Joyce Teo

LastPass hack: Illustrative case studies of the CSA top threats to cloud computing

Understanding the LastPass hack

This article begins a series examining the hacks highlighted in CSA’s Top Threats to Cloud Computing paper. It offers an easy-to-read, illustrated guide to the LastPass hack, together with guidelines for detection.

LastPass, a Software as a Service (SaaS) provider, offers a password vault service. These services are typically used for the secure storage of secrets and are popular with security-conscious individuals, as they facilitate the secure and easy storage of complex passwords.

LastPass assures customers that they do not have knowledge of the actual secret stored in their system because of LastPass’s zero-knowledge architecture, which includes the following:

  1. Data is stored encrypted in LastPass’s database.
  2. The encrypted data can only be decrypted with the master password provided by the customer just-in-time.
  3. The master password provided by the customer is never stored in any persistent storage in LastPass’s system.

The following diagrams help illustrate how such a password vault works.

Step 1: The customer launches the password vault software and provides the master password. The master password might be salted or hashed further to ensure secrecy in transit before it is sent to the password vault’s server for authentication. Upon successful authentication, the password vault server sends the encrypted secrets to the customer.

LastPass password vault workflow (1)

Step 2: The customer can now decrypt the encrypted secrets with the master password. These secrets can typically be copied to the clipboard for just-in-time use. In the illustration, the customer has decrypted ‘Secret A’ and copied it to the clipboard, and can now log in to another application or web portal that requires Secret A.

LastPass password vault workflow (2)

In the LastPass incident, the customer’s encrypted password (X), as shown in the illustration, was stolen. Customer information, such as the company name and the URL where the decrypted password could be used, was also compromised.

One can imagine the impact this could have had on the industry if the attacker had been able to decrypt any password they had stolen. This would mean the attacker could access any password-protected systems easily accessible from the internet. Of course, this is only applicable if 2FA is not present in those accounts!

The LastPass hack unveiled

How possible is it to decrypt the secrets stolen from LastPass?

Since the secrets are stored encrypted, what are the possibilities that the attacker could recover the secrets? There are multiple ways these encrypted passwords can be decrypted, and we will be discussing two possible methods:

  • Password guessing:

As the secrets are stored encrypted with the customer’s master password, if a weak master password has been used, the attacker can easily guess the customer’s master password to access the data and reveal all the passwords stored by the customer.

  • Tampering with the backend code:

If the attacker compromises the backend server responsible for decrypting the encrypted data and plants malicious code, they could potentially log the customer’s master password and use it to decrypt the stolen data.

How the Attack Happened

User-SaaS attack path, compromised LastPass initiated

In early August 2022, attackers successfully accessed LastPass’s S3 bucket in a development environment and exfiltrated source code together with technical documents (4). A developer’s valid credentials, stolen from the developer’s compromised machine (1), were used to access the S3 bucket (3). It is interesting to note that the developer did not usually access those resources on S3; however, the access given to the developer had been overly permissive. The attackers also obfuscated their origin by accessing the cloud resource over a VPN (2).

In mid-August 2022, the LastPass security team discovered the hack and decommissioned the development environment, under the assumption that the attacker’s activity had been contained.

User-SaaS attack path, compromised LastPass initiated

In October 2022, a LastPass Senior DevOps engineer’s machine was compromised (5) and used to access the DevOps engineer’s LastPass corporate vault. This allowed the attacker to access the corporate vault in the S3 bucket (6), which contains backups of LastPass customer data and encrypted vault data. Fortunately, the customers’ secrets remain safe, as they are encrypted with the customer’s master key under the zero-knowledge architecture.

LastPass discovered the hacks after the attackers triggered an ‘IAM unauthorized activity’ alert generated by AWS GuardDuty, likely caused by running reconnaissance and enumeration operations (4).

We can map the attacks to the following Tactics, Techniques, and Procedures (TTPs) in MITRE.

Detection and prevention strategies

There are multiple opportunities for detection. Let’s walk through the timeline and determine possible detection strategies.

In (2) and (3), when the attacker was accessing the cloud resource over VPN, we can detect such activities by:

  1. Detecting logins from unusual locations or fast-flux location changes.
  2. Detecting logins from VPN IP ranges.

CSX has the capability to identify suspicious logins, such as those originating from unfamiliar locations and user agents.

Storage locations with sensitive data should be tagged, and accessing such data should be monitored. In (4) and (7), when the attacker was accessing sensitive data, we could trigger an alarm.

In (6), when the attacker exfiltrated a hoard of data from the S3 buckets, we can detect this by monitoring for an unusually high intensity in data access. Since the accounts do not usually access that data, this form of alerting will have very low false positives.

CSX has the capability to identify suspicious data access, such as when the data access intensity has significantly changed.

Finally, when the attackers are performing reconnaissance and enumeration, they tend to execute a number of privileged activities to verify the privileges of the compromised account. These can be detected by comparing the usual privileged activities the authentic account would perform with those executed by the attacker.
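As an added illustration (not InsiderSecurity’s CSX logic and not LastPass’s telemetry), the following Python sketch applies the detection ideas above to constructed CloudTrail-style events: first activity from a new country, a source address in a VPN egress range, a country change faster than travel allows, enumeration calls outside the account’s baseline, and an hourly spike in reads of tagged sensitive buckets. The account name, bucket names, VPN range, baseline and thresholds are all assumptions made up for the example.

```python
"""Toy detectors for the signals discussed above, run over constructed
CloudTrail-style events. Added example: not InsiderSecurity's CSX logic and
not LastPass's telemetry. Accounts, buckets, IP ranges and thresholds are made up."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed baseline of what each account normally does (learned from history in practice).
BASELINE = {
    "dev-alice": {
        "countries": {"SG"},
        "usual_actions": {"s3:GetObject", "s3:ListBucket", "codecommit:GitPull"},
        "sensitive_gets_per_hour": 2,
    },
}
# Constructed: buckets tagged as holding sensitive data, per the "tag and monitor" advice.
SENSITIVE_BUCKETS = {"lp-dev-source", "lp-customer-backups"}
# Constructed stand-in for a commercial VPN egress range (TEST-NET-3); real feeds are larger.
VPN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Read-only calls that reveal what a credential can do; the article's GuardDuty alert is similar.
ENUMERATION_ACTIONS = {"sts:GetCallerIdentity", "s3:ListAllMyBuckets", "iam:ListRoles",
                       "iam:ListAccessKeys", "iam:GetAccountAuthorizationDetails"}
FAST_FLUX_WINDOW = timedelta(hours=1)   # two countries inside this window is suspicious
INTENSITY_MULTIPLIER = 5                # alert when hourly reads exceed 5x the account's norm


def detect(events, baseline=BASELINE):
    """Return one alert dict per (rule, user, key); repeats of the same finding are suppressed."""
    alerts, fired = [], set()
    last_seen = {}                                  # user -> (timestamp, country)
    sensitive_gets = defaultdict(Counter)           # user -> Counter(hour -> GetObject count)

    def alert(rule, user, key, detail):
        if (rule, user, key) not in fired:
            fired.add((rule, user, key))
            alerts.append({"rule": rule, "user": user, "detail": detail})

    for ev in sorted(events, key=lambda e: e["time"]):
        user, prof = ev["user"], baseline.get(ev["user"], {})
        ts = datetime.fromisoformat(ev["time"])
        ip = ipaddress.ip_address(ev["ip"])

        # (1) activity from a country the account has never used
        if ev["country"] not in prof.get("countries", set()):
            alert("unusual_country", user, ev["country"], f"first activity from {ev['country']}")
        # (2) source address inside a known VPN egress range
        if any(ip in net for net in VPN_RANGES):
            alert("vpn_egress", user, str(ip), f"activity from VPN range {ip}")
        # (3) fast-flux: country changed faster than a person could travel
        if user in last_seen:
            prev_ts, prev_country = last_seen[user]
            if prev_country != ev["country"] and ts - prev_ts < FAST_FLUX_WINDOW:
                minutes = (ts - prev_ts).seconds // 60
                alert("fast_flux", user, f"{prev_country}->{ev['country']}",
                      f"{prev_country} to {ev['country']} in {minutes} min")
        last_seen[user] = (ts, ev["country"])

        # (4) reconnaissance: privileged/enumeration call this account never makes
        if ev["action"] in ENUMERATION_ACTIONS and ev["action"] not in prof.get("usual_actions", set()):
            alert("enumeration", user, ev["action"], f"unusual privileged call {ev['action']}")

        # (5) read intensity on tagged buckets far above the account's hourly norm
        bucket = ev.get("resource", "").split("/", 1)[0]
        if ev["action"] == "s3:GetObject" and bucket in SENSITIVE_BUCKETS:
            hour = ts.replace(minute=0, second=0, microsecond=0)
            sensitive_gets[user][hour] += 1
            norm = prof.get("sensitive_gets_per_hour", 1)
            if sensitive_gets[user][hour] > INTENSITY_MULTIPLIER * norm:
                alert("data_intensity", user, hour.isoformat(),
                      f"{sensitive_gets[user][hour]} sensitive GetObject calls in one hour (norm {norm})")
    return alerts


# Constructed sample: one normal pull, then the pattern described in the article.
SAMPLE_EVENTS = [
    {"time": "2022-08-08T09:00:00", "user": "dev-alice", "ip": "198.51.100.10", "country": "SG",
     "action": "codecommit:GitPull", "resource": "repo/app"},
    {"time": "2022-08-08T09:05:00", "user": "dev-alice", "ip": "203.0.113.7", "country": "US",
     "action": "sts:GetCallerIdentity", "resource": "*"},
    {"time": "2022-08-08T09:06:00", "user": "dev-alice", "ip": "203.0.113.7", "country": "US",
     "action": "s3:ListAllMyBuckets", "resource": "*"},
] + [
    {"time": f"2022-08-08T09:{7 + i:02d}:00", "user": "dev-alice", "ip": "203.0.113.7",
     "country": "US", "action": "s3:GetObject", "resource": f"lp-dev-source/src/file{i}.py"}
    for i in range(12)
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['user']}: {a['detail']}")
```

Because every rule is keyed on the account’s own history rather than fixed indicators, the single legitimate pull raises nothing while the later burst raises six distinct findings, which is the low-false-positive property the section describes.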

Staying ahead of cyber threats

Innovative solutions by InsiderSecurity

Looking for ways to stay ahead of any cyber threats? InsiderSecurity provides advanced cybersecurity behavior analytics products that help your company to uncover cyber threats before there is any serious data loss. We offer a range of solutions, including Automated UEBA for securing on-premise and cloud IT infrastructure, as well as the CSX for ensuring cloud data security. 

CSX is designed to detect the sophisticated attacks described in this article, making it an essential subscription for any organization serious about its cybersecurity posture. Beyond detecting threats, CSX offers recommendations and a user-friendly avenue for executing remedial actions and implementing mitigation strategies.

CSX provides an easy way to perform mitigation and remediation.


A comprehensive guide to Singapore cybersecurity compliance

In the landscape of cybersecurity, compliance requirements across industries demand that businesses stay vigilant and up to date with regulations. Keeping up with the compliance measures is undeniably challenging yet essential to safeguard your business.

Ideally, companies should align with one of the many globally recognized cybersecurity standards, such as ISO 27001, PCI DSS, or CIS Critical Security Controls, to ensure alignment with universally accepted cybersecurity benchmarks.

However, it’s worth noting that certain industries introduce additional layers of guidelines and regulations. While some align with international, industry-agnostic standards, businesses operating within these sectors must adhere to the specific guidelines illustrated below.

Let’s delve into the sectors affected and the corresponding guidelines they must comply with:

Government agencies

The Instruction Manual for ICT & SS Management, formerly known as IM8, aims to support agencies as they embrace ICT & SS for digital transformation, enabling them to manage risk and maintain their security. This manual spans various domains, including Digital Service Standards (DSS), Third-Party Management (TPM), and Data. Although the security policy details are not publicly available, it establishes customised security practices for government systems based on system classification and criticality.

Government agencies interested in leveraging InsiderSecurity for IM8 Policy on Security compliance can contact us for more information.

Financial services

The Guidelines on Technology Risk Management (MAS-TRM), issued by the Monetary Authority of Singapore (MAS), set out risk management principles and best practices to guide financial institutions (FIs). The MAS-TRM aims to promote the adoption of sound and robust practices for the management of technology risk, as well as to maintain IT and cyber resilience. The TRM guidelines apply to all FIs that MAS regulates, including banks, insurers, exchanges, venture capital managers and payment services firms.

It is important to note that while the MAS-TRM Guidelines serve as a set of principles and best practice standards, providing essential guidance for FIs, they do not impose legal obligations on FIs in themselves.

However, these guidelines offer valuable insights into the mandatory requirements outlined in two critical technology risk management notices issued by MAS: 

These notices, in contrast, carry the weight of legal obligations for FIs, accompanied by penalties for noncompliance. They highlight the imperative nature of adhering to key security measures, including the timely application of security patches to address vulnerabilities and the secure management of administrative account access. Complying with these guidelines is essential to ensure the continued security and resilience of financial institutions operating in Singapore’s dynamic digital landscape.

Financial institutions interested in learning how InsiderSecurity can assist in achieving MAS-TRM compliance are encouraged to contact us for more information.

Healthcare

In healthcare, protecting personal and medical data is extremely important. Recognizing this critical need, the Ministry of Health (MOH) developed the Healthcare Cybersecurity Essentials (HCSE). HCSE aims to provide guidance to healthcare providers regarding basic cybersecurity measures that can be adopted to ensure the security, confidentiality, integrity, and availability of IT assets, systems, and patient data. With its foundational principles, HCSE is dedicated to supporting healthcare providers in enhancing their cybersecurity posture.

Designed to be both practical and feasible, HCSE serves as an ideal starting point for healthcare providers, especially those with smaller IT infrastructures. HCSE sets out 12 recommendations designed to assist healthcare providers in enhancing the security of their systems and data. These recommendations include establishing an IT asset inventory, enabling multi-factor authentication, deploying anti-malware protection, and conducting audits of logs. 

If your work involves defending organizations in this sector, MOH regularly publishes advisories, circulars, and regulations to keep you informed of relevant developments. For those involved in developing software for medical devices or supplying such devices, adopting a Total Product Life Cycle approach is essential to adapt to the rapidly evolving environment.

Telecommunications

The Infocomm Media Development Authority (IMDA) has issued the Telecommunications Cybersecurity Code of Practice to bolster cybersecurity readiness for designated licensees. The Code is currently enforced on major Internet Service Providers (ISPs) in Singapore, making it mandatory for them to follow these rules. The Code was created based on international standards and best practices, including ISO/IEC 27011 and IETF Best Current Practices.

Other regulatory guidelines

Apart from these industry-specific rules, Singapore also has some industry-agnostic cybersecurity guidelines, including:

1. Cybersecurity Code-of-Practice (CCoP) 2.0: 

CCoP 2.0 specifies the minimum cybersecurity requirements that organizations operating Critical Information Infrastructure (CII) must implement to ensure the security and resilience of their IT or OT system and/or network infrastructure, including physical devices and systems, software platforms, and applications of the CII.

The primary objective of CCoP 2.0 is to enhance the defensive capabilities of organisations against the sophisticated tactics, techniques, and procedures (TTPs) employed by cyber attackers. It seeks to impede their progress of attacks and improve the agility to tackle emerging risks in domains such as cloud, AI, and 5G. Additionally, it facilitates coordinated defenses between the government and private sectors to promptly identify, discover, and respond to cybersecurity attacks and threats.

The designated CII sectors, which are responsible for the continuous delivery of essential services in Singapore, are Government, Energy, Water, Healthcare, Banking & Finance, Transport (encompassing Land, Maritime, and Aviation), Media, Infocomm, and Security & Emergency Services.

CIIs interested in leveraging InsiderSecurity for CCoP 2.0 compliance can reach out to us for more information.

2. PDPA (Personal Data Protection Act):

The PDPA (Personal Data Protection Act) establishes a baseline standard for the protection of personal data in Singapore. It governs the collection, use, disclosure, and protection of personal data. The PDPA also establishes a national Do Not Call (DNC) Registry, allowing individuals to opt out of unwanted telemarketing messages. It aims to balance the protection of personal data with legitimate data use by organizations while maintaining trust. The PDPA applies to personal data in both electronic and non-electronic formats but doesn’t typically include personal or domestic use, employees’ data, public agencies, or certain business contact information. Its aim is to enhance Singapore’s reputation as a trusted business hub.

The challenge of keeping up with compliance

Every organization, regardless of size or industry, is vulnerable to cyberattacks. Compliance with cybersecurity standards and regulations goes beyond fulfilling legal requirements; it critically determines an organization’s success, operational efficiency, and adherence to strict security practices.

Data breaches, beyond their immediate financial impact, can lead to complex challenges that tarnish an organization’s reputation and legal standing. Legal proceedings and disputes stemming from such breaches are increasingly common across industries. Therefore, compliance is a pivotal component of any organization’s cybersecurity program, serving as a shield against cyber threats and a guardian of reputation and financial well-being.

Conclusion: The future of cybersecurity compliance in Singapore

In Singapore, cybersecurity compliance transcends legal obligation; it is critical for protecting your organization, maintaining trust, and enhancing the nation’s digital resilience. By understanding the regulatory framework, implementing robust cybersecurity measures, and staying proactive, businesses can thrive in Singapore’s digital-first landscape while safeguarding their data and operations from cyber threats.

Need assistance with cybersecurity compliance?

InsiderSecurity offers tailored products for compliance:

  • User-friendly, particularly for small IT teams
  • Automated review of account activity to save monitoring hours
  • Built-in workflow to support governance and audits

Learn how InsiderSecurity can help you meet your compliance and security requirements. Schedule a demo with us today!


Meaningful lessons to learn from CircleCI’s breach investigation

CircleCI, a well-known CI/CD (continuous integration and continuous delivery) platform provider, fell victim to an advanced cyber attack and was alerted to suspicious GitHub OAuth activity by one of its customers on December 29, 2022. The attacker planted malware on the laptop of a CircleCI employee and gained unauthorized access to its production systems to extract sensitive data. Although the data was encrypted, the attacker managed to obtain the encryption keys, which could potentially grant them access to the decrypted data. The CircleCI breach was massive, as CircleCI was serving prominent companies such as Meta, Okta, Salesforce, and Airbnb. In this article, we analyze the details of the incident, how it happened, and what measures can be put in place to protect against similar attacks.

What happened in the CircleCI breach?

The attack started with the compromise of a CircleCI employee’s laptop through malware. The attacker could access the employee’s laptop and stay undetected, which allowed them to gain access to the company’s network. The attacker reused the existing login session found on the employee’s laptop to impersonate the employee and gain further access, effectively bypassing two-factor authentication. This allowed them to move laterally within the network to gain access to production-level systems and data.

The key sequence of steps in the attack was:

  • The employee laptop was compromised on December 16, 2022
  • Attacker performed reconnaissance on December 19, 2022
  • Attacker gained access and collected data on December 22, 2022

How the CircleCI attack succeeded

The attack succeeded due to a failure of several essential controls:

  • Firstly, the attacker compromised a laptop belonging to a CircleCI engineer and planted a backdoor. CircleCI’s anti-malware solution did not detect the malware, which allowed the attacker to continue their activities and remain undetected for an extended period (step 1).
  • Secondly, the attacker reused the web session cookie stored on the laptop (step 1).
  • Thirdly, the attacker impersonated a CircleCI employee who had been authorized via multi-factor authentication and gained access to production systems (step 1).
  • Fourth, the attacker further escalated their breach by successfully downloading an array of highly sensitive data including SSH keys, API tokens, OAuth tokens, and an AWS IAM access key (step 1).
  • Fifth, armed with the SSH keys and tokens, the attacker could seamlessly reuse these credentials to infiltrate not only CircleCI’s internal systems but also gain illicit access to invaluable resources such as the customer’s repo and AWS resources (step 2).
  • Finally, the attacker extracted encryption keys from CircleCI’s customer code repository. Despite the company following best practices by encrypting sensitive information such as AWS keys and GitHub tokens, the attacker gained access to the keys needed for decryption (step 2).

The attack was clearly multifaceted, with the attacker abusing the trust placed in the employee’s laptop to impersonate authorized requests. Their careful network reconnaissance allowed them to plan further attacks, increasing their chances of success. This enabled the second phase of the attack, the data exfiltration attempt, to succeed and compromise highly sensitive data.

What did CircleCI do?

CircleCI took several steps to contain the breach once it was detected to limit the blast radius of the attack. The level of exposure post-attack was challenging to determine as the compromised staff had production access and access to customer tokens and keys. The attacker might have exfiltrated further data without leaving any traceable evidence. CircleCI took a transparent approach to the incident and informed its customers of how the attack had taken place. It issued regular updates to customers and advised them to rotate all of their credentials, such as SSH keys, OAuth tokens, etc., to mitigate the risk of further misuse by the attacker. It also revoked Project API tokens and personal API tokens to limit the potential entry points the attacker could exploit following the attack.

Secondly, it recognized the security failings that allowed the attack to succeed and initiated a comprehensive review of its environment. It strengthened production access controls, introducing additional controls for employees needing access to systems. This was intended to mitigate the risk of session compromise in the future via stolen session cookies.

Lastly, it enhanced its capabilities to detect specific behaviors indicative of attacks such as the one that occurred, focusing on lateral movement and malware activity to ensure no similar attacks succeed.

CircleCI also assured its customers of regular security reviews and risk assessments to identify weak areas and areas of improvement. There have been reports of customers observing the attacker misusing the stolen credentials, so it is possible that the full impact of the breach is yet to be determined.

Key lessons to learn from the CircleCI breach

The CircleCI data breach is a prime example of how sophisticated attacks can undermine even the most reliable security controls, such as encryption and multi-factor authentication. Advanced threats are aware of these controls and adopt techniques to evade or bypass them. To keep pace, continually evaluating your security posture against the latest threats is essential.

Some of the key lessons from this breach are:

  • Traditional security controls may no longer be enough. Companies need to adopt techniques like biometrics and machine-learning-based anomaly detection that can detect subtle variations in behavior that human security analysts might miss.
  • Devices like laptops and smartphones remain a vulnerable entry point into a network as it was one compromised endpoint that allowed the attacker the access they needed to carry out further attacks. Companies need to look into re-architecting their networks based on Zero Trust principles. This architecture assumes that every request is potentially malicious and no implicit trust is assumed regardless of location or device.
  • Key management best practices remain as critical as ever. Even though CircleCI had implemented encryption, the attacker could retrieve the encryption keys from a running process on the machine. Protecting encryption keys is crucial to key management, as a compromised key can undermine the entire security strategy.

On a positive note, it should be mentioned that CircleCI displayed proper transparency regarding the attack and took immediate remedial action once they detected it. Despite the security weaknesses that allowed the attack to occur, companies should note how they informed customers and released notifications regarding the scope of the incident.

Conclusion on the CircleCI breach

Like SolarWinds, the CircleCI attack is a wake-up call for companies not to be over-reliant on controls like multi-factor authentication and encryption. Instead, a company’s cybersecurity posture must be evaluated continuously to assess its resilience against advanced cyber-attacks. By adopting controls like zero-trust architecture and machine-learning-based detection, together with a proactive stance towards cybersecurity, companies can significantly mitigate the risk of falling victim to attacks like the one on CircleCI.

How InsiderSecurity can help

InsiderSecurity’s Automated UEBA (User and Entity Behavior Analytics) solution can play a crucial role in mitigating the security risks posed by attackers reusing stolen keys and tokens to access a customer’s GitHub repo, as described in the CircleCI attack scenario. Automated UEBA is a sophisticated cybersecurity technology that focuses on monitoring and analyzing the behavior of users and entities within an organization’s network to detect anomalous or suspicious activities.

Automated UEBA enhances an organization’s ability to respond swiftly to potential threats by identifying anomalies, correlating data, and providing real-time alerts, ultimately safeguarding critical assets.


Hybrid cloud security – Top challenges and best practices

The increasing prevalence of digital transformation in businesses has led to a global surge in cloud adoption. Many companies are now opting for a hybrid cloud model, which combines private and public cloud services to harness the advantages of both while introducing specific security challenges. It’s important for businesses to be aware of the risks and follow best practices for managing hybrid cloud security. This article examines the security challenges faced in hybrid cloud setups and the recommended best practices.

Security challenges within hybrid cloud environments

1. Lack of visibility and increased complexity

Hybrid cloud combines public and private cloud services, creating a complex IT setup. This complexity can pose risks as security teams find it challenging to oversee and manage workloads in both environments. It also leads to complicated logging systems with multiple storage sources for security events. This lack of visibility and increased complexity can leave potential threats unnoticed. To address this, security teams need to restructure their logging approach for centralized, unified visibility across both environments.

2. Misconfiguration risks


Misconfigurations in hybrid clouds pose a significant security risk. The quick and flexible nature of hybrid cloud setups can create challenges for businesses with rigid change management processes. These processes may not easily adapt in a cloud environment, where changes in the production environment can be made with a single click or code change. Accidental misconfigurations in the cloud can expose data and infrastructure, making them vulnerable to cyberattacks. Moreover, there’s a risk of malicious insiders making deliberate insecure changes that can go unnoticed. To address these issues, it’s crucial to implement a comprehensive cloud security solution that can automatically fix insecure configurations before they become exploitable.

3. Inadequate network protection

Hybrid clouds offer flexibility and resilience due to their dynamic and distributed nature. Nevertheless, this uniqueness can render traditional network defenses ineffective at securing and controlling workloads within them. While these defenses work well in on-premises environments, they may not seamlessly adapt to the cloud, creating security “blind spots” that threat actors could exploit. As a result, security teams need to assess and adapt their controls to align with the specifics of the hybrid cloud environment.

4. The cloud skills gap

Cloud security differs considerably from traditional on-premises security in several areas, such as the shared responsibility model, a higher focus on automation, and data residency requirements. These skills need to be developed within security teams, which can take time and effort. Most businesses invest heavily in hybrid cloud infrastructure without upskilling their teams in parallel, creating a skills gap. This can lead to risks like security misconfigurations and loopholes in the cloud environment.

5. Compliance and governance

Companies often choose Hybrid Cloud to enhance data and workload control and security. Nevertheless, it’s vital to grasp how compliance and governance operate in the cloud. To safeguard data from leaving a specific geographic location, Data Residency controls are necessary. Additionally, the shared responsibility model might entail shifting some compliance obligations to the cloud provider. Hence, businesses need to update their governance and compliance approaches to maintain oversight of their cloud environments.

Security best practices for hybrid cloud

To mitigate these risks, several security best practices can be implemented within a hybrid cloud environment:

1. Understanding the shared responsibility model

The Shared Responsibility Model is the basis for how security is governed within the cloud. Not understanding it can lead to problems within a hybrid cloud environment as businesses struggle to understand who is responsible for what. It is essential to have a thorough understanding of this model that outlines the cloud provider as being accountable for the security OF the cloud and the customer as being responsible for security IN the cloud. Most hybrid cloud environments utilize infrastructure and storage services in which customers are responsible for securing the application and services hosted on top of these services. By having a firm understanding of this model, security teams can delineate their responsibilities and take advantage of the security benefits the cloud provider brings.

2. Enhancing monitoring

We mentioned visibility as a significant challenge within the hybrid cloud; hence, monitoring becomes one of the critical pillars of an effective security strategy. It is essential to have complete visibility into the security posture of all mixed cloud workloads so that security threats can be responded to promptly. Businesses should invest in security tooling that can monitor the security posture of the hybrid cloud and take automated actions based on threat indicators. AI and machine learning can also greatly support such tooling, given the volume of data that gets generated.

3. Unified security controls

Standardizing security controls is essential for maintaining security in a hybrid cloud. Maintaining different levels of security across environments leads to a high level of risk and blind spots that attackers can exploit. Businesses must adopt a unified approach to cloud security in which standard security guardrails are implemented that maintain the same level of security across environments. This ensures that data is protected regardless of where it resides.

How InsiderSecurity can help

InsiderSecurity’s CSX is a powerful solution built from the ground up to address the unique security challenges of the hybrid cloud. Some of its key features are:

  1. Unified cloud security: CSX provides a unified layer that covers the security of all cloud layers, be it Infrastructure as a Service (IaaS), Platform as a Service (PaaS), or Software as a Service (SaaS).
  2. Unified identity and visibility: The problem of visibility within the hybrid cloud goes away with CSX’s ability to provide a single view of the hybrid cloud security posture. CSX can also generate a cloud asset inventory, providing visibility into your cloud resources.
  3. SaaS security monitoring: CSX has the unique ability to monitor the security of SaaS solutions like M365 and Google Suite, where traditional solutions might fall short. It can also leverage the power of AI and User and Entity Behavior Analytics (UEBA) to intelligently analyze the massive amount of data present and identify anomalies. This also allows it to detect insider threats, especially within SaaS services. It can flag suspicious data access and privileged activity attempts, indicating an insider threat. 
  4. Security response automation:  CSX provides the ability for automated security response for applicable use cases. This allows for instant risk mitigation and response, especially in the misconfiguration of cloud assets. By automating response and remediation, businesses can mitigate the risk of accidental cloud misconfigurations and prevent them from being exploited.

Conclusion

In summary, the hybrid cloud brings tremendous security benefits, such as increased flexibility and control, while introducing new challenges. By understanding these risks and implementing best-in-class solutions like CSX, businesses can enjoy the full benefits of a hybrid cloud safely and securely.


InsiderSecurity is now CSA STAR Level 2 certified

In the rapidly evolving landscape of digital operations, security is crucial. With so much sensitive information now being stored in the cloud, protecting it is a priority for both cloud providers and customers. We are pleased to announce that we are the FIRST cybersecurity software company from Singapore and likely Southeast Asia to achieve CSA (Cloud Security Alliance) STAR Level 2 certification. This certification demonstrates our commitment to cloud security, privacy controls, data protection, and quality. It also shows our dedication to fortifying our overall security measures through maintaining robust security systems and reliable processes.

What is CSA STAR?

The Cloud Security Alliance (CSA) is a nonprofit organization dedicated to establishing best practices for secure cloud computing. The CSA Security Trust, Assurance, and Risk (STAR) program is a robust security assurance initiative for the cloud. STAR represents transparency, rigorous auditing, and standardisation of guidelines in the Cloud Controls Matrix (CCM).

CCM comprises 197 control objectives spread across 17 domains, forming a detailed control framework. It helps cloud customers in evaluating the overall security risk of a cloud service solution provider (CSP), ensuring a thorough assessment of fundamental security principles.

By being CSA STAR Level 2 certified, organizations demonstrate their commitment to best practices and validate the security of their cloud services. This not only benefits customers seeking secure cloud solutions but also enables solution providers to prove robust controls to both current and future clients.

CSA STAR Level 1

The entry-level certification validates a CSP’s commitment to foundational security requirements and aligns with the CSA’s Cloud Controls Matrix (CCM). It is a starting point, indicating the provider’s acknowledgment of essential security protocols. Level 1 is a free self-assessment conducted internally and does not require third-party approval.

To attain CSA STAR level 1, the cloud service provider only needs to complete and submit the CAIQ (Consensus Assessments Initiative Questionnaire).

CSA STAR Level 2

CSA STAR Level 2 certification indicates a high level of maturity in the implementation of strict security protocols and practices within an organization’s cloud infrastructure. It involves a complete assessment of security controls, processes, and compliance with industry standards, performed by independent auditors. This level emphasizes not only the presence of security measures but also their effectiveness and alignment with industry best practices.

For more information on InsiderSecurity’s CAIQ and Level 2 certification, please visit the official registry at Insider Security Pte Ltd on CSA STAR.

CSA STAR and ISO 27001: What’s the connection? 

CSA STAR and ISO 27001 both aim to ensure that companies protect their information. Certifications from CSA STAR can be used to enhance existing information security certification and audit programs. This simplifies the assessment process and allows companies to assess their compliance with information security standards and cloud security standards simultaneously. Now, let’s explore how STAR differs from ISO/IEC 27001.

CSA STAR Certification incorporates the fundamental requirements of the ISO/IEC 27001:2013 management system standard, integrating them with cloud-specific criteria from the CSA Cloud Controls Matrix (CCM). Moreover, the STAR Certification path involves a comprehensive maturity model assessment, evaluating the organization’s maturity against CSA’s proprietary criteria. This evaluation highlights the strengths and weaknesses of processes by utilizing CCM domains as measurable indicators. Crucially, this assessment serves as an internal report for the client, fostering a culture of continual improvement within the organization.

The significant distinction between CSA STAR and ISO 27001 lies in the concept of the Shared Security Responsibility Model (SSRM). The 197 controls necessitate a clear delineation of specific responsibilities for each control, clarifying InsiderSecurity’s accountability. The table below illustrates ownership of SSRM controls and their implications:

SSRM Control Ownership | Description
CSP-owned | When the CSP (Cloud Service Provider) is InsiderSecurity, CSP-owned signifies that InsiderSecurity is solely responsible for the control. This category encompasses the majority of controls outlined in InsiderSecurity’s CAIQ.
Shared CSP and CSC | When both the CSP (InsiderSecurity) and the CSC (Cloud Service Customer) share responsibility for the control.
Shared CSP and 3rd-party | When the CSP (InsiderSecurity) and a 3rd-party cloud service provider (e.g. AWS or Azure, where our services are hosted) share responsibility for the control.

In addition to SSRM, the inquiry delves deeper into controls specifically tailored for the cloud-native environment. For instance, the subsequent table outlines inquiries for controls frequently encountered in cloud-native settings:

Domain | Question ID | Question | Rationale
CEK – Cryptography, Encryption and Key Management | CEK-08.1 | Are CSPs providing CSCs with the capacity to manage their own data encryption keys? | Many cloud service providers host data and services within a multitenant environment. In such cases, customers may desire a distinct encryption key for their data, particularly when it is stored alongside another customer’s data in the same database.
IPY – Interoperability & Portability | IPY-02.1 | Are CSCs able to programmatically retrieve their data via an API to enable interoperability and portability? | A cloud service customer faces reduced risk of vendor lock-in when the data supplied by the provider is portable. Integration of multiple cloud services becomes more feasible for the customer if the provider offers API support.

Why is CSA STAR Level 2 important for our customers, partners and stakeholders?

InsiderSecurity’s attainment of CSA STAR Level 2 bears multifaceted advantages for its customers, partners, and the broader ecosystem:

  • Commitment to Security: The CSA STAR Level 2 certification shows InsiderSecurity’s commitment to robust security measures. It showcases the capability to safeguard sensitive information.
  • Support for Customers and Partners: The certification aids customers and partners in meeting their security requirements and compliance standards.
  • Enhanced Transparency: Transparency across all involved parties fosters better alignment of security practices and posture. This creates a more trustworthy environment and facilitates streamlined collaboration.
  • Efficiency in Onboarding: The certification streamlines security protocols when vetting or onboarding new business relationships. This efficiency expedites partnerships, making processes smoother and more secure.

The CSA STAR Level 2 certification process

The journey towards attaining CSA STAR Level 2 was a challenging yet rewarding one. It involved meticulous examination of our existing security protocols, processes, and infrastructure. The process began with a comprehensive assessment of our security controls against the CSA STAR Level 2 requirements. This involved thorough documentation, evidence collection, and implementation of additional measures where necessary.

Independent auditors conducted rigorous evaluations, scrutinizing every aspect of our security framework. Their assessments gauged not only the presence but also the effectiveness of our security measures. The process involved collaboration across various teams within InsiderSecurity, ensuring that every department aligned its practices with the stringent security standards.

Throughout this journey, we fostered a culture of continuous improvement, leveraging insights from the assessment to refine and strengthen our security posture further. The dedication and collaboration of our teams were instrumental in achieving this certification, reflecting our commitment to prioritize security and safeguard data above all else.


Honored to welcome BSI for the CSA STAR Level 2 Certification presentation at our office

We had the pleasure of hosting the certification body @BSI (British Standards Institution) for the presentation of CSA STAR Level 2.


InsiderSecurity is now ISO 27001 certified

InsiderSecurity achieves ISO 27001 certification, honored with Quality Excellence Award

In today’s digital landscape, safeguarding sensitive information against cyber threats is paramount. InsiderSecurity recently attained ISO/IEC 27001 certification. This accomplishment, marked by an audit with zero findings, showcases our dedication to information security, data protection, and quality through maintaining robust security systems and reliable processes.

What is ISO/IEC 27001:2022?

ISO/IEC 27001:2022 is a globally recognized standard for information security management systems (ISMS). It provides a systematic approach to managing sensitive company information, ensuring its confidentiality, integrity, and availability. Achieving this certification involves implementing a robust set of policies, procedures, and controls to safeguard data assets against potential threats, vulnerabilities, and breaches. Compliance with ISO 27001 signifies a company’s ability to implement and maintain robust security measures that align with international best practices, enhancing trust among stakeholders.

Why is ISO/IEC 27001 important for our customers and stakeholders?

Attaining ISO 27001 certification embodies InsiderSecurity’s commitment to protecting data, fortifying our infrastructure against cyber threats, and maintaining the trust of customers and stakeholders. This certification demonstrates:

  • Commitment to security: ISO27001 certification demonstrates our dedication to robust security measures and our capability to safeguard sensitive information.
  • Focus on customers and partners: Our certification helps our customers and partners to meet their security requirements and compliance.
  • Risk Mitigation: ISO 27001 mandates a proactive approach to identifying and addressing security threats. This certification minimizes the risk of data breaches, ensuring the protection of your invaluable information.

The rigorous ISO/IEC 27001 certification process

Our journey towards ISO 27001 certification was marked by meticulous planning and collective efforts across all departments. The process involved an in-depth analysis of the risk profile and existing security measures. To align with ISO 27001 standards, we implemented stringent policies and controls, guided by the framework’s 114 controls across 14 distinct categories outlined in ISO 27001 Annex A.

Throughout the certification process, several requirements needed to be met. This process enabled us to fortify existing policies and controls, ensuring an elevated level of security aligned with the expectations of our customers and external stakeholders. Here are some of the controls we have in place to meet ISO27001 requirements:

  • MDM (Mobile Device Management) solution for endpoint
  • EDR (Endpoint Detection and Response) solution for endpoint
  • DLP (Data leakage prevention) solution for endpoint
  • Physical security in the office compound
  • Inventories and asset tracking process
  • Secure Software Development Life Cycle
  • Secret management process
  • Formal due diligence process to assess the security risk of our suppliers
  • Staff cybersecurity training process

Our existing security solutions, like Automated UEBA (User and Entity Behavior Analytics) and CSX, helped us detect any unusual activity in our cloud systems, meeting the logging and monitoring requirements of the ISO 27001 standard. After the grueling certification process, we completed the audit with zero findings.

Quality Excellence Award

InsiderSecurity is honored to receive the Quality Excellence Award from BSI, recognizing our exceptional performance in security processes. This accolade follows the successful passage of the ISO 27001 audit without any findings, showcasing our commitment to maintaining robust security systems and processes.

Kin Siong, Chief Information Security Officer (CISO) at InsiderSecurity, expressed gratitude for receiving the award during the networking lunch hosted by BSI, remarking, “It was truly an honor to be bestowed with the Quality Excellence Award.”

Received Quality Excellence Award by BSI

The award ceremony, where Kin Siong, the Chief Information Security Officer (CISO) of InsiderSecurity, received the Quality Excellence Award during a networking lunch hosted by BSI


Detecting compromised accounts in Microsoft 365 with InsiderSecurity’s free CASUAL tool

Introduction

In today’s digital age, cybersecurity is of paramount importance, with organizations facing an ever-evolving landscape of cyber threats and attacks. InsiderLab (our team of cybersecurity experts) conducts in-depth research and analysis of historical and emergent cyber threats, empowering organizations with the foresight needed to proactively safeguard their digital landscapes.


Amid recent events, the InsiderLab team has scrutinized the tactics and exploitation methods employed by high-profile threat actors. Through tireless investigations, InsiderLab has uncovered critical insights that shed light on the world of cyber threats. These findings not only raise awareness but also provide a comprehensive understanding of the evolving threats that organizations face today.


In this report, we focused on high-profile attacks, particularly those involving compromised Microsoft 365 accounts and studied the tactics used by these attackers. Each case study provides a unique window into the world of cyber threats, offering insights into the cunning methods employed by cyber adversaries and the vulnerabilities they exploit. Furthermore, InsiderLab released a free tool to aid in identifying similar classes of attacks.

Case study 1: Microsoft Storm-0558 SaaS breach

Uncovered in 2023, the threat actor behind the STORM-0558 attacks successfully accessed their victim’s Microsoft Exchange Online and Outlook accounts, completely bypassing 2FA (two-factor authentication). Notably, various U.S. government entities endured the brunt of the STORM-0558 onslaught.

These attackers were known to conduct their activity behind the SoftEther proxy VPN service, thereby masking their true IP addresses.

This was eventually discovered when the victims’ Microsoft 365 audit logs revealed that an unusual application was used to access the emails. In the blog provided by CISA (Cybersecurity and Infrastructure Security Agency), it was reported that the log entry for the ‘MailItemsAccessed’ operations contained an unusual AppID. While it is difficult to define what is unusual, keeping track of what is typical would be useful in detecting these deviations.

For example, if the user typically uses the Outlook Express email client or Outlook.com to access their emails, a log entry with an unusual AppID (application identities) would attribute the access to a different application type, indicating a deviation in email access behavior.

The following illustration shows the difference between a threat actor and a legitimate user in accessing Exchange Online. The threat actor uses additional services such as a VPN and the Microsoft Graph API as shown in steps 1 to 3, while the legitimate user typically only uses a web browser as shown in step 4. This approach taken by the threat actor leaves an unusual AppID and client IP address in the audit trail.

Microsoft Storm-0558 SaaS Breach Path

Case study 2: SolarWinds SUNBURST attack

Moving on to another case study, we will discuss the SolarWinds SUNBURST Attack. Uncovered in 2020, the threat actor behind the SUNBURST attacks leveraged the Microsoft Graph API to perform data exfiltration. This SUNBURST attack impacted various government entities and major players within the technology sector.

The attackers searched for existing cloud applications with email access privileges, or alternatively, escalated the permissions of pre-existing applications. This cunning maneuver is meticulously documented in this research article, spotlighting the attacker’s utilization of the ‘Mail.ReadWrite’ permission within an existing cloud application to gain access to victim email content via said application.

Furthermore, an alternate strategy observed in a separate attack involved the dispatch of phishing emails by attackers. These deceitful communications were tailored to dupe victims into unwittingly granting consent to install malicious cloud applications. If the victim falls for this trick, attackers would be able to access the victim’s email and files via the malicious cloud application.

The following illustration describes the additional services such as the Graph API and the tainted enterprise application. The attacker would access victims’ emails as shown in step 1 to step 3, whereas the legitimate user would simply access the email directly via a web browser as shown in step 4. The attacker’s approach leaves an unusual AppID in the audit trail.

SolarWinds SUNBURST Attack Path

Case study 3: LAPSUS$ attacks

Now we turn to the LAPSUS$ Attacks, discovered in 2022. The attacker behind this mysterious name targeted many victims, including major tech companies. The attacker is known to access cloud resources via a VPN. A comprehensive account of this method is described in this Microsoft report, where the threat actor employs NordVPN as their conduit to hide their true IP addresses.

The attacker also added an email transport rule to forward emails from their victims to their own account.

The following illustration describes additional services such as the VPN service the attacker would use to access victims’ emails as shown in step 1 to step 2. The attacker’s approach leaves an unusual client IP in the audit trail.

LAPSUS$ Attacks Path

Threat detection with CASUAL tool for compromised accounts

Given the ongoing high-profile breaches in Microsoft 365, our team is proud to introduce CASUAL (CloudAuditSearchUAL) —a user-friendly tool designed to uncover hidden cyber anomalies in the audit trail. Download CASUAL here.

CASUAL analyzes log entries in the Microsoft 365 Unified Audit Log (UAL) and produces a JSON file that contains the following information about accesses to Microsoft 365:

  • Unique geolocations
  • Unique application identities (AppID)

With this invaluable information in hand, the security team gains the upper hand, conveniently identifying:

  • Identities accessing the cloud service from an extensive array of unique geolocations
  • Identities engaging with the cloud service through a wide range of distinct applications

Now, let us move from theory to practice.

To generate a list of identities that have accessed Azure AD and their unique geo-location within the past 90 days, execute the following command:

./ual_tool.ps1 -ops ADLogin -analyze IP -days 90

The following output shows an actual result with an identity that has accessed Azure AD from over 3 unique geo-locations.

"ACCOUT_1":  {
    "Unique IP Count":  3,
    "Unique Countries Count":  3, 
    "IP Properties":  {
        "IP RETRACTED":  {
            "Count":  3,
            "Country":  "SINGAPORE"
        },
        "IP RETRACTED":  {
            "Count":  29,
            "Country":  "MALAYSIA"
        },
        "IP RETRACTED":  {
            "Count":  29,
            "Country":  "INDONESIA"
        }
    }
}

To generate a list of identities that have accessed Azure AD and their unique application accessed within the last 90 days, execute the following command:

./ual_tool.ps1 -ops ADLogin -analyze AppID -days 90

And the following output shows an actual result with an identity that has accessed Azure AD from over 7 unique application types.

"ACCOUNT_2":  {
    "Unique Count":  7,
    "AppID Properties":  {
        "4765445b-32c6-49b0-83e6-1d93765276ca":  {
                "Name":  "OfficeHome",
                "Count":  3
            },
        "89bee1f7-5e6e-4d8a-9f3d-ecd601259da7":  {
                "Name":  "Office365 Shell WCSS-Client",
                "Count":  18
            },
        "7eadcef8-456d-4611-9480-4fff72b8b9e2":  {
                "Count":  1,
                "Name":  "Unknown"
            },
        "c9a559d2-7aab-4f13-a6ed-e7e9c52aec87":  {
                "Name":  "Microsoft Forms",
                "Count":  2
            },
        "fb78d390-0c51-40cd-8e17-fdbfab77341b":  {
                "Name":  "Microsoft Exchange REST API Based PowerShell",
                "Count":  4
            },
        "243c63a3-247d-41c5-9d83-7788c43f1c43":  {
                "Name":  "Office Online Core SSO",
                "Count":  2
            },
        "00000003-0000-0ff1-ce00-000000000000":  {
                "Name":  "SharePoint Online",
                "Count":  2
            }
    }
}

The results can be sorted further based on the value of ‘Unique Count’. This will help analysts in identifying the identity with the most unusual access pattern.

The table below lays out an array of ‘ops’ parameters, serving as a guide for analysts seeking to uncover anomalies across numerous services:

Parameter options | Services
ADLogin | Azure AD
OD_Access | OneDrive
SP_Access | SharePoint
EXO_Access | Exchange
Table 1: An array of ‘ops’ parameters

In the CASUAL PowerShell script, you can find the mapping of operations to the parameters. And since Microsoft has pledged to expose more audit log types which are previously available only to organizations with the E5 licenses, the tool will be able to provide more visibility soon.

As you navigate through the intricacies of digital security, CASUAL can be an invaluable tool, streamlining your quest to find compromised identities. We hope that this tool empowers you and facilitates a smoother and more effective pursuit of cybersecurity excellence.

Limitations of CASUAL

  1. Unusual Application types are not automatically identified
    CASUAL simply generates a list of identities discovered in the UAL and the AppIDs used by those identities. An AppID that may be considered unusual for one identity may be normal for another. For example, an account belonging to a security team member might be expected to use PowerShell to access the cloud services, but this could be unusual for someone in the finance team. It is important to apply proper context when analyzing the results. One way is to start building a baseline with the data generated by the tool.
  2. Geo-location information may be inaccurate
    The geo-location could be misreported by the IP lookup service, or unresolvable due to the lookup cap enforced. If the tool reports an identity accessing the cloud service from an unexpected geolocation, verify the location by checking the IP with a reputation lookup service.
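As an added example (not the CASUAL tool’s own code), the Python below reproduces the per-identity aggregation the two commands above perform (unique IPs and countries, unique AppIDs, ranking by count) and adds the per-identity baseline comparison that the first limitation calls for, run over constructed UAL records. The record field names, the ‘UserLoggedIn’ operation used as the Azure AD sign-in, the account names and the geolocation table are all assumptions; the AppIDs and their names are taken from the sample output above.

```python
"""Added example (not the CASUAL tool's own code): the per-identity UAL
aggregation the article describes, run over constructed audit records."""
import json
from collections import Counter, defaultdict

# AppIDs and names as they appear in the article's sample output.
OFFICE_HOME = "4765445b-32c6-49b0-83e6-1d93765276ca"
EXO_PS = "fb78d390-0c51-40cd-8e17-fdbfab77341b"
UNMAPPED = "7eadcef8-456d-4611-9480-4fff72b8b9e2"  # no display name known
APP_NAMES = {OFFICE_HOME: "OfficeHome",
             EXO_PS: "Microsoft Exchange REST API Based PowerShell"}

# Constructed stand-in for the IP geolocation lookup service; an IP missing
# here models a lookup that failed or hit the service's cap.
GEO_LOOKUP = {"203.0.113.10": "SINGAPORE", "198.51.100.7": "MALAYSIA",
              "192.0.2.44": "INDONESIA"}

def _rec(user, op, ip, app):
    # Constructed UAL record; the field names are an assumed export shape.
    return {"UserId": user, "Operation": op, "ClientIP": ip, "AppId": app}

# "UserLoggedIn" stands in for an Azure AD sign-in (the article's ADLogin op);
# "MailItemsAccessed" is the Exchange operation from case study 1.
SAMPLE_UAL = [
    _rec("alice@example.com", "UserLoggedIn", "203.0.113.10", OFFICE_HOME),
    _rec("alice@example.com", "UserLoggedIn", "203.0.113.10", OFFICE_HOME),
    _rec("alice@example.com", "UserLoggedIn", "198.51.100.7", OFFICE_HOME),
    _rec("alice@example.com", "UserLoggedIn", "192.0.2.44", EXO_PS),
    _rec("alice@example.com", "MailItemsAccessed", "192.0.2.44", EXO_PS),
    _rec("bob@example.com", "UserLoggedIn", "203.0.113.10", OFFICE_HOME),
    _rec("bob@example.com", "UserLoggedIn", "203.0.113.10", OFFICE_HOME),
    _rec("bob@example.com", "MailItemsAccessed", "203.0.113.10", OFFICE_HOME),
    _rec("carol@example.com", "UserLoggedIn", "192.0.2.99", UNMAPPED),
]
# An earlier window that serves as each identity's own baseline (constructed).
BASELINE_UAL = [
    _rec("alice@example.com", "UserLoggedIn", "203.0.113.10", OFFICE_HOME),
    _rec("bob@example.com", "UserLoggedIn", "203.0.113.10", OFFICE_HOME),
]

def geolocate(ip, lookup=GEO_LOOKUP):
    """Unresolvable IPs are reported as UNRESOLVED, never guessed (limitation 2)."""
    return lookup.get(ip, "UNRESOLVED")

def analyze_ip(records, operations=("UserLoggedIn",), lookup=GEO_LOOKUP):
    """Per identity: distinct client IPs with hit counts and countries."""
    per_user = defaultdict(Counter)
    for r in records:
        if r.get("Operation") in operations and r.get("ClientIP"):
            per_user[r["UserId"]][r["ClientIP"]] += 1
    report = {}
    for user, ips in per_user.items():
        props = {ip: {"Count": n, "Country": geolocate(ip, lookup)}
                 for ip, n in ips.items()}
        # UNRESOLVED is not a country, so it must not inflate the count.
        countries = {p["Country"] for p in props.values()} - {"UNRESOLVED"}
        report[user] = {"Unique IP Count": len(props),
                        "Unique Countries Count": len(countries),
                        "IP Properties": props}
    return report

def analyze_appid(records, operations=("UserLoggedIn",), app_names=APP_NAMES):
    """Per identity: distinct AppIDs, named "Unknown" when not mapped."""
    per_user = defaultdict(Counter)
    for r in records:
        if r.get("Operation") in operations and r.get("AppId"):
            per_user[r["UserId"]][r["AppId"]] += 1
    report = {}
    for user, apps in per_user.items():
        props = {app: {"Name": app_names.get(app, "Unknown"), "Count": n}
                 for app, n in apps.items()}
        report[user] = {"Unique Count": len(props), "AppID Properties": props}
    return report

def rank_identities(report, key):
    """Identities sorted by a count field, highest first (ties by name)."""
    return sorted(((u, v[key]) for u, v in report.items()),
                  key=lambda t: (-t[1], t[0]))

def new_appids(baseline_report, current_report):
    """AppIDs an identity used now but never in its own baseline window: the
    per-identity context the article notes a raw AppID list lacks (limitation 1)."""
    out = {}
    for user, cur in current_report.items():
        seen = set(baseline_report.get(user, {}).get("AppID Properties", {}))
        novel = sorted(set(cur["AppID Properties"]) - seen)
        if novel:
            out[user] = novel
    return out

if __name__ == "__main__":
    ip_report, app_report = analyze_ip(SAMPLE_UAL), analyze_appid(SAMPLE_UAL)
    print(json.dumps(ip_report, indent=4))
    print(rank_identities(ip_report, "Unique Countries Count"))
    print(rank_identities(app_report, "Unique Count"))
    print(new_appids(analyze_appid(BASELINE_UAL), app_report))
```

Passing operations=("MailItemsAccessed",) to analyze_appid gives the per-mailbox view from case study 1, where the PowerShell AppID shows up against an account whose baseline only ever used OfficeHome.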

CSX – Simplifies cloud security

Unlike CASUAL, CSX (Cloud Security X) is designed to overcome the limitations mentioned above, making it an essential subscription for any organization serious about its cybersecurity posture.

CSX is an innovative solution that makes comprehensive and easy-to-use cloud security available. Leveraging innovative analytics and AI, CSX enables strong security across all layers of the cloud, covering IaaS, PaaS, and SaaS. CSX was also a project awarded by the Cyber Security Agency (CSA) of Singapore on CSA’s Cybersecurity Innovation Day 2022.

CSX reduces the personnel burden in cybersecurity. It saves costs for businesses while providing strong cloud security.

By subscribing to CSX, you are equipping your organization with cutting-edge technology that leverages AI, advanced analytics, and contextual awareness to provide a higher level of security intelligence. Embrace the limitless potential of CSX to safeguard your cloud assets and maintain a strong defense against ever-evolving cyber threats.

Mark your calendar: CSX will be launched in December, bringing in a new era of simplified yet comprehensive cloud security. Are you ready to embrace the future of cloud security?


7 Common causes of data breach: Safeguarding your digital assets

Data Breach is an ever-present threat to enterprises in today’s connected world. Whether you are a small SME or a large multinational company, the risk of a data breach and the company becoming another headline is a constant concern for senior management. It is not just financial loss that worries management but the loss of reputation and customer trust that can take years to recover if a data breach happens. This article reviews seven key issues that lead to a data breach and what can be done to mitigate these risks.

1. Weak and stolen passwords

Passwords remain the most popular security control and the entryway into applications and platforms in the modern era. While password controls have matured in recent years by incorporating features like password vaults, managers, and single sign-on technologies, they remain susceptible to attacks. Poor security awareness can cause users to share their passwords, reuse the same across applications or simply choose poor ones that are easily crackable, giving attackers an easy way into an environment. The most well-made cybersecurity framework can be compromised due to one password being shared by users.

To mitigate this risk, companies should invest in multi-factor authentication, improve their password guidelines and increase security awareness amongst users.

2. Insider threats

One of the most challenging threats in cybersecurity is insider threats. The possibility of a trusted individual misusing their approved access can be difficult to identify and mitigate. It is also not always malicious employees that cause a security breach; negligent actions can lead to a security loophole being exploited, for example, a staff member not following security policies, misconfiguring system settings, etc.

Insider threats can be mitigated by deploying technologies like User and Entity Behavior Analytics (UEBA), which leverage machine learning to identify anomalies, and Zero Trust architectures, which operate on the assumption that the network is potentially compromised and every action must be authorized.

3. Misconfigurations

Misconfiguration (due to human mistake or lack of knowledge) is a major source of data breach. Misconfiguration in infrastructure or software creates vulnerabilities. These lead to the security posture of a company being degraded, default passwords being used, open network ports, etc. This risk can be amplified in cloud environments where changes can quickly propagate to production environments via automated pipelines.

To mitigate these risks, companies should regularly review their infrastructure and software configurations, and continuously monitor their infrastructure.

4. Human error

Apart from negligence, genuine human error is another cause of data breach that is difficult to mitigate. A person accidentally emailing out sensitive information, clicking on malicious links, losing their laptops etc, are all risks that can cause severe security incidents for an organisation.

Along with awareness, cybersecurity teams should assume human errors will happen and implement controls such as data leakage policies, encryption, anti-phishing technology, etc., that can mitigate the impact of a human error.

5. Malware

Malware has been an ever-present threat since the early days of the Internet and is expected to remain so. Malware attacks continue to increase in sophistication yearly, with cybercriminals leveraging new technologies like AI to improve their attacks further.

To mitigate these risks, a multi-pronged approach is essential, combining user awareness, anti-malware controls, email filtering, and hardening the environment against vulnerabilities that would allow malware to gain a foothold. Regular patching is necessary, as unpatched systems are typically how malware gains privileged access within an environment to execute further attacks. Backups can also serve as one defense against attacks like ransomware, and it is important to keep backups separate from the immediate environment to prevent the infection from affecting the backups.

6. Social engineering

Social engineering attacks are older than the Internet but were amplified in the digital era once cybercriminals realized how easy it was to abuse the anonymity the Internet offers. Social engineering refers to tricking people into disclosing sensitive information or carrying out actions that result in security compromises. It abuses human trust, the desire to be helpful, and the fear of getting into trouble.

The most common type of social engineering attack is phishing, which comes in various forms such as email, text messaging, chats, etc. The method is usually the same: it creates a sense of panic or urgency that makes the user divulge information or click on a malicious link or attachment. Awareness of existing and emerging types of social engineering attacks remains the best way to protect against this ever-present risk.

7. Supply chain issues

The Supply Chain can be a significant blind spot in a company’s cybersecurity defenses. Supply chain refers to the partners, vendors, and tools that are involved or connected to the company’s infrastructure. Attackers have realized that compromising the supply chain can give them a foothold in a company’s network far more quickly than attempting a direct compromise.

To mitigate these risks, companies must include their partners and software dependencies within their security risk management scope. Partners and Service providers should be vetted to meet a minimum baseline before connecting to a company’s environment.

Final thoughts

Cybersecurity is an ever-evolving field, and it is essential to be aware of the main threat vectors that can lead to data compromises. Companies can improve their security posture by prioritizing these risks and implementing mitigations against them. Implementing both technical and human-based controls is essential for a comprehensive cybersecurity strategy. Security is an ongoing process, and we can expect new risks to appear in the near future.

How User and Entity Behavior Analytics (UEBA) can help

User and Entity Behavior Analytics (UEBA) plays a crucial role in helping organizations mitigate the risk and impact of data breaches. InsiderSecurity’s Automated UEBA leverages machine learning algorithms to analyze user behaviour, detect anomalies, and identify potential insider threats. By monitoring user activities, InsiderSecurity detects unusual patterns, such as unauthorized access or abnormal data transfers, which may indicate malicious intent or compromised user accounts. InsiderSecurity’s UEBA offers valuable insights into user behaviour, allowing organizations to detect and respond to potential data breach risks effectively.


Join InsiderSecurity at Booth 4K21 during the Singapore Fintech Festival

Complying with MAS-TRM and CCOP 2.0 requirements with InsiderSecurity

How does InsiderSecurity meet MAS-TRM and CCoP 2.0?

InsiderSecurity helps to meet key MAS-TRM and CCoP 2.0 requirements that are challenging and tedious to comply with. As a leader in automated log analytics, InsiderSecurity helps to reduce compliance costs.

InsiderSecurity does the following:

Simplify database security monitoring

Harness the power of AI to monitor your on-premise, hybrid, and cloud environments with ease.

Simplify the review of user activity logs

Manual review of user activity logs is tedious and often impractical because of the high volume of log events. With InsiderSecurity’s Smart Log Review, users no longer have to work through an overwhelming volume of log events or alerts by hand. InsiderSecurity makes sense of the logs and solves the challenge of manual log review.

Monitor for anomalies in user behaviour

InsiderSecurity’s automated user behaviour analytics flags anomalies in behaviour patterns and detects early signs of a breach.

Built-in workflow to support governance and audit

InsiderSecurity provides a built-in log review workflow that improves IT governance and supports audits.

Trusted by government agencies

InsiderSecurity’s solutions are deployed and trusted by government agencies and healthcare institutions.

IMDA Accreditation

InsiderSecurity is the only company accredited by Singapore’s IMDA in the field of user and entity behaviour analytics. Our solutions have been evaluated to meet IMDA’s high standards for deployment in enterprises and government agencies.

Key Details of Singapore Fintech Festival 2023

  • Date: 15 – 17 Nov 2023
  • Time: 10:00 am to 6:00 pm
  • Location: Booth 4K21 | Hall 4, Singapore EXPO

Join us at Booth 4K21 during the Singapore Fintech Festival!

Discover how InsiderSecurity’s solutions can help your organization comply with regulatory requirements and enhance its cybersecurity posture. Engage with our team of experts and be sure to attend our enlightening presentation on achieving compliance with MAS-TRM through InsiderSecurity.


Solve the world’s cloud security challenges with Singaporean technology

SINGAPORE, October 13, 2023 – InsiderSecurity, a Singaporean developer of innovative cybersecurity SaaS used by many government agencies and enterprises, is excited to unveil its latest cloud security product, codenamed CSX, at GovWare 2023. CSX has already won an award at CSA Cybersecurity Innovation Day 2022.

CSX is a good example of a homegrown cybersecurity product that helps position Singapore as a cybersecurity hub in the digital economy.

Founded by local cyber experts, InsiderSecurity has been building advanced cybersecurity software products for the past 8 years. CSX is the culmination of its expertise in cyber security, user behaviour analytics and product development.

CSX is a game-changer in the market as it does one important thing: simplify cloud security.

As more businesses shift to the cloud, attackers are increasingly targeting cloud data and assets. Every now and then, a company appears on the news due to a cyber breach – a cyber breach has become a matter of when, not if. Chief Information Security Officers (CISOs) are held accountable for breaches and some even face criminal charges for lack of oversight.

This brings up the question – how can I be sure that the business’s cloud data and infrastructure are secure and have not been compromised?

Leveraging state-of-the-art analytics and artificial intelligence, CSX offers robust security coverage across the whole cloud stack, encompassing Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

CSX flags anomalous behaviours within cloud environments and provides actionable insights through an intuitive dashboard. CSX helps businesses improve their security posture while minimising the need for extensive security expertise or large security teams, making cloud security accessible and cost-effective even for small enterprises.

“We are very excited to release our newest cybersecurity solution for the cloud – CSX,” said Justin Tay, Product Manager at InsiderSecurity. “With CSX, we want to help businesses from Singapore and abroad to get assurance of the security of their cloud products and services.”

One of the standout features of CSX is its simplicity. For example, users can seamlessly onboard their IaaS, PaaS, and SaaS services through the user-friendly dashboard. Adding a new cloud service for monitoring is as easy as clicking “Add” and following the automated steps. This streamlined process simplifies security management and minimizes the time and effort required to ensure the security of cloud products and services.

“I can’t wait to onboard all our products when CSX is released,” said a CEO at an SME. “Recently, one of our employees had their mobile phone compromised and lost access to their mobile banking app. Since they also had our company’s work productivity tools installed on the same phone, I was extremely worried that our cloud services had also been compromised. At the time, the only way I could be sure there was no major breach was to incur significant costs reviewing each of our security tools – CSX would have made that so much easier and more affordable!”

Put your cloud security worries to rest and secure all your clouds with CSX today. To learn more about InsiderSecurity, please visit InsiderSecurity.

Key details of GovWare Conference & Exhibition 2023

  • Date: October 17 to 19, 2023
  • Time: 9:00 am to 5:30 pm
  • Location: Booth H32 | Sands Expo and Convention Centre

Join us at Booth H32 during GovWare 2023 to experience CSX firsthand! Discover live demonstrations of CSX, engage in in-depth discussions about cloud security challenges and connect with our team of experts. Don’t miss this opportunity to explore the future of cloud security.

About InsiderSecurity:

InsiderSecurity helps organisations to uncover cyber breaches very early, so as to avoid serious data loss. Our products include CSX for simplified cloud security, Database Activity Monitor for database security and Smart Log Review for log review compliance.

Founded in 2015, InsiderSecurity has won several awards for our technology. We are the only organisation to be accredited by Singapore’s IMDA in cybersecurity behavior analytics, having met high standards for deployment in government and enterprises. We are also a two-time winner on CSA’s Cybersecurity Innovation Day.

Today, InsiderSecurity’s products are trusted by many large enterprises, government agencies and SMEs.
