Matt Ramberg is the vice president of information security at Sanmina, a sprawling electronics manufacturer with close to 60 facilities in 20 countries on six continents and some 35,000 employees spread across the world.
Like most enterprises, Sanmina, a big name in contract manufacturing, is also adapting to a new IT environment. The 42-year-old Fortune 500 company, with fiscal year 2021 revenue of more than $6.76 billion, was an early and enthusiastic adopter of the cloud, taking its first step into Google Cloud in 2009.
With manufacturing sites around the globe, it also is seeing its technology demands stretch out to the edge.
7,500 employees work remotely and, in the wake of the COVID-19 pandemic, that number keeps growing.
With this in mind, when Ramberg thinks about security, what first comes to mind is the company's data. In particular, he wants to make sure the company knows exactly where that data is.
"Where we focus the most is IP," he told The Register during an interview here at cybersecurity vendor Zscaler's Zenith Live 2022 conference in Las Vegas. "You get that intellectual property, especially in manufacturing – and we touch a number of industries, automobile and communications and defense and aerospace – and the biggest concern we have … is that of data loss prevention. DLP is a very difficult area. It's data [that is the focus] expressly because of the influx of cloud-based solutions."
Sanmina employees have long used Google Workspace – formerly Google G Suite – a collection of cloud-based business applications and collaboration tools.
"But now you've got this roaming workforce, this mobile workforce," Ramberg said. "There's Box, there's Dropbox, there are 8,000 file-sharing sites and you can do training until you're blue in the face, but there's concern that somebody – and I don't even mean from a malicious standpoint – they'll put [data] in Dropbox because they have an account there and they want to keep it safe. You just released our IP."
Even Sanmina customers use varying file-sharing tools, creating another data sprawl issue the company has to adapt to. He doesn't necessarily call it a worry – he believes Sanmina has it under control – but in such a highly distributed corporate environment, making sure they know where the data is is his largest focus.
With so much data, the shift to the cloud, and a highly mobile work environment, there are many avenues of threats to consider – everything from ransomware to phishing – along with issues of data sovereignty and a growing list of regulations around data and privacy, from the European Union's GDPR to the California Consumer Privacy Act (CCPA). In addition, the various Sanmina plants around the world have to talk to each other regardless of what country they're located in and how that country manages data and cyberthreats.
Given all that, Sanmina became an early adopter – and now a vocal advocate – of the growing movement toward zero-trust frameworks. Given the venue, it's not surprising that the company relies heavily on Zscaler technology for its zero-trust technologies, but for Ramberg, zero trust is the right fit for his increasingly decentralized company.
"We really embraced it," he says. "Early on, it was a buzzword. 'Here's the latest and greatest thing.' We really looked at it and it made sense. If there are five servers and I literally only have access to one – have credentials only to one – why should I even see the other four? It just made complete sense. The fact is it eliminated lateral movement. When I'm set up to only talk to that one server and can't laterally move anywhere, this sounds pretty nice, this whole zero-trust thing."
With so much data and so many applications being created and accessed outside the central corporate datacenter, the traditional security architectures of firewalls and castles-and-moats, designed to keep threats out, are increasingly outdated. They work well if the user, applications and data are inside the firewall, but that's often no longer the case.
Zero-trust frameworks assume that no user, device, or application on the network can be trusted. Instead, they rely on identity, behavior, authentication, and security policies to verify and validate everything on the network and to determine such issues as access and privileges. Most cybersecurity vendors are building out their zero-trust capabilities and Zscaler has based its entire strategy on the idea since its first product rolled out in 2008.
About eight years ago, Sanmina adopted Zscaler Internet Access (ZIA), a collection of cloud services that use artificial intelligence (AI) techniques to inspect all internet traffic – including SSL decryption – to protect against ransomware and other threats. In 2017, the company brought in Zscaler Private Access (ZPA) to replace the VPNs it was using for its mobile workers. ZPA gives users access only to the data and applications they have credentials for rather than access to the network, reducing the chance for cybercriminals to gain access to the network and move laterally through the company.
"We looked at them and said, 'VPNs stink. They just stink,'" Ramberg says.
Along with the list of VPN security concerns, there were also limits on the number of connections they could manage, which slowed network performance, and users had to constantly reauthenticate to use them. Sanmina had 13 VPN appliances around the world that had to be managed, updated and patched and, when they hit end-of-life, had to be replaced with more hardware.
ZPA "is providing the same tunnel, but not putting anyone on the network. That was one of our biggest concerns with VPNs. When you give someone VPN access, what can they get to?" he said, adding that attackers can often get credentials for a server. With ZPA, "if you don't have credentials for that server, you shouldn't even be able to see it. If I'm not going to issue a key to that door, why am I even going to allow you to see that door?"
Sanmina also uses ZPA to manage what vendors and partners have access to, he said.
Since then, the company has added other Zscaler services, including SSL Inspection and Cloud Browser Isolation, and is looking at new capabilities the vendor is adding, including a service for Internet of Things (IoT) and operational technology (OT) announced at the event this week, which Sanmina will use for communications within its manufacturing plants.
Ramberg says he understands that zero trust in some ways is similar to what virtualization and cloud were when they were new – vaguely defined terms that vendors were putting on a lot of their products. However, as Sanmina was adopting the cloud, it became apparent that the company's attack surface was expanding and it needed to adapt its security capabilities to address that.
The first step was to put full disk encryption into laptops, but that was a stop-gap measure. The move to a zero-trust architecture is addressing the security needs as Sanmina's workforce and data become more distributed.
"We had to adjust, but liked the whole idea of it," Ramberg said. "We jumped in with both feet and haven't looked back. We really embraced it." ®
Zscaler is growing the machine-learning capabilities of its zero-trust platform and expanding it into the public cloud and network edge, CEO Jay Chaudhry told devotees at a conference in Las Vegas today.
Along with the AI advancements, Zscaler at its Zenith 2022 show in Sin City also announced greater integration of its technologies with Amazon Web Services, and a security management offering designed to enable infosec teams and developers to better detect risks in cloud-native applications.
In addition, the biz also is putting a focus on the Internet of Things (IoT) and operational technology (OT) control systems as it addresses the security side of the network edge. Zscaler, for those not aware, makes products that securely connect devices, networks, and backend systems together, and provides the monitoring, controls, and cloud services an organization might need to manage all that.
Windows and Linux systems are coming under attack by new variants of the HelloXD ransomware that includes stronger encryption, improved obfuscation and an additional payload that enables threat groups to modify compromised systems, exfiltrate files and execute commands.
The new capabilities make the ransomware, first detected in November 2021, and the developer behind it even more dangerous, according to researchers with Palo Alto Networks' Unit 42 threat intelligence group. Unit 42 said the HelloXD ransomware family is in its initial stages but it's working to track down the author.
"While the ransomware functionality is nothing new, during our research, following the lines, we found out the ransomware is most likely developed by a threat actor named x4k," the researchers wrote in a blog post.
In brief Last month the notorious Russian ransomware gang Conti threatened to overthrow Costa Rica's government if a ransom wasn't paid. This month, another band of extortionists has attacked the nation.
Fresh off an intrusion by Conti last month, Costa Rica has been attacked by the Hive ransomware gang. According to the AP, Hive hit Costa Rica's Social Security system, and also struck the country's public health agency, which had to shut down its computers on Tuesday to prevent the spread of a malware outbreak.
The Costa Rican government said at least 30 of the agency's servers were infected, and its attempt at shutting down systems to limit damage appears to have been unsuccessful. Hive is now asking for $5 million in Bitcoin to unlock infected systems.
QNAP is warning users about another wave of DeadBolt ransomware attacks against its network-attached storage (NAS) devices – and urged customers to update their devices' QTS or QuTS hero operating systems to the latest versions.
The latest outbreak – detailed in a Friday advisory – is at least the fourth campaign by the DeadBolt gang against the vendor's users this year. According to QNAP officials, this particular run is encrypting files on NAS devices running outdated versions of Linux-based QTS 4.x, which presumably have some sort of exploitable weakness.
The previous attacks occurred in January, March, and May.
Two of the more prolific cybercriminal groups, which in the past have deployed such high-profile ransomware families as Conti, Ryuk, REvil and Hive, have started adopting the BlackCat ransomware-as-a-service (RaaS) offering.
The use of the modern Rust programming language to stabilize and port the code, the variable nature of RaaS, and growing adoption by affiliate groups all increase the chances that organizations will run into BlackCat – and have difficulty detecting it – according to researchers with the Microsoft 365 Defender Threat Intelligence Team.
In an advisory this week, Microsoft researchers noted the myriad capabilities of BlackCat, but added the outcome is always the same: the ransomware is deployed, files are stolen and encrypted, and victims told to either pay the ransom or risk seeing their sensitive data leaked.
Healthcare organizations, already an attractive target for ransomware given the highly sensitive data they hold, saw such attacks almost double between 2020 and 2021, according to a survey released this week by Sophos.
The outfit's team also found that while polled healthcare orgs are quite likely to pay ransoms, they rarely get all of their data returned if they do so. In addition, 78 percent of organizations are signing up for cyber insurance in hopes of reducing their financial risks, and 97 percent of the time the insurance company paid some or all of the ransomware-related costs.
However, while insurance companies pay out in almost every case and are fueling an improvement in cyber defenses, healthcare organizations – as with other industries – are finding it increasingly difficult to get insured in the first place.
RSA Conference IBM has expanded its extensive cybersecurity portfolio by acquiring Randori – a four-year-old startup that specializes in helping enterprises manage their attack surface by identifying and prioritizing their external-facing on-premises and cloud assets.
Big Blue announced the Randori buy on the first day of the 2022 RSA Conference on Monday. Its plan is to give the computing behemoth's customers a tool to manage their security posture by looking at their infrastructure from a threat actor's point of view – a position IBM hopes will allow users to identify unseen weaknesses.
IBM intends to integrate Randori's software with its QRadar extended detection and response (XDR) capabilities to provide real-time attack surface insights for tasks including threat hunting and incident response. That approach will reduce the amount of manual work needed to monitor new applications and to quickly address emerging threats, according to IBM.
A state-sponsored Chinese threat actor has used ransomware as a distraction to help it conduct electronic espionage, according to security software vendor Secureworks.
The China-backed group, which Secureworks labels Bronze Starlight, has been active since mid-2021. It uses an HUI loader to install ransomware, such as LockFile, AtomSilo, Rook, Night Sky and Pandora. But cybersecurity firm Secureworks asserts that ransomware is probably just a distraction from the true intent: cyber espionage.
"The ransomware could distract incident responders from identifying the threat actors' true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group," the company argues.
Miscreants are reportedly exploiting the recently disclosed critical Windows Follina zero-day flaw to infect PCs with Qbot, thus aggressively expanding their reach.
The bot's operators are also working with the Black Basta gang to spread ransomware in yet another partnership in the underground world of cyber-crime, it is claimed.
This combination of Follina exploitation and its use to extort organizations makes the malware an even larger threat for enterprises. Qbot started off as a software nasty that raided people's online bank accounts, and evolved to snoop on user keystrokes and steal sensitive information from machines. It can also deliver other malware payloads, such as backdoors and ransomware, onto infected Windows systems, and forms a remote-controllable botnet.
Someone is trying to steal people's Microsoft 365 and Outlook credentials by sending them phishing emails disguised as voicemail notifications.
This email campaign was detected in May and is ongoing, according to researchers at Zscaler's ThreatLabz, and is similar to phishing messages sent a couple of years ago.
This latest wave is aimed at US entities in a broad array of sectors, including software security, security solution providers, the military, healthcare and pharmaceuticals, and the manufacturing and shipping supply chain, the researchers wrote this month.