Millions of euros are lost to cyber crime each year, and online security is a growing concern for businesses. As the threat evolves and the number of attacks increases, maintaining preparedness and situational awareness is vital. Customised malware, DDoS attacks and the vulnerabilities of mobile and enterprise networks all present real challenges, and the attackers behind them use sophisticated techniques, analytics and intelligence of their own. For this reason Yoroi has created its own Defence Center. Our approach is the one pioneered to defend nations: we protect companies from known attacks, while our intelligence keeps identifying unknown attacks and quickly initiates countermeasures.
The Defence Center plays a central role in the protection of infrastructures. Through the installation of dedicated cyber probes in our clients' networks, we detect and manage risks and security incidents. Our team constantly analyses, categorises, evaluates, compares and integrates the information flow in order to identify threats and attacks:
Yoroi supports and manages mitigation through 'lean' procedures that aim to maximise the efficacy and efficiency of interventions, both in the time an intervention requires and in the downtime it causes. Our Defence Center team uses and implements HP, EPRI and SAS guidelines.
Genku is our cyber probe ('sonde'), a complete system for the analysis and mitigation of cyber threats developed to defend our clients. Key features of Genku are:
Genku integrates with the corporate Active Directory and identifies vulnerable users. It provides tools to analyse what happens in the corporate network: possible leakage of information, targeted attacks, opportunistic malware and unwanted programs that degrade overall company performance. Genku combines dynamic analysis of malware propagation with static analysis of enterprise vulnerability, continuously scanning the company's devices. It can integrate with several systems, including AlienVault, FireSIGHT, Splunk, Fortinet, Lastline, Sourcefire, Websense, Blue Coat, Check Point, IronPort and RSA OpSec.
Kanshi is Yoroi's response to ransomware. Our proprietary system, in constant dialogue with the Defence Center, applies behaviour-based heuristics to detect malware belonging to the ransomware family. It detects abnormal sequences of system calls and stops the process before it causes irreversible damage on the infected machine. An analyst is always called in for a 'second opinion' and decides whether the process is benign and how to proceed.
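The page does not describe Kanshi's heuristics, so the following is an added example of what a behaviour-based ransomware heuristic of the kind described above typically looks like; it is not Yoroi's code. It assumes a process/file monitor that reports events as simple dicts (write with the written bytes, rename, exec), and it constructs its own trace: a ransomware-like process that deletes shadow copies and overwrites many documents with high-entropy data, a word processor and a backup job. The thresholds are illustrative. The verdict 'suspend' corresponds to stopping the process and handing it to an analyst for the second opinion.

```python
"""Behaviour-based ransomware heuristic over a process event trace.

Added example, not Yoroi's Kanshi code. Events are plain dicts as they might
come from a file-system/process monitor (an assumption); thresholds are
illustrative and would be tuned per environment.
"""
import hashlib
import math
import os
from collections import defaultdict

HIGH_ENTROPY = 7.0          # bits/byte; documents sit well below, ciphertext near 8
MASS_WRITE_THRESHOLD = 5    # high-entropy overwrites of distinct files in one window
WINDOW_SECONDS = 10.0
SUSPEND_SCORE = 60          # at or above this the process is frozen for analyst review
SUSPICIOUS_EXTS = {".locked", ".encrypted", ".crypt", ".enc"}  # illustrative list


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 for uniformly distributed bytes)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_process(events):
    """Score the events of a single process; returns (score, reasons)."""
    score, reasons = 0, []
    encrypt_times = {}   # path -> first time it was overwritten with high-entropy data
    renames = 0
    for ev in events:
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= HIGH_ENTROPY:
            encrypt_times.setdefault(ev["path"], ev["t"])
        elif ev["op"] == "rename" and os.path.splitext(ev["new_path"])[1] in SUSPICIOUS_EXTS:
            renames += 1
        elif ev["op"] == "exec" and "vssadmin" in ev["cmdline"] and "delete shadows" in ev["cmdline"]:
            score += 50
            reasons.append("shadow copy deletion")
    # Sliding window over distinct files: mass encryption shows up as a burst.
    times = sorted(encrypt_times.values())
    for i in range(len(times)):
        j = i
        while j < len(times) and times[j] - times[i] <= WINDOW_SECONDS:
            j += 1
        if j - i >= MASS_WRITE_THRESHOLD:
            score += 40
            reasons.append(f"{j - i} high-entropy overwrites within {WINDOW_SECONDS:.0f}s")
            break
    if renames:
        score += 10 * min(renames, 5)
        reasons.append(f"{renames} rename(s) to a ransomware-style extension")
    return score, reasons


def triage(trace):
    """Group a trace by pid and return {pid: {"proc", "score", "reasons", "verdict"}}.
    'suspend' means: stop the process now and hand it to an analyst for a second opinion."""
    by_pid = defaultdict(list)
    for ev in sorted(trace, key=lambda e: e["t"]):
        by_pid[ev["pid"]].append(ev)
    result = {}
    for pid, events in by_pid.items():
        score, reasons = score_process(events)
        result[pid] = {"proc": events[0]["proc"], "score": score, "reasons": reasons,
                       "verdict": "suspend" if score >= SUSPEND_SCORE else "allow"}
    return result


def _ciphertext(seed: str, n_blocks: int = 32) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted content (constructed)."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(n_blocks))


# Constructed trace: a ransomware-like process, a word processor and a backup job.
SAMPLE_TRACE = [
    {"t": 0.0, "pid": 4242, "proc": "invoice.exe", "op": "exec",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
]
for _i, _name in enumerate(["q1.docx", "q2.docx", "budget.xlsx", "notes.txt", "plan.pptx", "cv.pdf"]):
    SAMPLE_TRACE.append({"t": 1.0 + _i, "pid": 4242, "proc": "invoice.exe", "op": "write",
                         "path": f"C:\\Users\\u\\Documents\\{_name}", "data": _ciphertext(_name)})
    SAMPLE_TRACE.append({"t": 1.5 + _i, "pid": 4242, "proc": "invoice.exe", "op": "rename",
                         "new_path": f"C:\\Users\\u\\Documents\\{_name}.locked"})
SAMPLE_TRACE += [
    # Benign editor: one low-entropy save and a temp-file rename.
    {"t": 2.0, "pid": 1001, "proc": "winword.exe", "op": "write",
     "path": "C:\\Users\\u\\Documents\\report.docx", "data": b"Quarterly report " * 64},
    {"t": 2.1, "pid": 1001, "proc": "winword.exe", "op": "rename",
     "new_path": "C:\\Users\\u\\Documents\\report.docx"},
    # Backup job writes one big compressed (high-entropy) archive: entropy alone is not enough.
    {"t": 3.0, "pid": 1500, "proc": "backup.exe", "op": "write",
     "path": "D:\\backup\\2024-03-12.zip", "data": _ciphertext("archive")},
]

if __name__ == "__main__":
    for pid, r in triage(SAMPLE_TRACE).items():
        print(pid, r["proc"], r["verdict"], r["score"], r["reasons"])
```

The backup job is the edge case worth noting: a single high-entropy write is normal for compressed or already-encrypted data, so the heuristic only scores bursts across many distinct files, combined with shadow-copy deletion and extension changes, which is why the analyst's second opinion still matters before killing a process.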
Cyber criminals are learning more about the most common detection methods and are specifically designing their attacks around them. Sandbox technology helps to expose new threats as well as old threats in new disguises, adding a further security layer to the modern-day threat environment. A network security sandbox is an analysis environment in which a suspicious program is executed ('detonated') and its behaviour observed, recorded and analysed.
Traditional sandbox technology is ineffective when the sample uses evasion techniques: if it recognises the simulated environment of the sandbox, it can hide its true behaviour and show it only on a real victim.
Yomi, unlike traditional sandboxes, has been conceived and developed around a different method of analysis: within the controlled perimeter the suspicious code is detonated in parallel in several sandboxes with different configurations. By comparing the responses of all the sandboxes, our analysts can evaluate whether even one of them shows abnormal behaviour. Even the smallest difference between the parallel results raises the potential hazard score, because code that behaves differently depending on its environment is a strong indicator of evasion, and a more in-depth analysis is then carried out, including reverse engineering if necessary.
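The comparison step is the part of the parallel-sandbox idea that a practitioner would want to see concretely. The following is an added example, not Yomi's code: sandboxes are modelled as dicts of environment facts and samples as Python functions that return the set of actions they performed (in real tooling both would be instrumented VMs and their traces; that is an assumption of the model). A constructed evasive sample fingerprints the host and exits cleanly when it believes it is under analysis; the differential verdict flags it because its traces disagree, while a single sandbox would have missed it.

```python
"""Parallel-sandbox differential analysis.

Added example, not Yoroi's Yomi. Sandboxes are dicts of environment facts and
samples are functions returning the set of actions they performed; real
tooling would collect traces from instrumented VMs (assumption). The point is
the comparison step: a sample whose trace differs between environments is
reacting to the environment."""

# Three constructed environments: a bare-metal host, a VMware guest and a
# stripped-down VM of the kind cheap automated sandboxes use.
SANDBOXES = {
    "bare-metal": {"mac_oui": "3c:5a:b4", "cpu_cores": 8, "uptime_s": 12 * 86400, "debugger": False},
    "vmware-vm":  {"mac_oui": "00:0c:29", "cpu_cores": 4, "uptime_s": 2 * 3600,  "debugger": False},
    "minimal-vm": {"mac_oui": "3c:5a:b4", "cpu_cores": 1, "uptime_s": 90,        "debugger": True},
}

VM_MAC_OUIS = {"00:0c:29", "00:50:56", "08:00:27"}  # VMware, VMware, VirtualBox


def evasive_sample(env):
    """Constructed sample: fingerprints the host and stays quiet under analysis."""
    actions = {"file:read config.ini", "net:dns lookup update.example.invalid"}
    under_analysis = (env["mac_oui"] in VM_MAC_OUIS or env["cpu_cores"] < 2
                      or env["uptime_s"] < 600 or env["debugger"])
    if under_analysis:
        actions.add("proc:exit 0")
        return actions
    actions |= {"file:write %APPDATA%\\svchost.exe",
                "reg:set HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
                "net:http POST beacon"}
    return actions


def honest_sample(env):
    """Constructed sample that behaves the same everywhere (control case)."""
    return {"file:read config.ini", "net:dns lookup update.example.invalid", "proc:exit 0"}


def detonate_parallel(sample, sandboxes=SANDBOXES):
    """Run the sample once per sandbox and return {sandbox_name: set_of_actions}."""
    return {name: set(sample(dict(env))) for name, env in sandboxes.items()}


def compare_reports(reports):
    """Differential verdict over parallel reports.
    Returns (divergent, actions not seen everywhere, {sandbox: actions only it showed})."""
    common = set.intersection(*reports.values())
    union = set.union(*reports.values())
    per_sandbox_extra = {name: sorted(acts - common) for name, acts in reports.items()}
    return union != common, sorted(union - common), per_sandbox_extra


def analyse(sample, sandboxes=SANDBOXES):
    """Escalation rule: any divergence raises the hazard level and sends the sample
    for manual analysis; a consistent trace is judged on its content alone."""
    divergent, diff, extras = compare_reports(detonate_parallel(sample, sandboxes))
    if divergent:
        return {"hazard": "high", "escalate": True, "differences": diff, "per_sandbox": extras}
    return {"hazard": "low", "escalate": False, "differences": [], "per_sandbox": extras}


if __name__ == "__main__":
    for name, s in (("evasive", evasive_sample), ("honest", honest_sample)):
        print(name, analyse(s))
```

Running the evasive sample in the VMware guest alone yields a clean trace and no verdict; it is only the disagreement with the bare-metal run that exposes it, which is the argument for parallel detonation.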
The sophistication, complexity and frequency of targeted attacks, Advanced Persistent Threats (APTs), advanced and unknown malware, zero-day threats and the like can be overwhelming.
An ever-increasing attack surface and highly motivated, well-trained and well-funded criminals targeting organisations with bespoke tools and new technologies make securing the modern enterprise far more difficult. Traditional approaches, such as defending the perimeter, are only some of the many techniques needed to address today's complex security landscape.
Advanced, multi-faceted attacks cannot be prevented by a single control point; they require a coordinated strategy.
Yoroi Managed Advanced Threat Protection defends the client's network perimeter from elusive and advanced threats by adopting the most advanced detection technologies available on the market. Our analysts have a solid background in reverse engineering, malware evasion and communication protocols. They monitor, analyse and mitigate advanced threats well before traditional solutions are able to detect them.
Our service is designed to block even sophisticated attacks, to detect stealthy threats across the client's entire infrastructure and to respond quickly to security incidents.
Given today's threat environment and the increasing openness and connectivity of digital infrastructures, security teams must assume that their IT environments will periodically be compromised, and must demand superior response capabilities. In such an environment, where attacks are becoming more frequent and more sophisticated, one of the steps an enterprise can take to ensure business continuity is to adopt an early warning system.
Yoroi's early warning service identifies, analyses and promptly notifies emerging threats before they can affect operations, and provides a mitigation strategy. The service is based on the collection and analysis of information from internal and external sources, classified according to their reliability. It includes an ongoing watch over unconventional sources, searched for information related to the monitored clients' networks, in order to establish whether there are traces of abuse or compromise.
Our analysts provide information not only about each vulnerability but also about best-practice countermeasures to keep systems protected. Each alert and update contains a detailed analysis describing severity and potential impact, technical makeup, the systems that might be affected, available patches or workarounds and comprehensive mitigation strategies.
More and more threats are propagated using e-mail as the vector. Recent studies show that about 70% of the e-mail traffic passing through the major Internet nodes can be classified as spam.
The goal of the Yoroi e-mail protection system is to raise the level of protection on the e-mail channel, using three main techniques:
Digital surveillance has become important in the context of misuse and abuse of the Internet: unauthorised access to data, forgery of digital signatures, infringement of intellectual property rights covering patents and trademarks, fraudulent subversion of electronic payment systems, disputes over domain names, browsers and portals, and the growing menace of intruders, masqueraders and saboteurs in cyberspace.
Yoroi's digital surveillance service is designed to protect our clients' most sensitive data.
Our analysts systematically observe cyberspace by browsing, sniffing and snooping, with a view to locating, identifying, profiling and analysing by all available means e-mail transmissions, packet movements, file transfers and transactions containing specific information or alphanumeric strings belonging to our clients. Once a match is found and verified, the client is alerted and the action to be taken is agreed.
Ransomware is malicious software designed to deny access to a computer system or its data, typically by encrypting files, until a sum of money is paid. Ransomware spreads through e-mail attachments, infected programs and compromised websites. A ransomware program may also be called a cryptovirus, cryptotrojan or cryptoworm. Ransomware Trap is the set of policies and technical actions suggested and implemented by Yoroi to protect organisations and mitigate threats belonging to the ransomware family.
SCADA (Supervisory Control And Data Acquisition) systems are complex and involve a large number of components: sensors, programmable logic controllers (PLCs), remote terminal units (RTUs), programmable switches, servers, backup systems and NAS. All these components are orchestrated by software to achieve a common goal.
SCADA systems are increasingly complex, digital and connected. Whilst in the past they were isolated from other networks, today's operators typically require data to be transferred between industrial and external networks, creating the potential for malware and hackers to gain access to and disrupt real time control systems and dependent infrastructures.
Yoroi's SCADA security service aims to prevent malware infection by using bespoke technologies to detect threats. Through a sensor (a virtual or physical 'probe' installed in the system) and a client host inside the machine interconnection network, our analysts monitor the SCADA communication infrastructure and identify malicious communication flows, unidentified callbacks and unauthorised attempts to gain control.
With the increasing use of online services and retailers, scams have grown from a danger mostly associated with investments, banking and insurance into the online scams and cybercrime that have to be fought daily.
Scams are becoming increasingly prevalent across different types of websites, through viral e-mails and across social media.
A fraud attempt can be very hard to identify. No conventional tool is able to identify and stop scams, because of the mutability, complexity and variability of attempted frauds.
As scam protection Yoroi offers a suite of services, technologies and best-practice advice.
Our proprietary probe Genku analyses our clients' e-mails and sends suspicious attachments to our sandbox Yomi for detonation, while our analysts investigate IP addresses, provenance, destination and subject in order to identify the best possible action.
Being able to detect and block an attack is not always enough. In some circumstances, such as multiple attacks coming from the same geographic region, attacks carried out through the same vector, attacks on specific targets or attacks compromising particular assets, more information on the attacker is needed.
The kickback attack service aims to gather more information on the attacker using counter-espionage techniques and the Yoroi Red Team, which specialises in counter-attack and reverse attack.
Servers, endpoints, business-critical systems and security appliances generate extensive event logs every day that have to be centralised, carefully monitored and managed.
Log centralisation allows constant monitoring of access to corporate assets, errors and malfunctions. Yoroi collects, analyses and archives Windows EventLog, syslog from Unix/Linux hosts, routers and switches, AS/400 logs, and application and service logs such as IIS, FTP, MS SQL, Oracle, DHCP, DNS, Apache, Hadoop and VMware.
Yoroi offers a cloud solution through a Virtual Private Server (VPS) dedicated to each client, allowing clients to offload management and maintenance while retaining full access to the appliances.
High-profile data breaches and Internet of Things attacks have put companies under extraordinary pressure to ensure that their systems are secure and their data protected.
Before purchasing specific security products, Yoroi suggests assessing weak spots and gaps in the client's security by carrying out a penetration test, because technically assessing systems and networks gives insight into what a business actually needs in order to protect itself.
Our team of testers works closely with our clients to design penetration tests based on each organisation's unique security goals. Once testing and analysis have been completed, our clients receive a detailed report of findings that includes actionable recommendations for addressing vulnerabilities.
Due to the growing complexity and diversity of information systems, security weaknesses are becoming more likely and harder to detect. The security of the entire IT infrastructure depends on its weakest link, which alone can undermine many of the security measures in place.
The test carried out on the client's infrastructure is a service designed to check the effectiveness of the security in place. The process consists of three main stages: anti-malware and anti-phishing testing, firewall perimeter testing and auditing.
The service is performed by highly skilled security experts. Our team methodically outlines and presents to our clients the 'status quo' and a series of specific, actionable steps it recommends to improve the company's overall security posture. The outcome of the Security Infrastructure Assessment is a document reporting both results and advice for improvement and possible future implementations.
Security Information and Event Management (SIEM) is an approach to security management that seeks to provide a holistic view of an organisation's information technology (IT) security.
The underlying principle of a SIEM system is that relevant data about an enterprise’s security is produced in multiple locations and being able to look at all the data from a single point of view makes it easier to spot trends and see patterns that are out of the ordinary. SIEM combines SIM (Security Information Management) and SEM (Security Event Management) functions into one security management system.
Yoroi offers a configuration and management service for a SIEM system based on Splunk. Splunk indexes all the collected logs and provides very fast search over them, much as a web search engine does for the Internet. Our analysts then write correlation searches in SPL (Search Processing Language) to make the most of the data collected, and the correlated results are presented as dashboards.
Companies today are under constant attack from criminal hackers and other malicious threats. As networks have become more secure, attackers have turned their attention to the application layer, where a large share of vulnerabilities are now found. To increase protection, security managers must perform detailed source code analysis when developing or buying software.
Yoroi offers a code review activity that pays particular attention to intrinsic vulnerabilities. In accordance with the ISO/IEC 9126 standard, we analyse the quality of the developed software by identifying and evaluating the so-called 'bad smells' (rigidity, fragility, immobility, viscosity and opacity), and then look at code security, checking for missing input validation, use of vulnerable libraries, broken authentication and session management, XSS, buffer overflows, insecure direct object references, security misconfiguration, sensitive data exposure and CSRF.
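The two ideas in the log-centralisation and SIEM paragraphs above (normalising logs from different sources into one schema, then correlating across them) are shown together in the following added example; it is not Yoroi's Splunk configuration and does not use Splunk. Two constructed feeds, Linux sshd syslog lines and Windows Security logon events 4624/4625 in a key=value form such as a forwarder might emit (the format is an assumption), are parsed into one event schema and a single correlation search runs over both: several failed logons from one source IP followed by a success within a few minutes. The syslog year is assumed because RFC 3164 timestamps carry none.

```python
"""Centralised-log normalisation and a SIEM-style correlation search.

Added example, not Yoroi's Splunk configuration. Two constructed log feeds
(Linux sshd syslog lines and Windows Security logon events in key=value form,
as a forwarder might emit them) are normalised into one schema and correlated:
N failed logons from one source followed by a success within a window is the
classic brute-force-then-success pattern."""
import re
from datetime import datetime, timedelta

SYSLOG_YEAR = 2024  # RFC 3164 timestamps carry no year (assumed here)

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
WINEVT_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>EventID=.*)$")


def parse_syslog(line):
    """sshd syslog line -> normalised event, or None if it is not a logon record."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "src_ip": m["ip"],
            "outcome": "success" if m["outcome"] == "Accepted" else "failure", "source": "sshd"}


def parse_winevt(line):
    """Windows Security event in key=value form -> normalised event (4624/4625 only)."""
    m = WINEVT_RE.match(line)
    if not m:
        return None
    kv = dict(p.split("=", 1) for p in m["kv"].split())
    eid = kv.get("EventID")
    if eid not in ("4624", "4625"):
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "user": kv.get("TargetUserName"),
            "src_ip": kv.get("IpAddress"), "outcome": "success" if eid == "4624" else "failure",
            "source": "windows"}


def normalise(lines):
    """Parse every line with whichever parser accepts it and return events sorted by time."""
    events = []
    for line in lines:
        ev = parse_syslog(line) or parse_winevt(line)
        if ev:
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate_bruteforce(events, min_failures=3, window=timedelta(minutes=5)):
    """For every successful logon, count failures from the same source IP in the
    preceding window (any host, any user, any log source). Returns a list of alerts."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["outcome"] != "success" or not ev["src_ip"]:
            continue
        failures = [f for f in events[:i] if f["outcome"] == "failure"
                    and f["src_ip"] == ev["src_ip"] and ev["ts"] - f["ts"] <= window]
        if len(failures) >= min_failures:
            alerts.append({"src_ip": ev["src_ip"], "user": ev["user"], "host": ev["host"],
                           "ts": ev["ts"], "failures": len(failures),
                           "users_tried": sorted({f["user"] for f in failures})})
    return alerts


# Constructed sample feed (not real traffic); the IPs are documentation ranges.
SAMPLE_LOGS = [
    "Mar 12 10:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2",
    "Mar 12 10:14:03 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51235 ssh2",
    "2024-03-12T10:14:20 dc01 EventID=4625 TargetUserName=administrator IpAddress=203.0.113.45 LogonType=3",
    "Mar 12 10:15:40 web02 sshd[2300]: Failed password for deploy from 203.0.113.45 port 51240 ssh2",
    "Mar 12 10:16:02 web02 sshd[2300]: Accepted password for deploy from 203.0.113.45 port 51241 ssh2",
    "Mar 12 10:20:00 web01 sshd[2400]: Failed password for alice from 198.51.100.7 port 40001 ssh2",
    "Mar 12 10:20:09 web01 sshd[2400]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2",
    "2024-03-12T11:00:00 dc01 EventID=4688 NewProcessName=C:\\Windows\\System32\\cmd.exe",
]

if __name__ == "__main__":
    for a in correlate_bruteforce(normalise(SAMPLE_LOGS)):
        print(a)
```

The value of centralisation is visible in the sample: the attacker's failures are spread over two Linux hosts and a domain controller, and only the merged, time-ordered view reaches the threshold before the successful logon as 'deploy'. Alice's single typo followed by a key-based login stays below it. In Splunk the same rule would be written as an SPL search that groups failures by source address over a time window and joins them to a later success.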
As attackers use increasingly sophisticated techniques to gain a foothold within a company, businesses need more than ever to evaluate and improve their defensive measures. Effective targeted attack simulations require not only a strong testing capability but also a good understanding of attacker tradecraft.
The targeted attack simulations performed by Yoroi include an in-depth study of the goals the client considers critical, in order to create attack tools and bespoke malware that test the security systems and policies in use to the limit of their capabilities. The purpose of the simulation is to highlight weaknesses that remain hidden under common, broad-range threats, and to provide as much information, guidance and support as possible to mitigate the risk and the identified attack vectors, so that the entire organisation achieves the best possible security posture. A targeted attack simulation performed by Yoroi provides clear guidance on the effectiveness of the policies in place, of staff training and of the defence tools adopted.
The first step in creating an effective defence is finding out where the vulnerabilities in the system are; without this knowledge it is impossible to plan. Yoroi's vulnerability assessment service provides an advanced analysis of the client's infrastructure vulnerabilities, assessing both the risks to the business and the complexity of possible remedial actions, allowing management to take the right decisions and set up a proper security plan.
A vulnerability is the path through which threats get into a system and manifest themselves. The main purpose of a vulnerability assessment is to identify, quantify and prioritise vulnerabilities and their impact within the client's assets. The vulnerabilities most often detected during an assessment are wrong configurations, outdated systems and default configurations. Yoroi's assessment is carried out by both automated tools and our analysts. Three levels of service are offered: non-invasive, invasive, and invasive plus attack. The non-invasive option is based on external information gathering, which is usually the first stage of a cyber attack. The invasive option adopts a more in-depth analysis, probing the assessed machines over ICMP, TCP or UDP. The next level adds to the invasive approach an attack simulation in order to obtain confidential information and access to the system.
At the end of the vulnerability assessment, Yoroi's team delivers an important tool for any organisation: a report listing the identified vulnerabilities, their priorities and the associated risks.
Low deployment costs make wireless networks attractive. However, the easy availability of inexpensive equipment also gives attackers the tools to attack the network, eavesdrop on or tamper with wireless transmissions, and access sensitive data. Through the Wi-Fi Infrastructure Assessment, Yoroi measures the level of security of wireless communications by analysing how the systems respond to various critical situations, from high utilisation levels to passive and active attacks. Yoroi usually analyses:
The methods Yoroi adopts for Wi-Fi infrastructure tests ensure an effective measurement of the security level of the local business network perimeter. The assessment is carried out in two stages: a first one in which Wi-Fi security is actively tested by an attacker interacting with the access point, and a second one performed off-line. A technical report, an executive summary and a technical appendix are delivered at the end of the assessment to document the outcome.
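The page does not say what the off-line stage consists of; in a WPA2-PSK assessment it usually means testing passphrase candidates against a 4-way handshake recorded during the active stage, without further contact with the access point. The following is an added example of that check, not Yoroi's tooling. It assumes WPA2-PSK with the CCMP key descriptor (key descriptor version 2, so the Key MIC is HMAC-SHA1 truncated to 128 bits) and derives PMK, PTK and MIC exactly as the standard specifies; the 'captured' handshake message 2, the MAC addresses, nonces, SSID and candidate list are all constructed in the script so it runs offline, with the frame laid out so that the MIC sits at its real offset.

```python
"""Off-line stage of a Wi-Fi assessment: checking passphrase candidates against
a captured WPA2-PSK 4-way handshake without touching the access point again.

Added example, not Yoroi's tooling. Assumes WPA2-PSK with the CCMP key
descriptor (key descriptor version 2, MIC = HMAC-SHA1-128). The 'capture' is
constructed in-script from a known passphrase; in a real assessment the
nonces, MACs and EAPOL frame come from message 2 of a recorded handshake."""
import hashlib
import hmac

# Byte offset of the 16-byte Key MIC in an EAPOL-Key frame:
# 4-byte 802.1X header + 77 bytes of key-descriptor fields before the MIC.
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK from PMK, the two MAC addresses and the two nonces (min/max ordering per the standard)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC over the frame with its MIC field zeroed (descriptor version 2: HMAC-SHA1-128)."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def check_candidate(passphrase, hs):
    """True if the passphrase reproduces the MIC captured in handshake message 2."""
    pmk = pmk_from_passphrase(passphrase, hs["ssid"])
    ptk = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])
    kck = ptk[:16]  # first 128 bits of the PTK are the Key Confirmation Key
    return hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16])


def recover_passphrase(candidates, hs):
    """Dictionary check: return the first candidate whose MIC matches, else None."""
    for cand in candidates:
        if check_candidate(cand, hs):
            return cand
    return None


def build_handshake(ssid, passphrase, ap_mac, sta_mac, anonce, snonce):
    """Constructed message 2 for the example (a real one is captured, not built).
    Layout: 802.1X header (4) + descriptor type (1) + key info (2) + key length (2)
    + replay counter (8) + SNonce (32) + IV (16) + RSC (8) + ID (8) = 81 bytes, then MIC."""
    frame = b"\x02\x03\x00\x5f" + b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 7 + b"\x01"
    frame += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
    assert len(frame) == MIC_OFFSET
    frame += b"\x00" * 16 + b"\x00\x00"  # MIC placeholder, zero-length key data
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame)
    eapol = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol}


# Constructed capture: SSID, passphrase, MACs and nonces are all made up for the example.
HANDSHAKE = build_handshake(
    ssid="YoroiLab-Test", passphrase="correct-horse-battery",
    ap_mac=bytes.fromhex("001122334455"), sta_mac=bytes.fromhex("66778899aabb"),
    anonce=hashlib.sha256(b"anonce").digest(), snonce=hashlib.sha256(b"snonce").digest())
CANDIDATES = ["password", "12345678", "yoroilab", "correct-horse-battery", "letmein123"]

if __name__ == "__main__":
    print("recovered:", recover_passphrase(CANDIDATES, HANDSHAKE))
```

Each candidate costs 4096 PBKDF2 rounds bound to the SSID, which is why the off-line stage is a dictionary or rule-based search rather than exhaustive, and why a long random passphrase and a non-default SSID (no precomputed tables apply) are the practical recommendations that come out of it.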