being complex, and its application, to set that up. So this article talks about zero trust myths, and one of them is that zero trust is just about identity. Not so, says John Kindervag: confirming who is accessing data or the network isn't enough.

0:19

When users were working from home, they were making their own hours, and they would log in sometimes at midnight instead of logging in during the typical nine to five. And a lot of them were doing this constantly at different times, but the IT administrators were only receiving those alerts at eight o'clock when they walked in the next day. The first thing is you need to really clarify what your critical assets are. Okay, which information needs the most protecting, and then you need to assess how secure the current setup is. If you're not exploring identity and access management products right now, I suggest you do, because this will remove least privilege access to the resources and it'll force you to implement MFA on all the users, including administrators. We often see this happening in cyber insurance questionnaires.

0:21

Are there any anomalies occurring? Make sure you enforce the policies. A lot of times when we do these audits, we see that the policies aren't synchronized everywhere. Half the environment will say that they were forced to install complex passwords, but it never synchronized to the other side for some reason. Cyber security complexity. Is that what you found? I did. So obviously, when you start putting that framework on, you get to see what you currently have in place and how it could be maximized. So it'll streamline your security policies, and it'll remove any implicit trust from the network.

0:23

One of the principles of cyber defense is you can't defend what you don't see. In other words, if you haven't identified what your critical data is and where it is, you can't protect it. And you mentioned that just a few minutes ago when we were talking about zero trust. When you talk to IT leaders of organizations, what do you hear about their asset discovery? It's scalable and obviously reduces overhead, but you also need to make sure you do proper regular audits, penetration tests, attack surface scans. These are really important because the attack surface is changing constantly. And now, I mentioned Recall earlier; there could be another possible attack way that they can get in.
