Perimeter security appliances source of most ransomware hits

Compromised or vulnerable perimeter security appliances and devices – especially virtual private networks (VPNs) – formed the initial access vector in over half of observed ransomware attacks during 2024, according to data released this week by cyber security insurance provider Coalition in its latest annual threat report, covering 2024.

US-based Coalition, which began offering its so-called Active Insurance policies in the UK back in 2022, said that cyber criminals compromised such appliances in 58% of claims with which it dealt during 2024, with the second most widespread access point being remote desktop products, blamed in 18% of claims.

“While ransomware is a serious concern for all businesses, these insights demonstrate that threat actors’ ransomware playbook hasn’t evolved all that much – they’re still going after the same tried and true technologies with many of the same methods,” said Alok Ojha, head of security products at Coalition.

“This means that businesses can have a reliable playbook too, and should focus on mitigating the riskiest security issues first to reduce the likelihood of ransomware or another cyber attack. Continuous attack surface monitoring to detect these technologies and mitigate possible vulnerabilities could mean the difference between a threat and an incident.”

Unsurprisingly, the most commonly compromised products were all built by ‘household’ names in the industry, including the likes of Cisco, Fortinet, Microsoft, Palo Alto Networks and SonicWall. The most common initial access vectors (IAVs) were stolen credentials, used in 47% of such intrusions, and software exploits, seen in 29% of cases.

Coalition’s analysts warned that exposed logins were fast-emerging as an underappreciated and acute driver of ransomware risks. They claimed that the organisation detected more than five million remote management solutions and tens of thousands of login panels exposed on the public internet. It added that, according to its data, most applicants for cyber insurance (65%) had at least one internet-exposed web login panel, and securing these is a requirement for buying its products.

Out of these, the most commonly exposed admin login panels related to VPNs from Cisco and SonicWall, which between them accounted for over 19% of detected exposed panels, followed by Microsoft email services.

In 2024, Coalition also observed a significant number of exposed Citrix panels, which caused significant losses, including more than a billion dollars from the infamous Change Healthcare incident in the US, in which a ransomware gang used stolen Citrix credentials and exploited a lack of multifactor authentication to access the victim’s systems.

CVEs set to jump in 2025

As part of the set of services Coalition provides, it sends out zero-day alerts to its customers as and when new vulnerabilities are discovered, and constantly monitors for new vulnerabilities.

As such, its annual report also includes data on some of the more widespread common vulnerabilities and exposures (CVEs) it saw in 2024 – issues with Citrix, Fortinet, Ivanti and Palo Alto Networks prominent among them.

Looking ahead to 2025, Coalition’s analysts said the number of published vulnerabilities would likely increase to more than 45,000, a rate of nearly 4,000 every month, up 15% over the first 10 months of 2024.

This aligns closely with data released in February by the Forum of Incident Response and Security Teams (First), a non-profit, which suggested that CVE volumes may even top 50,000 this year.

A combination of new players in the CVE ecosystem, evolving disclosure compliance practices and a rapidly expanding attack surface is likely behind the growing number of vulnerabilities being reported.

“This year’s report focuses on the most crucial security risks that under-resourced organisations should understand to better calibrate their defensive investments to bolster resilience,” said Daniel Woods, senior security researcher at Coalition.

“Calibration involves balancing security investment across vulnerabilities, misconfigurations and threat intelligence, while also responding to emerging threats, such as zero-day vulnerabilities exploited in the wild. That’s why Coalition issues Zero-Day Alerts to help businesses, especially SMEs with limited security resources, stay ahead of these vulnerabilities and reduce alert fatigue by prioritising those posing the greatest risk.”

The Security Interviews: Yevgeny Dibrov, Armis

Over the past 20 to 30 years, the intelligence community has generated a stream of cyber security leaders – private cyber security companies are littered with former operatives of the American and British intelligence services.

But in Israel’s case, the intelligence-to-cyber pipeline has produced arguably the highest density of cyber security startups and organisations in the world. The likes of Check Point, CyberArk, Imperva, Palo Alto Networks and Radware can all claim links back to the Israel Defence Force’s (IDF’s) technology units.

Among these units, which likely date back to before Israel’s founding in 1948, are the highly secretive cyber weapons and tech development shop Unit 81, and the more widely known signals intelligence Unit 8200.

Israel’s astonishing concentration of cyber security talent is largely attributable to both Unit 81 and Unit 8200, whose existence has only been fairly recently acknowledged. Mossad may get international attention, but it is Unit 8200 that gets the data to support it and Unit 81 that builds the tech.

Acting as incubators for cyber security and hacking talent, these units benefit from Israel’s compulsory military service laws and intensive screening processes, which divert individuals with potential from frontline armed service, although they also scout after-school computer clubs for likely-looking candidates.

That the IDF is the wellspring of Israel’s cyber talent is these days no secret, but Armis CEO, Yevgeny Dibrov – who is allowed to say little more about the time he served in Unit 81 beyond the fact that he was there – says there’s more to the growth of Israel’s cyber community than just the hothouse conditions at the IDF.

He compares the environment to that of a startup. “When you’re a startup, when you’re building something, you don’t have much budget, but with what you have you still need to do outstanding things that differentiate a lot, that achieve a lot, and that puts you in a great place.

“We don’t have the same budget as the CIA or the NSA, maybe point one of a percent, but we have no choice. There is no other way,” he explains. “We have a lot of enemies and we want to win.”

Make the impossible possible

At first, Dibrov’s pipeline into the IT industry does not seem all that different from most other people’s – stemming from an initial schoolboy interest in computers, maths and physics – but he became hooked when he was tapped for Unit 81 as a fresh-faced teen.

“In the years I spent there I became fascinated by different capabilities, fascinated by this world, fascinated also by working hard for my country,” he says. “Twice during my service I was part of the team that won the Israel Defence Prize, which is for outstanding achievements in the technology space.

“The slogan of our unit was ‘Make the Impossible Possible’,” says Dibrov. “It’s written over the door when you enter. You see it every day, and so you kind of live towards it. It’s not just a cliché.”

But the intelligence forces serve not only as a hub for creative talent, but also as a hub for team-building. Indeed, of Armis’s first cohort of employees, about 50% served alongside Dibrov himself at Unit 81, and the others worked alongside his co-founder – and chief technology officer (CTO) – Nadir Izrael at Unit 8200.

“People get to know each other, and during my time at Unit 81, we were always talking to alumni that actually started companies and did great things,” says Dibrov. “I remember my team leader in the army was [Wiz CEO] Assaf Rappaport, so we were always meeting some of the alumni from our unit and learning what they had done.

“It makes you excited,” he says. “It makes you think, ‘Okay, when I’m out, here is what I want to do’. I already knew that I wanted to start a company.”

At the end of his service, Dibrov went to study at Technion, the Israel Institute of Technology, between 2010 and 2013, and alongside his studies helped set up Adallom, with which Rappaport was also involved. Adallom was a cloud access security broker (CASB) specialising in visibility, governance and protection across business applications such as Box, Google Apps, Microsoft Office 365 and Salesforce.

The firm’s Office 365 work clearly stood out, because in September 2015, Microsoft bought the company for over $300m. Just a couple of months later, Dibrov and Izrael started Armis, with the first employees coming on board in February 2016.

Google Maps, but for vulnerable assets

Asked to “explain like I’m five”, Dibrov describes Armis as a cyber exposure management platform that essentially provides its customers with a Google Map of their IT environment, with every single asset accounted for, from something run-of-the-mill such as a laptop or smartphone, to operational technology (OT) such as industrial controllers, and even medical equipment.

On top of this basic map, Armis provides additional layers covering security risk discovery, monitoring and management, and ultimately, remediation.

“We want to not just allow you to see your risk, but reduce it, whether through patching devices or mitigating threats with different rules in your technology environment,” he says.

Armis moved into the OT/internet of things (IoT) side of security earlier than many of its peers, mapping such devices early in its history, before the topic really started to hit mainstream security conversations about six or seven years ago. What was the spark that led Dibrov to make this bet?

“We really started from talking to a lot of customers, talking to a lot of CIOs, and we were hearing about the explosion of connected devices,” he explains. “We looked at the variety of different environments and we saw there was a gap.

“On the one hand, you have laptops and servers that are covered by your antivirus or next-gen antivirus, and then you have everything else. And then everything else changes in different industries. If you look at an airport, they have a big gap around a lot of operational technology stuff. They have different distribution centres, logistics centres and more. They have datacentres. They have buildings with building management systems.”

At about the same time, incidents such as NotPetya and WannaCry were exposing the precarious security of such environments – particularly in healthcare settings – and this helped push people towards a more holistic view of cyber security.

“It was a huge push across the board,” says Dibrov. “Everyone suddenly understood that they needed to have visibility into what they have in these environments – because imagine if I’m an attacker, why would I attack a laptop if the laptop has 50 agents on it? I attack the most vulnerable thing, and that’s usually devices that don’t run any agents or antivirus, devices that are mostly not updated or cannot be patched, and a bunch of old XP machines in those areas.

“These devices are often the most important in the organisation. Look at a hospital. How can you compare the importance of a laptop versus an MRI scanner?”

Customers took to this like ducks to water, and today Armis works with over 35% of the Fortune 100.

From day to day there is no such thing as a typical customer, says Dibrov, but they tend to be larger, distributed organisations with highly complex environments and a lot of devices. Armis currently claims to have approximately 5.3 billion connected devices in harness.

What’s the weirdest ‘thing’ he ever found? “We have things like cars that connect to the company network, to wireless air fryers – we see those a lot. And the amount of types of cameras you would never believe,” says Dibrov. “Security teams have no idea what cameras they have, and they’re 90% Chinese, potentially exploited with backdoors, and often in the most critical environments.”

Like many of its peers, Armis has also been branching out into threat research and frequently publishes its own thought leadership on diverse topics – recent ones include breaking down CISA’s most exploited vulnerabilities and the emergence of DeepSeek.

“We have so much data now, and our customers can benefit from that,” says Dibrov. “We also acquired a company in the space, some super-talented guys who merge a lot of their own data with data we generated to provide early warning, which has been very significant.”

What’s next?

Keeping in touch with Armis’s buyers is a source of pride for Dibrov, who makes a point of frequently checking in with his user advisory board and speaking to six or seven individual customers every day, whether those are long-term existing ones, new ones, or those moving through their procurement or onboarding processes.

“What do they need? What do they think like? What do we need to do different?” says Dibrov. “This is something that is ongoing for us – always listening, always developing, always running fast, and always providing real solutions to real problems.”

Dibrov declares himself particularly paranoid when it comes to the competition, and likes to try to think about 18 months ahead in terms of innovation. “This is something that is always on my mind because that’s the biggest differentiator,” he says. “You need to have first of all the best product, and then to execute from there. That’s what keeps me up at night.”

Armis recently closed a large Series D funding round, raising $200m to take it to a total valuation of over $4bn. And having made two acquisitions in the past 12 months – Silk Security in April 2024 and CTCI in February 2025 – Dibrov is open to more, as well as exploring the possibility of an initial public offering (IPO).

Beyond these goals, Dibrov is, of course, keeping a close eye on the developing threat landscape. His views on where things are going tally with those of many other observers.

“We keep seeing a lot of state actors, from Russia, China, North Korea, Iran. We keep seeing them, and we keep seeing a lot of targeting of EMEA and US critical infrastructure and manufacturing,” he says. “We see them sometimes also leveraging AI [artificial intelligence]. My guess is we’ll see that more and more, and defenders really need to be prepared.”
