Videos and On-Demand Webinars Archives | CyberMaxx
https://www.cybermaxx.com/resources/category/videos-and-on-demand-webinars/

Ransomware Research Report | Q2 2025 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q2-2025-audio-blog-interview/
Thu, 24 Jul 2025 17:42:12 +0000

The post Ransomware Research Report | Q2 2025 – Audio Blog Interview appeared first on CyberMaxx.


The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q2’s research here.

Video Transcript

Introduction

Ransomware activity in Q2 of 2025 showed a significant decline compared to the previous quarter. We observed a total of 1488 successful ransomware attacks between April 1st and June 30th, compared to the 2461 we observed in Q1. This represents a 40% decline in activity. Despite the reduction, ransomware remained a persistent threat, with an average of one successful attack occurring approximately every 87 minutes during Q2.

We observed a total of 75 ransomware groups operating within Q2, up from 74 in Q1. There appears to have been a focus this quarter on sectors that are sensitive to operational disruption: healthcare and manufacturing were two of the top three industries hit, while education, government and energy all showed growth as well, to a smaller degree.

Qilin is the threat actor with the most successful ransomware attacks this quarter – with 176 total, followed by Akira with 139 and Play with 124. Qilin was most active within the healthcare industry and technology sectors.

While Cl0p was extremely active last quarter, they have not been as active recently. This may be because they are still working through the backlog of victims from exploiting Cleo Harmony back in February.

LockBit Updates

In recent months, two major ransomware groups were quietly hacked, and both attacks featured the same message: “Don’t do crime, xoxo from Prague.” No one has come forward to take responsibility.

In April, the Everest group’s leak site was defaced, and then in May LockBit’s affiliate panel was also updated with the odd message. The LockBit breach also leaked internal data and crypto wallet addresses.

Theories are circulating that it may have been a rival gang or law enforcement; however, no one has officially taken credit for either attack, and both were very likely carried out by the same individual (or group!).

Healthcare

Between April 1 and June 30, 2025, the healthcare sector experienced 95 ransomware attacks, making it the third most targeted industry during this period, following Manufacturing and Tech at 157 and 136 respectively.

Across the broader ransomware landscape, a healthcare organization is now hit with a successful attack roughly every 22 hours. Groups like Qilin and others continue to exploit healthcare’s operational urgency, pressuring victims to pay quickly to avoid disruptions to patient care or data exposure.

The impact of each incident tends to be disproportionately high compared to other industries, leading to care delays, system outages, and regulatory complications.

Qilin:

Qilin have been the most prolific group this quarter, primarily targeting high-impact and operationally critical industries.

Manufacturing led all sectors, followed by Technology and Healthcare, reflecting Qilin’s focus on data-sensitive and disruption-prone environments. Transportation/Logistics and Education were also notable targets.

A full breakdown of their operational target industries can be seen in the full report.

Qilin have demonstrated consistent growth throughout the first half of 2025, with attack volumes rising steadily each month. Starting with a relatively low number of incidents in January, activity nearly doubled by February and remained stable through March and April. A sharp increase followed in May, and June marked the group’s most active month to date, with over 75 recorded attacks.

The vulnerabilities we have observed the group using are as follows:

  • CVE-2023-4966, aka CitrixBleed
  • CVE-2023-27532, credential access in Veeam Backup
  • CVE-2025-31161, an authentication bypass in CrushFTP
  • CVE-2025-31324 in SAP NetWeaver (which, interestingly, was exploited at least 3 weeks before public disclosure, showing that the group had early access to a 0-day)
  • CVE-2025-32756, which allows unauthenticated RCE in several Fortinet products

The full list of exploited vulnerabilities is also available in the report, along with a breakdown of their currently active infrastructure.

Q2 Conclusion

The second quarter of 2025 marked a complex and transitional period in the ransomware landscape. While overall attack volume declined significantly, threat activity remained widespread, with critical sectors such as healthcare, government, and education continuing to face sustained pressure. Despite the slowdown in raw numbers, the frequency of attacks and the strategic focus of top ransomware groups indicate that the threat remains both adaptive and persistent.

Qilin emerged as the most active ransomware group this quarter, steadily increasing its operations and overtaking previously dominant groups such as Cl0p. Their consistent targeting of high-impact industries, exploitation of newly disclosed vulnerabilities, and technical adaptability demonstrate a clear evolution in capability and reach. At the same time, the temporary absence of Cl0p from the top rankings, despite its history of impactful, exploit-driven campaigns, highlights the cyclical and opportunistic nature of ransomware group activity.

Sectors like healthcare continue to experience frequent and damaging incidents, underscoring the need for targeted resilience strategies. Meanwhile, the recent breaches of ransomware infrastructure, such as the defacements of Everest and LockBit, hint that threat actors themselves are not immune to disruption, though the sources of these countermeasures remain unknown.

In summary, Q2 2025 presented fewer attacks overall, but increased complexity in attacker behavior, tooling, and targeting. Organizations must remain proactive, adaptable, and intelligence-driven in their defensive strategies as ransomware continues to evolve.

Read the full report.

EDR & MDR
https://www.cybermaxx.com/resources/edr-mdr/
Wed, 25 Jun 2025 18:05:19 +0000

Demystifying Cyber: EDR & MDR
In this video series, we’re here to peel back the curtain and show how the “tricks” in cyber are done so we can all have a better understanding.

Tom Pioreck, CyberMaxx’s CISO, will be diving into all things EDR & MDR. In this episode of “Demystifying Cyber,” we’ll unlock the mystery and clear the confusion surrounding EDR & MDR.

For your convenience, we’ve included a transcript of the 17-minute episode below. Feel free to watch the video on YouTube.

Transcript

Organizations keep hearing that they need to detect and respond, and EDR, or a trusted MDR provider, is one of the best ways to do that.
That’s all well and good, but what do EDR and MDR mean? What does an organization need to know and consider when determining which option is the better choice for them?

If security professionals keep saying EDR should be a standard part of our security program, then it’s probably a good idea if we understand the abbreviation, the terms it contains, and what we’re really saying when we talk about EDR and MDR.

Hello, I’m Thomas Pioreck, a cybersecurity professional with close to 20 years in the industry and self-professed most paranoid person in the room. On this episode of Demystifying Cyber, we define EDR and MDR, and considerations for which one to select as an organization.

The famed author Arthur C. Clarke had three laws when it came to science fiction; his third law is, “any sufficiently advanced technology is indistinguishable from magic.” We’re here to peel back the curtain and show how the “tricks” in cyber are done, so we can all have a better understanding. This is “Demystifying Cyber.”

EDR and MDR. In a world of abbreviations, what’s two more? If EDR and MDR are so similar, which seems to be the message out there, then why the need for both terms? Let’s start by breaking down the abbreviations, EDR and MDR.

And since both have “D” and “R,” let’s start there. The good news is that the D and the R have the same meaning in each abbreviation. The D is for “Detection” and the R is for “Response.” So, that’ll help keep things a little simpler. We will get into what each term means a little later, but what about the E versus the M?
E is for Endpoint. Just like C is for Cookie. Endpoint, endpoint, endpoint start with E. Well, that’s simple enough, isn’t it. Hmm? What’s an Endpoint? Yeah, that’s a good question.

We kind of just throw the term “endpoint” out there and figure everyone knows exactly what we’re referring to when we say “endpoint.”
There are mostly two different ways people interpret the term “endpoint,” and that can create confusion when we’re talking about EDR.

The broadest definition of an endpoint is, “any device that operates within your corporate environment.” And that really means any device; mobile phone, tablet, servers, desktops, switches, laptop, point-of-sale systems, automated inventory systems, smart TV, smart fridge, smart coffee maker (a critical asset, if ever there was one), an “endpoint” is anything and everything.

When we ask an organization about asset inventories and we ask them to account for all of their endpoints, this is the breadth we want you to consider and document. Generally, though, when a company is considering EDR (and this applies to MDR too), we tend to narrow the scope just a bit.

Your EDR “endpoints” really come down to computers, whether laptop, tower, or desktop, and your servers, physical or virtual. Why such a narrow scope? The reason is what’s available on the market as of this recording. It’s these endpoints that have available agents that are tried and true. Yes, some solutions on the market have an agent for phones and tablets, and depending on what runs your point-of-sale system, an agent for that, maybe an agent for a smart device, like that TV in the boardroom, but they don’t have the operational history like the agents for servers and computers do.

Let’s take that term “agent.” That word gets thrown around a lot too. Single agent, agentless, consolidated agent, call my agent, almost all solutions out there have some kind of “agent” associated with them. Even AI is getting in on the game with “agentic AI.” So, what’s an agent?

Let’s say you’ve decided to go with an EDR solution, which we’ll just call The Farm. The main component, the brains if you will, exists as some kind of central headquarters. That headquarters could be something you build, install, and run in your own data center, or it could be a cloud-platform solution, often called the “console,” that The Farm provides.

That console is where all the data and information is visible to you. It’s where you log in to see data and alerts generated, and where you go to triage those alerts and set your configurations, the real functional aspect. All of the intelligence you’re gathering comes back to this central location. It serves as a central intelligence hub. Here’s where central intelligence’s agent comes in.

The agent works for The Farm. Its job is to monitor what happens on the single endpoint it’s been deployed to and report back on all the activity that it sees, so that modules within The Farm can perform an analysis and decide if what it’s seeing is “suspicious, malicious,” or “benign.” The agent is basically a small piece of software that gets deployed on every endpoint. Once it’s deployed, it’s perma-linked to that endpoint and reports back to headquarters, or the mothership, so to speak, pretty much in real-time. Agents can function on their own, but their operating parameters are defined by the mothership, kind of like the alien ships in Independence Day.

So now I have an agent deployed on the servers and computers, my “endpoints,” that operate across my environment. The activity that occurs on each endpoint reports back to the console, where the “magic” happens. Congratulations, you’ve implemented the first step in monitoring your environment. You are getting insight into the activity that is occurring on each endpoint and can be alerted when malicious, or at least suspicious, activity is Detected.
And that’s the D in EDR. Detection. By being able to ingest the activity and analyze it, we’re then able to detect unwanted behavior. There’s a bit more that happens than just “detecting” though.

EDR systems have some form of alerting or notification whenever something is detected that you need/want to be aware of, see what’s really going on. So the D for Detect really has a silent N for Notify or silent A for Alert.

Great, so I’ve monitored, detected, and been notified, but I want to do something about it. That activity you alerted me to is bad, make the bad thing stop, I need to Respond to the bad thing. I don’t want to be aware that it’s happening and just sit there while it wreaks havoc on my company, I want to Respond. And there’s our R.
R is for Response. You want to be able to Stop the activity. You’ll hear the word “Kill” used here a lot with EDR vendors. You can set parameters where the EDR solution itself will Kill and/or Quarantine (exactly what you think it means) that activity or process. The really cool part is you can set a lot of the Response actions to happen automatically within the system and not give up manual review or human decision-making.

If the system seems to be killing too many legitimate actions just because they seem sketchy, you can tune its behavior. Or tell it to alert you but take no further action until you tell it to do so.

Most EDR solutions can isolate that endpoint. Meaning, nothing that’s happening on that one endpoint can get to any other system on the network or even anywhere on the Internet. The only communication an isolated endpoint can have is back to the mothership. The endpoint can only phone home. So, we have any number of response capabilities ready for us to implement now.

Ok, that’s EDR in a nutshell, so what’s MDR? The D and the R are the same, Detection and Response. The M is for Managed, so MDR is Managed Detection and Response. So, what’s the difference between EDR and MDR? The difference lies in who manages the solution.
See, MDR is really Managed EDR. You select a vendor to manage the EDR solution that’s been implemented. The functionality of the EDR doesn’t change, it’s the same for EDR and MDR, but with MDR, you’re offloading the management of the system to a trusted security partner. And that partner is usually an MSSP, a Managed Security Service Provider, specifically an MDR vendor. Notice the M means the same thing in MDR and MSSP? That’s how you can remember the connection and meaning, plus the difference between MDR and EDR.

Your next question is likely, is EDR or MDR better for my organization? That’s a fair question. And it may seem like a simple question of do I want to outsource it or do I want to run it in-house? There’s actually a lot that goes into that decision.

Managing an EDR is a 24/7 job. That’s just the time. That whole Detection component? It requires constant tuning and maintenance, tweaking it until you find that perfect sweet spot where the alerts you’re getting are mostly just the signal amongst the noise. The cyber world changes so rapidly that your tuning is never truly complete. You’re always going back and tuning as the threat landscape changes, as new attack techniques are identified and shared, as your business evolves and changes. Once you have the system tuned, you still need to investigate each alert that is generated for risk and actual legitimacy.

And you can’t do any of that without staffing, and staffing means a knowledgeable team of professionals that have experience and can put items in context. Folks that can really apply critical thinking to the deluge of notifications and intelligence that all these solutions present.

Think of it like this. You own a home. Not an especially large home, but what most folks think of when they think of a typical American home in the suburbs. That home has a lawn, likely some bushes, maybe even a couple of flower beds. You want your home to have a beautiful yard. Well, that means mowing, edging, weeding, and pruning. That’s just the regular maintenance you have to do every week. Then there’s knowing when to plant, managing the soil, being able to identify crab grass, grubs, rot, plant infections or whatever they’re called, knowing when to plant what plants at what time of year, in what soil and maintain the pH of that soil, in a location where they’ll get the right amount of sunlight and shade. That’s a lot of work, a lot of time, and a lot of knowledge you need to have or obtain. Can you really afford to do all that yourself AND have the outcome you want? Oh, and have time for the myriad of other things going on in your life?

Like many suburban homeowners, you’d likely hire a landscaping service. Professionals who have the experience and know the answers to those questions, who can recommend treatments, how to plant and what to plant, lay new seed, mitigate the grubs and other bugs, identify when foliage seems to have become infected and treat it, recommending future steps to avoid it from happening. And when they do the maintenance, the mowing, the edging, the pruning, they know just how to do it, so that the yard remains and looks healthy. Trusting them to carry out that work means you get two things. One, you feel better knowing that this thing of importance to you, your yard’s health, is entrusted to professionals with years of experience. And second, you free up your time that would be spent performing these tasks and research to gain the knowledge required to achieve the results desired, to focus on other areas of importance for your life. You’re gaining in two places, not just one.

That, admittedly somewhat loosely, is what you get when you elect to go with an MDR to implement an EDR solution. And just like with the landscaper, there are additional costs when you do it yourself that you incur when trusting it to experienced professionals.

All that equipment that landscapers use, you would need to buy for yourself. That includes the fuel, replacement blades, sharpening the blades, pruners, trimmers, edgers, seed, insecticide, plant formula, all of it. Those costs recur; they don’t go away. Same is true with implementing your own EDR. All the tools, watchlists, implementations, APIs, workstations, sandboxes, all the utilities that you may not even think of, are a recurring cost. And that doesn’t cover the cost of staffing and training that you would have to incur. Plus, you get the benefit of all the knowledge they gain from working on all the other houses that they service, which allows them to see and diagnose potential issues faster or make recommendations to get ahead of an issue they’ve encountered at another home recently. They’re aware of trends because it’s just a part of what they do. Of course, that will all depend on the value that they provide. Are they doing the bare minimum, mow, trim, prune, preseason clean, postseason clean? Or are they a committed partner? I know which one I’d prefer.

Endpoint Detection Response, EDR, and Managed Detection Response, MDR, are an integral component of what we call, “Continuous Security Monitoring.” Real-time insights, data points for correlation and aggregation, and ability to respond to threats as they’re occurring, a lot of times at the point of attempted entry, before they get to taking action within a system. Frankly, in today’s business world, having them is table stakes. Insurance carriers will ask if you’ve deployed them, your partners will ask about it, and many of your clients and prospects will ask about it. The days of rolling out an antivirus solution alone are over. Going back to our suburban home analogy, having an alarm system is pretty much the same thing. It doesn’t mean we stop putting locks on the doors and windows, it just means that we acknowledge that times have changed, and having someone be able to monitor our valuable assets for us 24/7 is a must-have. And we trust a service provider to enhance the capability and manage the monitoring, detection, and response for us. Think about it, do you really want to, can you really afford to, monitor and respond to your doorbell camera every time it goes off? 24/7?

And hopefully now you have a better understanding of what everyone means when they’re talking about EDR and MDR, what they provide you, and how they differ when you’re determining which is the best option for your organization. I think EDR is incredibly vital to a security program and hope you do now too.

Until next time, I’m Thomas Pioreck for Demystifying Cyber.

On-Demand Webinar: Improving Healthcare Cybersecurity So Patient Data Doesn’t End Up on the Dark Web
https://www.cybermaxx.com/resources/on-demand-webinar-improving-healthcare-cybersecurity-so-patient-data-doesnt-end-up-on-the-dark-web/
Wed, 07 May 2025 20:29:43 +0000

Watch this insightful webinar where we delve into the world of healthcare cybersecurity, including the alarming rise of ransomware attacks in healthcare systems, examples of real-world healthcare data compromise, and effective strategies you can put in place to safeguard your data.

Hosted by CyberMaxx and HS-ISAC, this session will provide context and stories from cybersecurity experts and healthcare customers, validating the real-world impact of cyber threats happening daily, targeting medical and dental organizations of all sizes.

This webinar will cover the following:

  • The Dilemma: Understand the critical data points and statistics highlighting the increase in ransomware attacks targeting healthcare institutions.
  • Expert Perspectives: Discover our official stance on essential cybersecurity measures, including adopting Zero Trust architecture and Multi-Factor Authentication (MFA).
  • Real-Life Stories: Hear from a cybersecurity healthcare professional who will share firsthand experiences and challenges faced in protecting patient data.
  • Tactical Insights: Gain practical advice from security experts on implementing robust cybersecurity tactics.

Password Managers
https://www.cybermaxx.com/resources/demystifying-cyber-password-managers/
Tue, 06 May 2025 15:05:59 +0000

Demystifying Cyber: Password Managers
In this video series, we’re here to peel back the curtain and show how the “tricks” in cyber are done so we can all have a better understanding.

Tom Pioreck, CyberMaxx’s CISO, will be diving into all things password managers. In this episode of “Demystifying Cyber,” we’ll unlock the mystery and clear the confusion surrounding password managers.

For your convenience, we’ve included a transcript of the 16-minute episode below. Feel free to watch the video on YouTube.

Transcript

Password managers, or password vaults, are regularly mentioned by security professionals as a critical tool for securing our accounts. But what are they? How do they ease the burden and confusion of managing our accounts? How do they help us follow current “best practices” for our passwords? And is a digital vault really the only “secure” method? Hello, I’m Thomas Pioreck, a cybersecurity professional with close to 20 years in the industry and self-professed most paranoid person in the room. On this episode, we’ll unlock the mystery and clear the confusion around Password Managers.

The famed author Arthur C. Clarke had three laws when it came to science fiction; the third law is, “any sufficiently advanced technology is indistinguishable from magic.” We’re here to peel back the curtain and show how the “tricks” in cyber are done, so we can all have a better understanding. This is “Demystifying Cyber.”

It’s probably no surprise to anyone that the average person is responsible for managing over 100 accounts, when we consider what we manage and maintain for work and home. That’s an awful lot of identities to remember, enough to make Jason Bourne confused. Add to that the latest and greatest “best practice” recommendations for credential creation. Create a unique password per account, with each password having a not so insignificant number of characters, at least 15 but better to get into the 20s, usually requiring a complexity component, that’s when we’re told the password needs to contain uppercase, lowercase, numbers, symbols, but not all symbols, only these six or seven, which change depending on the platform. Oh, and don’t use passwords, use passphrases, but make sure those are random words too, nothing personal, like “I like turtles” or anything. Random, everything completely random. Then, don’t forget a single one. It’s total chaos, anarchy, dogs and cats living together- mass hysteria! And some security practices even recommend varying your username per platform, not just going with the same email address as an account name. That one email address that you’ve used to sign up for almost all those accounts. None of this takes into account that human brains aren’t designed to function this way.

And a lot of those accounts, they want us to set up “security questions,” questions that only we should know the answer to, in order to verify our identity to gain access to the account when, inevitably, we forget which of the hundreds of variations of “YankeesRule2010” we used, or act as some kind of weak MFA process (check out our episode on MFA, multifactor authentication, not so shameless plug). The solution to that, according to privacy paranoid security wonks such as yours truly, is to vary those answers too. Make ‘em up. Lie. See, the bank, credit card company, gambling site, gamer site, whatever, doesn’t actually know your mother’s maiden name, or the street you grew up on, or who your favorite elementary school teacher was, they just want to have a question to verify you against, so they’ll accept whatever answer you give them. (Let’s put aside the fact that most of the real answers are so easily discoverable thanks to social media, it’s trivial to bypass them.)

So, with all that going on, how is one person supposed to keep all that straight in their head? It’s not like you don’t have a great variety of info rattling around the ol’ gray matter and there’s only so much capacity. If you’re going to remember more, then something is likely to get pushed out. I don’t know about you, but I don’t think I could get away with forgetting an anniversary or birthday with the explanation, “Look, I needed a login for the LEGO site to open an account and get VIP points, once that went in the old cranium, something less critical had to go.” Luckily, there is a solution that covers almost the entire conundrum in its entirety. Password managers.

Password managers, also known as password vaults, allow you to manage all the login and account information and data we just covered, in a single location. In fact, given that there’s more than passwords, sorry, passphrases, that they help you with, I argue that we should really refer to them as credential managers or identity managers. But I also didn’t hate New Coke as a kid, so take that idea with the requisite grain of salt. To keep things simple, we’ll just refer to them as password managers in this episode, but remember, they can do a lot more than help you just manage the passwords.

Sounds great, dude, so what is it? I’m glad you asked. Password managers are applications that allow you to generate random passwords or passphrases, on demand, and save them to what is typically called your vault. The random generator component can also simply be copied and pasted, which is where we’re able to utilize them to generate random answers to those ridiculous security questions. We all know those: you enter username and password, and you get the computer version of, “none can pass by me, unless you answer my questions three.” You can use the same random generator utility to create those unique usernames, provided that the account you’re signing up for isn’t forcing you to use an email address (and seriously, if your company has decided to force email addresses as usernames, stop it. Like eating other people’s lunches, stop it.) There’s also usually a notes field, which means you could save the security question and your random answer to the same entry as the account itself; we’ll cover the all-the-eggs-in-one-basket thing later. What’s more, the password manager will connect the URL, that’s the web address, for the site where you’re connecting the account as being associated with that account, and only prompt to fill it in automatically there. Oh, yeah, a lot of them will do that with a nice browser plug-in, so you don’t even really need to know if you’ve already created an account for said site; the password manager will just offer to enter the proper username and password combo. So, if you encounter a malicious, imposter site that looks like the web site you have an account on, the password manager wouldn’t find a match to the URL and wouldn’t offer to input your real credentials, thus adding a layer of protection when it comes to a component of many phishing attacks. Something I know everyone in my company is going to receive at some point. And as a business, that extra layer of defense boosts security without impacting productivity.
You’re now adding a layer of protection with URL recognition that mitigates when someone clicks on a malicious link and takes them to a login impersonation site.

But wait, there’s more! Do you have personal Wi-Fi at home or at the office? Sure, you do, we all do. Did you know you should create a custom name for the wireless network and change its password as a best practice? But again, you don’t want to create something simple? That’s right, the password manager and its random generator can help you here too!! And many password managers have a simple “sharing” feature, where you can select certain individuals to share specific accounts with (yes, you should do this sparingly) and you can just provide access to that folder to the others living in your house. This is usually part of their family plans. For a business? I can have the Wi-Fi for the office changed whenever necessary, simply updating it in a company-wide share and just send a message to everyone that the password is updated in the folder. Personally, I prefer to enter the creds into each device or just share the password one-time verbally, but my family already knows I’m paranoid and nuts, but they love me, so they humor me. (There’s a lot of nodding to me, then I’m pretty sure I’ve detected a lot of shared eye rolling when I look away, but again, I’m a paranoid kind of guy.) But to take that same one-to-one communication of the password change within a company? Yeah, no thanks.

That’s a lot of good for one solution to provide, isn’t it? Granted, a lot of that convenience comes from it being a technology-based solution, and yes, there are risks which we’ll get to later, but let’s talk “digital.” There was a time, quite a few years ago, when a lot of security folks, and I’ll admit that I was one of them, would see physical password diary books for sale in a bookstore (I know, right, I go to actual, physical bookstores, just to look around, and sometimes, crazy as it sounds, buy physical books. God, I feel old.) We were equating writing something into a physical record book with leaving your password on a Post-It note at your desk in the office. Both were about writing something down in a physical location, so both had to be bad, right? We were wrong and close-minded. Yes, leaving passwords written down around your desk at work is a bad idea. There’s too much uncontrolled and random access there for you to presume that no one is ever going to see that handwritten note. But these password diaries were sold as something for you to keep at home or carry with you in a bag (though I don’t like that part). Do they have the random generator? No, of course not.

However, you can still create random passphrases when you’re at home and using a physical notebook. Just pick up a couple of random books or magazines you have lying around the house, really anything with text, pick at least one word from each of at least three of them, and string them together in your little notebook. Bingo, bango, you’ve got a random passphrase. The same goes for creating a random answer to a security question, a Wi-Fi password, or the security phrase for your alarm company.

What you don’t get with the physical notebook that you do get with its digital counterpart is that URL recognition, so you need to be more mindful when going to websites and entering the credentials from your book. So why did so many of us acknowledge the error of our ways and come to appreciate the Prequels- sorry, I meant, physical password books? It’s all about threat modeling (which is a whole topic on its own). Basically, you need to look at the whole picture: what threat would actually realize the risk you’re protecting against. The people who prefer the physical notebooks are likely not technically inclined, which also likely means they’re only using their passwords on their home computer at their home. So, the only way for their written passwords to be discovered is if someone breaks into their home, rummages through the desk, and finds the notebook. Not an impossible scenario, but I argue if that were to occur, you’d have a lot more concerns than just that one notebook. It’s the same reasoning I don’t cover my webcam. *gasp*

I know! Sacrilege. But here’s why. If a threat actor is watching me through that webcam, in my view, I have bigger problems. That means they’ve somehow compromised my computer to gain control and access the webcam. That’s a much bigger issue for me than someone seeing my regularly confused face as I look at my screen.

The long and the short of it is that the paper version of these managers got a bad rap, and a lot of security folks are to blame. Now, leaving passwords written down around your desk is still a very bad practice but it’s not the same as a book at your home, locked away in your desk. Having a spreadsheet saved with our credentials also isn’t good because once the computer is compromised, our passwords are gone too.

Now, for all of you yelling at the device you’re seeing or hearing this through, let’s address the “all your eggs in one basket” question. Yes. Yes, if you do this, yes, you are putting all of your eggs in one basket. And given today’s prices, we’re hesitant to risk all of them in one location. I get it. How’s it any different than ye olde spreadsheet? Well, the password manager will sync across devices. It’ll also identify the right URL according to what you’ve set for the account. It is more likely for your computer to be compromised than the vendor’s vault system, though, if we’re being transparent, there have been a couple of hiccups over the years. But we have MFA to apply to the account. And it allows us to quickly change our master password, then go account by account to change those. Or you can get a little creative.

Let’s say you don’t want to put your faith and trust entirely in the credential vault, what are some things you can do additionally? Two quick examples of practices that I know a few people follow.

One, have a custom suffix you add to the generated password saved in your vault that only you know. It’s not the same as using the same password across all accounts, we’re just manually adding a few characters at the end of that randomly generated password. The other method is having two password managers and using them in tandem. Huh? Yup, two of them. You have Vault A and Vault B. They don’t know about each other, but you do. As far as the vaults are concerned, they’re the only one. A strong method for improving password security, lousy method for managing personal relationships. You store the first half of a password in Vault A and the second half in Vault B. Sure, it’s double the copying for when it’s time to login but this method does provide that extra layer some folks are looking to have. Again, the level of complexity and extreme all comes down to your personal threat model.

I think we can all agree that the number of accounts we’re going to need to manage is only going to increase and not insignificantly. The generations after us are only going to have it worse. I think password managers are a great tool and they’re relatively simple. There are more than a few “normies” that I’ve shown them to, helped them set up and use them, and they haven’t looked back since. And the younger generation are extremely tech-inclined, so starting them early shouldn’t be an issue at all. Let them learn and remember safe browsing habits, how to maintain privacy online, and not have to keep all those ridiculous passwords in their heads like so many of us struggled with.

Are passwords the best solution for securing accounts? Almost all signs point to “no,” but they are the most prevalent. So, we’re not doing ourselves justice by scoffing at them, and telling folks to move on to passwordless, passkeys, or whatever the new hotness is, that’s even more technical.

So, in the meantime, for ease and convenience, we have password managers. They’re simple and effective. And hopefully today, we’ve “unlocked” their secrets for you. See what I did there?

Until next time.

The post Password Managers appeared first on CyberMaxx.

Webinar: Improving Healthcare Cybersecurity So Patient Data Doesn’t End Up on the Dark Web (https://www.cybermaxx.com/resources/webinar-improving-healthcare-cybersecurity-so-patient-data-doesnt-end-up-on-the-dark-web/, published Tue, 25 Mar 2025 19:26:59 +0000)
Join us May 7th, 2 PM EST for an insightful webinar where we delve into the world of healthcare cybersecurity, including the alarming rise of ransomware attacks in healthcare systems, examples of real-world healthcare data compromise and effective strategies you can put in place to safeguard your data.

Hosted by CyberMaxx and HS-ISAC, this session will provide context and stories from cybersecurity experts and healthcare customers, validating the real-world impact of cyber threats happening daily, targeting medical and dental organizations of all sizes.

Date, Time: May 7th, 2 pm ET.

Attend live, or register for on-demand here.

A Few MDR Case Studies: On-Demand Webinar (https://www.cybermaxx.com/resources/a-few-mdr-case-studies-on-demand-webinar/, published Tue, 28 Jan 2025 15:23:34 +0000)

During this 30-minute webinar, Neil McCann and Steve Wilson, CyberMaxx Sales Engineers, will be reviewing and discussing several common case studies our clients have experienced.

While we won’t be naming the clients for obvious reasons, we will be diving into the issues, the solutions, and how we tackled these challenges. We will also cover the process from detection or alert to resolution, and dive into the importance of the human element of MDR and why a 24x7x365 SOC is critical to quick resolutions.

This webinar covers the following topics:

  • Malware detections, ransomware, abnormal traffic, and business email compromise
  • MDR overview
  • How to get to resolution fast

Proactive Security as a Weapon (https://www.cybermaxx.com/resources/proactive-security-as-a-weapon/, published Tue, 07 Jan 2025 13:00:53 +0000)
Red team experts share insights on how organizations can use proactive security as a weapon and explore emerging technologies that support this.

Using Proactive Security to Stay Ahead of Adversaries

As cybercrime and nation-state hacking teams continue to evolve to evade detection, security operations teams must ensure they stay one step ahead of adversaries by employing proactive security practices.

Proactive security is an evolution beyond simply trying to prevent risks and react to them after they occur. Rather, it focuses on reducing cybersecurity risk by trying to anticipate risks before they occur. Typically, this approach involves modern technologies such as attack surface management, incident simulation, and vulnerability management.

It also requires organizations to understand the value of their assets from the perspective of adversaries so they can prioritize the protection of the most important assets instead of simply deploying security tools.

Prioritizing Resources According to the Threats Faced

Organizations may need to plan and prioritize differently according to whether they are facing threats from nation-state actors or financially motivated criminals.

However, Zack Hoffman, Director of Professional Security Services at CyberMaxx, points out that these threats are not always as different as they may seem. He underscores the importance of continually monitoring activity on the dark web and looking closely at the risks that users are being exposed to.

“Doing regular tabletop exercises and actually practicing what you would do in some of these different attacks is instrumental in making sure that your organization and your teams are prepared,” says Hoffman. “Actually putting your policies into practice and testing them is the best way to kind of prepare your own teams for that activity.”

Proactive Security for Small Organizations

While large organizations often have ready access to the budgets and resources required to carry out these exercises, smaller organizations often find it challenging to justify security budgets.

Organizations that haven’t experienced major incidents may find justifying their budgets to management to be especially challenging.

However, proactive measures like penetration testing and continuous automated red teaming can help these organizations build the case for increased security investment.

Emerging Attack Techniques That Organizations Should be Simulating

Organizations can get ahead and figure out what kind of emerging attack techniques they should be simulating by staying up to date with industry news.

For instance, in recent years, attacks on the cloud environment have been on the rise. Hoffman says that securing Azure, AWS, and GCP Cloud services is vital for organizations. “Being able to simulate and do assessments against the cloud infrastructure is huge,” he says. “Emulating different Red Team operations in cloud environments is probably the place where I would start.”

Detecting Adversaries by Monitoring Common Entry Points

Organizations can also benefit from deploying deception technologies to monitor and detect unauthorized access to IoT and OT devices, as these can often be overlooked and unprotected and can provide entry points for adversaries.

“A lot of times, we deploy deception hardware out into customers’ environments to mimic their IoT devices so that if somebody’s accessing those and is unauthorized, we get alerts on it,” says Hoffman. “Then we know to go hunt for that activity in their environment on their other IoT devices or from a network traffic perspective.”

Overcoming Budget Limitations Using Existing Tools

Some organizations are getting creative by using their existing security information and event management (SIEM) and endpoint detection response (EDR) tools for threat hunting in an effort to be proactive, even if they don’t have the budget for more advanced proactive security solutions.

However, this requires highly specialized security analysts, which are in short supply. Even if they do end up hiring experienced analysts, this can be a long process. “It takes time for threat hunters to understand your environment and know what they’re looking for or what the anomalies are,” says Hoffman.

Hoffman also highlights the benefits of vulnerability risk management programs. “Knowing what your assets are, and also knowing which ones are vulnerable, where patches may need to be applied, and prioritizing your vulnerabilities to help reduce your risk surface is an important part of being proactive as well as reactive,” says Hoffman.

The Benefits of Managed Service Providers

Managing and utilizing these tools to their full potential and using them to carry out threat hunting effectively requires an immense amount of skill.

As a result, more organizations are turning to Managed Service Providers (MSPs) to protect their organizations against threat actors by carrying out real-time monitoring. This approach provides 24/7 coverage against threat actors, who are working around the clock to take advantage of vulnerabilities.

Using AI to Detect Suspicious Behavior

Many vendors are now incorporating AI-driven solutions such as Natural Language Processing (NLP) to identify suspicious behavior that falls outside the baseline of normal activity.

“AI is a force multiplier. It can pull more relevant data associated with the alert that analysts are looking at,” says Hoffman. “It incorporates the different feed data and threat intelligence data that you may have in your databases to immediately give that analyst a snapshot of activity that may be related.”

Despite progress in AI, Hoffman says he does not believe it will ever get to the point where it can replace the need for important manual threat analysis work.

Improving Organizational Resilience with MDR

As the panel draws to a close, Hoffman reiterates the benefits of using MDR providers. “It’s a great source of talent for organizations that don’t have the time or know-how to recruit that kind of talent,” he says. “It really enables you to have a more security posture.”

Finally, he underscores the importance of regular internal and external penetration testing for all organizations. “I think it’s a necessity in this day and age to really make sure that your business is resilient,” he says.

What’s Keeping These CISOs Awake at Night? A Fireside Chat (https://www.cybermaxx.com/resources/webinar-whats-keeping-these-cisos-awake-at-night-a-fireside-chat/, published Thu, 25 Apr 2024 15:18:39 +0000)
In this fireside chat, CyberMaxx CISO Aaron Shaha and Triden Group CISO John Caruthers sit down with CyberMaxx’s Director of Engineering Jarod Thompson to share their thoughts on the evolution of the adversary landscape and how cybersecurity teams need to prepare themselves today. Aaron and John’s roles provide access to over 600 customers collectively, giving them insights across an extremely wide and varied attack surface.

They’ll discuss what they are seeing and what’s keeping them up at night, the current threat landscape, and how things are evolving in 2024 and beyond.

Meet The Speakers

Aaron Shaha, CISO

CyberMaxx

Strategic Information Security Executive and subject matter expert with a record of pioneering cyber security trends by developing novel security tools and techniques that align with corporate objectives. Known for building and leading strong teams that provide technology enabled business solutions for start-ups, industry leaders (Deloitte and its Fortune clients) and government agencies (NSA). Skilled at developing information security strategies and standards, leading threat detection and incident response teams to mitigate risk and communicating effectively across all levels of an organization.

John Caruthers, Exec VP & Chief Information Security Officer

Triden Group

EVP – CISO at Triden Group and the Founder of his own company. John is passionate about helping businesses protect their data, reputation, and customers from cyber threats, and creating innovative solutions that align with their goals and initiatives.

Jarod Thompson, Director of Customer Engineering

CyberMaxx

Experienced Senior Solutions Engineer with a demonstrated history of working in the computer and network security industry.

Decoding AI in Security Operations​: Realities, Challenges, and Solutions (https://www.cybermaxx.com/resources/decoding-ai-in-security-operations/, published Wed, 24 Apr 2024 13:00:35 +0000)

From the perspective of security leaders, we will explore the promises AI has made and the reality it has delivered. Through real-world scenarios and practical examples, we’ll examine how security teams are poised to leverage the power of AI across the spectrum of threat detection and incident response.

This 20-minute on-demand webinar is an insightful conversation between two industry experts, Stephen Morrow, Vice President of Solution Engineering at Devo, and Gary Monti, Senior Vice President of Operations Defensive Security at CyberMaxx.

During this 20 minute webinar, you’ll gain insights into:

  • The benefits and limitations of AI in Security Operations
  • A view into the potential of today’s technology to security challenges
  • Understanding the importance of combining human ingenuity with AI to effectively combat cyber threats

As a teaser, here are a few of the questions Gary and Stephen will be discussing:

  1. What are some examples of how you have used AI in your Security Operations Center?
  2. 96% of security professionals are not fully satisfied with the use of automation in their SOC. Reasons for this include limited scalability and flexibility of the available solutions, costs of implementation and maintenance, and a lack of expertise and resources to manage the solution. What are some ways that you and your team have tried or are trying to overcome these challenges?
  3. A growing concern in the industry is the usage of unauthorized AI. In a survey conducted by Wakefield Research on behalf of Devo, 96% of IT security professionals admit to someone at their organization using AI tools not provided by their company. How can management help to combat this issue?
  4. How do you balance the use of AI as well as human ingenuity in your operations?

Sorting Out the Crowded Marketplace: Finding an MDR Provider that Meets Your Needs (https://www.cybermaxx.com/resources/sorting-out-the-crowded-marketplace-finding-an-mdr-provider-that-meets-your-needs/, published Mon, 18 Dec 2023 17:31:19 +0000)
Protecting yourself from today’s evolving cyber threats requires careful navigation through the crowded marketplace of MDR providers. Choosing the right MDR provider is crucial for addressing risks specific to your organization.

Understanding the Flexibility and Partnership of an MDR Provider

The working relationship with an MDR provider is just as vital as the monitoring, threat detection, and incident response services. Your MDR vendor should seamlessly fit into your organization and act as an extension of your team. Instead of viewing MDR as a one-sided client-service relationship, consider it a collaborative partnership. In this partnership, both parties prioritize the other’s best interests and maintain open communication to achieve optimal security results.

Solution flexibility is paramount in MDR services. During procurement, look for the red flags. Is the provider too rigid? Will they stay strict with the contract’s deliverables, or can they quickly add ad-hoc services based on your needs? This type of responsiveness is vital to successfully integrating MDR into your business.

Consider the ramifications, say, during an actual cyber attack. Imagine a scenario where your company is amid a critical incident response. If, in such a situation, your MDR provider delays assistance to review service terms, the consequences could be catastrophic. Treat MDR like a staff member. If you get pushback when assigning or needing specific tasks, that’s a red flag.

Check out our panel discussion with Mike Cena and Richard Weiss in the video below on the importance of MDR responsiveness to your needs.

(Watch the full Panel Discussion Series on our YouTube)

Managing and Utilizing Logs in MDR Services

Security logs play a crucial role in MDR services for network visibility. This data enables providers to investigate abnormal activity and identify threats. It also helps providers ensure their controls work as intended and spot areas on the network that need security improvements. Without access to this data, there’s no way an MDR provider can effectively deliver their services.

Though necessary, these logs come with their fair share of challenges. Companies are constantly undergoing digital transformations. These changes can involve investments in new software like SaaS products or major shifts in their IT infrastructure, such as switching cloud providers. If you don’t inform your MDR provider about infrastructure changes, they won’t have access to the new log data. This lack of information will leave them blind to potential security threats on your network.

As mentioned, the working relationship and MDR partnership contribute to optimizing your logs. Keep in touch with your MDR provider through routine meetings to get clear guidance on managing logs and maintaining visibility. They can even make recommendations that expand your security capabilities, such as application programming interfaces (APIs) or hooks.

For more detailed insights from our expert panel on MDR log management, check out the video below.

(Watch the full Panel Discussion Series on our YouTube)

The Importance of Industry-Specific Experience in an MDR Provider

Because so much of cybersecurity and compliance management are intertwined, it’s essential to consider industry-specific experience in your MDR selection process. You need an MDR provider who can differentiate themselves by specializing in your industry niche. They must have expertise in meeting unique regulatory requirements, infrastructure needs, and business goals.

Bringing in an MDR vendor to check off a box can be detrimental. That’s especially true in highly regulated industries like financial services or healthcare. Non-compliance or incidents can result in hefty fines and harm your brand’s reputation. Regardless of whether or not there are strict data security regulations in your industry, every company is now a technology business at its core.

For incident response, you need fundamental controls like identity management, firewalls, endpoint security, and operational capabilities like MDR. In addition to the solutions, ensure your MDR provider complements your technology stack. They should have a pricing model that fits your budget. Check if they offer service packages tailored to your needs, like complete or co-managed MDR services.

The video below explains the benefits of finding an MDR partner with industry-specific experience.

(Watch the full Panel Discussion Series on our YouTube)

Enhancing Security Investments Through MDR Platforms

MDR enhances existing security solutions like network firewalls, endpoint security tools, and SIEM systems. This enhancement boosts the overall value of your security investments. In addition to its primary services, MDR offers more. It provides 24×7 monitoring for threat detection and incident response. MDR also allows you to consolidate your data sources. This feature enables centralized reporting on activity, security performance, and potential risks.

These singular reporting systems provide a comprehensive view of your security program. This comprehensive view offers critical insights that enable you to manage controls by:

  • Comparing key performance indicators (KPIs) to your security metric goals
  • Running quarterly reviews to ensure governance policies are effective
  • Reviewing threats your security tools spotted (or failed to spot)

Check out the video below for our panel discussion on the value of MDR platforms in your security reporting.

(Watch the full Panel Discussion Series on our YouTube)

Decoding the MDR Provider Selection Process

When evaluating MDR options, find a vendor who can expand past the service provider role and be a true business partner. Consider several key differentiators. First, assess their ability to rapidly respond to changes in your needs, including ad-hoc services. Second, determine how they can enhance your existing security controls. Lastly, ensure they meet industry-specific requirements. These factors are critical in differentiating providers in the MDR marketplace.

Download our Managed Detection and Response Buyer’s Guide to sort through the noise and get insights on finding an MDR vendor that serves your priorities and regulatory needs while aligning with today’s security analysis best practices.
