Security Archives - OpenText Blogs
https://blogs.opentext.com/category/line-of-business/security-line-of-business/
The Information Company. Feed last updated Thu, 03 Jul 2025 12:05:19 +0000.

Enhance secure information management with DFIR
https://blogs.opentext.com/enhance-secure-information-management-with-dfir/
Thu, 03 Jul 2025 12:50:00 +0000

[Image: an investigator working with DFIR tools on a large screen.]

In an era defined by digital transformation, organizations generate and store more data than ever before. From sensitive customer records to proprietary business strategies, data is at the heart of nearly every operation. But with this explosion of digital information comes increased risk—both from external threats and internal mismanagement. That’s where the intersection of Digital Forensics and Incident Response (DFIR) and information management becomes crucial.

While often viewed as separate disciplines, DFIR and information management share a common goal: protecting and making sense of data. When used together, they create a powerful synergy that enhances not just cybersecurity posture, but also business continuity, regulatory compliance, and operational efficiency.

The core roles of DFIR and information management

Information management is the systematic organization, storage, governance, and retrieval of data throughout its lifecycle. It ensures that information is accurate, accessible, and protected in accordance with policies and regulations.

Digital Forensics and Incident Response (DFIR), on the other hand, focuses on identifying, investigating, and responding to cyber incidents. It involves collecting digital evidence, analyzing activity, and mitigating damage after a breach or malicious event occurs.

DFIR may seem like a reactive, technical function, while information management appears proactive and operational. In practice, however, they overlap in meaningful ways, especially when data integrity, visibility, and governance are at stake.

DFIR as a data intelligence tool

One of the often-overlooked benefits of DFIR is the deep visibility it provides into an organization’s digital environment. During an investigation, DFIR tools comb through vast amounts of structured and unstructured data—emails, logs, cloud storage, endpoint activity—to reconstruct what happened and why.

This investigative process, though born out of necessity, often reveals gaps in data governance, inconsistencies in retention policies, or unauthorized data access. In other words, DFIR shines a light on the quality of your information management. It answers questions like:

  • Where is sensitive data stored, and who has accessed it?
  • Are users following data retention and deletion policies?
  • Has information been altered, moved, or exfiltrated without authorization?

In this way, DFIR solutions don’t just detect threats; they also expose inefficiencies and risks in how data is handled.

Strengthening information governance with DFIR insights

When integrated with a broader information management strategy, DFIR can help organizations:

1. Identify high-risk data repositories

DFIR investigations often uncover shadow IT, forgotten file shares, or poorly secured data repositories. These insights help information managers prioritize remediation and improve access controls.

2. Improve data classification

Understanding what data attackers targeted during an incident can guide better classification efforts. If attackers consistently go after a specific type of document or database, that information is likely more sensitive than previously assessed.

3. Support regulatory compliance

Many regulations—such as GDPR, HIPAA, and CCPA—require both strong data management and breach response capabilities. DFIR tools provide the forensic evidence needed to demonstrate compliance in the aftermath of an incident, while also informing better data governance practices to prevent future violations.

4. Reduce data sprawl

DFIR solutions often find stale, duplicated, or orphaned data that poses security risks. Working with information management teams, organizations can use these findings to streamline data storage, reduce the attack surface, and align with retention policies.

DFIR and the information lifecycle

Information management follows a lifecycle: creation, use, storage, archiving, and disposal. DFIR intersects every phase of that lifecycle:

  • Creation & use: DFIR tools detect policy violations or misuse of sensitive information.
  • Storage: DFIR investigations may highlight insecure or non-compliant storage practices.
  • Archiving & disposal: Evidence of improper deletion or retention uncovered during forensic review can guide better enforcement of retention schedules.

By integrating DFIR into the information lifecycle, organizations ensure that data is not just well-managed but also defensible and resilient.

Conclusion

DFIR is no longer just a cybersecurity emergency response function. It’s a critical partner to information management—providing insights that enhance governance, reduce risk, and strengthen compliance. Together, DFIR and information management form a powerful alliance that ensures data is both protected and purposeful.

OpenText plays a central and strategic role in information management, helping organizations capture, govern, access, and secure information across its entire lifecycle—from creation to disposition. As one of the world’s leading providers of Enterprise Information Management (EIM) solutions, OpenText enables businesses to harness the power of their data, ensure compliance, improve productivity, and mitigate risks.

OpenText’s Digital Forensics and Incident Response (DFIR) solutions effectively investigate cyberattacks, aligning seamlessly with OpenText’s long-standing expertise in Information Management by bridging two essential but often siloed areas: defending information and managing information. Together, these capabilities create a unified strategy for securing, governing, and extracting value from data—before, during, and after a cyber incident.

In a world where information is an organization’s most valuable asset—and its biggest liability—the ability to manage and defend that information is more important than ever.

Learn more about OpenText Digital Forensics and Incident Response solutions.

People, risk, and the modern CISO
https://blogs.opentext.com/people-risk-and-the-modern-ciso/
Tue, 17 Jun 2025 19:36:48 +0000

[Image: Chief Information Security Officer (CISO)]

This year’s CISO Bootcamp at RSAC 2025 was a powerful reminder that while technology continues to evolve, the heart of cybersecurity remains the same: people and risk management. The role of the CISO (Chief Information Security Officer) is more complex than ever — balancing business alignment, technical oversight, and team leadership in a world of constant change.

Here are the key takeaways that every security leader should reflect on — and how partnering with the right MSSP (Managed Security Service Provider), like OpenText™, can help you stay ahead.

1. The CISO role is about risk, not just technology

The modern CISO is first and foremost a risk manager. The bootcamp emphasized that understanding and articulating risk is more important than knowing every tool in the stack.

If a risk isn’t communicated, it doesn’t exist

Transparency is essential. CISOs must ensure that risks are documented, communicated, and addressed. This is where a strong MSSP can be a game-changer. OpenText’s Risk & Compliance Advisory Services help CISOs identify, assess, and communicate risk in a way that aligns with business priorities.

Are you doing business in the EU? Check out Ensuring compliance with the NIS2 Directive.

2. Simplify and modernize your tech stack

Many organizations are burdened by complex, overlapping security tools. The advice from RSAC was clear: simplify. Focus on outcomes, not tool count.

Whether you’re building from scratch or modernizing, OpenText’s end-to-end Cybersecurity solutions — overseen by our Managed Security Services — can help you streamline operations, reduce noise, and focus on what matters most: protecting your business.

3. Build a team that has your back

Leadership is about people. The best CISOs build teams that are diverse, resilient, and aligned. Some of the most practical advice from the bootcamp included:

  • Spend time with your team — take 15 minutes per person regularly.
  • Foster a no-ego, no-jerk culture — because culture is everything.
  • Diversity means bringing in people from both inside and outside cyber.
  • Support your team like family. Recognition should flow to them, not to you.

If your team can meet without you and still move toward the North Star, you’re doing it right

4. Communicate like a business leader

CISOs must be exceptional communicators. That means translating technical risk into business language and aligning with corporate executive priorities.

Yes, we can—but here’s what it takes

This mindset positions the information security team as a business enabler. And when you need to benchmark or prioritize, OpenText’s Risk and Compliance Advisory — including our Security Assessment — can provide the insights and peer comparisons you need to make informed decisions.

5. Cybersecurity in 2025: Still a people problem

Despite the rise of AI and automation, the consensus at RSAC was clear: cybersecurity is still about people. You need a lean, skilled, and trusted team.

Experience is the sum of your failures

That’s why it’s critical to invest in people, not just tools. OpenText’s Managed Extended Detection and Response (MxDR) is designed to augment your internal team, not replace it — giving you access to top-tier talent and 24/7 coverage without the overhead.

6. Justify your headcount with trust and data

Budget constraints are real. To justify your team size, you need:

  • Benchmarking – Compare your team structure to industry standards.
  • Peer consultation – Talk to other CISOs about how they build out their team and model their security strategies.

But most importantly, you need trust. Build credibility with your CEO and your Board by showing that your team is aligned with business goals and delivering measurable value. OpenText can help you map your program to industry benchmarks and provide the data you need to make your case.

7. Today’s threat landscape: Beyond technology

Cybersecurity is no longer just about firewalls and endpoints. Today’s threats are shaped by:

  • Geopolitical tensions
  • Third-party risks
  • Regulatory pressure
  • Human behavior

Attackers in 2025 are targeting your communications, your information, your infrastructure, and are placing backdoors. It’s not a matter of if an incident will happen — it’s when. That’s why OpenText’s Digital Forensics and Incident Response (DFIR) services are so critical.

8. Define the North Star, not the roadmap

As a CISO, your job is to define the vision, not micromanage the execution. The roadmap will change. Threats will evolve. But your North Star — your guiding principles — should remain constant.

Let your team own the roadmap. Empower them to adapt, innovate, and lead. Your role is to remove obstacles, build culture, and keep everyone aligned.

9. Practice, practice, practice

Whether it’s tabletop exercises, red team drills, or communication rehearsals, practice is everything. The more you train, the more confident your team will be when the real thing happens.

OpenText’s Incident Response Simulation drills your team and the wider organization so they gain the awareness, confidence, and readiness needed for the inevitable incident.

10. Final thought: who has your back?

The CISO role is demanding, high-stakes, and often lonely. That’s why it’s essential to surround yourself with people—and partners—who support you.

Pick a leadership team that has your back

For many organizations, that includes a trusted MSSP. OpenText Managed Security Services offer a full spectrum of cybersecurity services—from strategic advisory to 24/7 threat detection and response. Whether you’re building a program from scratch or looking to mature your existing capabilities, OpenText has software solutions for SMB and enterprise customers, as well as the expertise, scale, and commitment to help you succeed.

The modern CISO must be a risk manager, a business enabler, a people leader, a clear communicator, and a visionary. Technology is important—but it’s the last piece of the puzzle. The real work is aligning security with business goals, building strong teams, and leading with empathy and clarity. If you’re a CISO in 2025, remember: It’s still about people. And the right partner makes all the difference.

Explore OpenText Cybersecurity Solutions

Ready to strengthen your cybersecurity program? Discover how OpenText’s end-to-end Cybersecurity Services can help you lead with confidence through our Risk & Compliance Advisory, Digital Forensics and Incident Response (DFIR), and other Cybersecurity Services.

Whether you're building from scratch or maturing your program, OpenText Managed Security Services offers the scale, expertise, and commitment to help you succeed—across SMB and enterprise environments.

Why CISOs are quietly becoming information architects
https://blogs.opentext.com/why-cisos-are-quietly-becoming-information-architects/
Fri, 06 Jun 2025 12:45:00 +0000

[Image: a CISO serving as an information architect.]

In a recent post, I explored the butterfly effect of cybersecurity—the idea that one small misstep (like an over-permissioned user or misclassified document) can cascade into a major breach. Today, I want to go a step further: because it’s not just about access—it’s about architecture.

Cybersecurity has always been about control. But what we’re controlling is changing.

As data sprawls across SaaS platforms, cloud systems, and unstructured repositories, CISOs are being pulled upstream—into data strategy, lifecycle management, and governance. They’re not just protecting endpoints anymore. They’re shaping how information flows throughout their business.

The shift: from defense to data-centric design

For years, the CISO focused on defending the perimeter. But Gartner, Forrester, and IDC all point to the same reality: the perimeter is gone. Data itself is now the security object of value. As Gartner puts it, “Security must become data-centric to align protection with business value.” Forrester, for its part, says: “CISOs must become stewards of enterprise data, not just defenders of infrastructure.”

That means asking:

  • What data do we have?
  • Where does it live?
  • Who can access it—and why?
  • What risk does it pose if exposed or misused?

These are information architecture questions—not just security questions.

Information sprawl = attack surface

Every enterprise is a patchwork of productivity:

  • Files in Box
  • Shared links in Google Drive
  • Unclassified documents in SharePoint
  • Shadow data in abandoned AWS buckets

This isn’t just messy—it’s risky. When information is unmanaged, security can’t protect what it can’t see.

Governance and cybersecurity are converging

Data protection regulations like GDPR, CCPA, and Australia’s Privacy Act reforms are raising the bar. It’s not enough to encrypt data or respond to breaches. Organizations must:

  • Map sensitive data
  • Classify it properly
  • Apply risk-based controls
  • Prove enforcement and accountability

That convergence is putting CISOs in the same room as Chief Data Officers, legal, privacy, and compliance teams—not to react to incidents, but to architect prevention.

The Modern CISO: Strategist. Steward. Architect.

The CISO of 2025 isn’t just a technologist or risk manager. They’re part data strategist, part information steward, and part architect of trust.

Cybersecurity today isn’t just about stopping threats. It’s about enabling responsible innovation, privacy, and business trust—by understanding and protecting the flow of information.

Final thought

We used to ask, “How do we protect the network?” Then: “How do we secure identities and endpoints?” Now we ask, “How do we protect the data that powers the business—no matter where it lives?”

That’s not just a security challenge. It’s an information architecture mandate. And many CISOs are already quietly stepping into that role.

How is your security team evolving to handle information risk? Are you seeing the same convergence of data, governance, and cybersecurity?

Additional sources

ISACA, “Security teams are now responsible for classification, lifecycle, and access across business data.”

IDC, “Effective data security starts with understanding the value of the data being used within the organization.”

The future of cybersecurity: Insights from RSAC 2025 https://blogs.opentext.com/the-future-of-cybersecurity-insights-from-rsac-2025/ Wed, 04 Jun 2025 16:00:52 +0000 https://blogs.opentext.com/?p=999308842

My colleague Nakkul Khurana and I attended the RSA Conference 2025 (RSAC 2025) to give a talk on the work we completed at Open Text. Our session, How to Use LLMs to Augment Threat Alerts with the MITRE Framework, was well received, with about 200 people attending. The Open Text booth at the Expo, which showcased all our cybersecurity products, was also a main attraction for visitors.

The event was also packed with insightful sessions covering the latest trends and challenges in cybersecurity. A major focus this year was the intersection of artificial intelligence (AI) and cybersecurity, exploring both the benefits and the risks. This post summarizes some key takeaways from various talks presented at the conference.

AI's dual role in cybersecurity

Several sessions highlighted AI's evolving role. George Gerchow talked about "Harnessing AI to Enhance Cloud Security While Addressing New Attack Vectors." He discussed how AI-powered bots like MongoDB's Guardian Bot (GB) are becoming essential for real-time threat response and automating security and compliance tasks. These bots use AI to adapt to emerging threats and improve operational efficiency, reducing response times significantly.

However, AI also brings new risks. Michael Bargury's presentation, "Your Copilot Is My Insider," delved into vulnerabilities associated with AI copilots and plugins. He discussed potential data leakage, RAG poisoning, and new attack vectors that arise from the integration of AI into business processes. The key takeaway was that AI can greatly enhance security. However, it also requires careful management and security measures to prevent misuse.

The importance of security in RAG systems

Akash Mukherjee and Dr. Saurabh Shintre's "RAG-NAROK: What Poorly-Built RAGs Can Do to Data Security" emphasized the security challenges in Retrieval Augmented Generation (RAG) systems. They explained that adding private data to chatbots requires robust access controls and permissions management to prevent data leakage. Akash and Saurabh also discussed different permission enforcement methods along with the need for sensitive data protection beyond just permissions.

Security automation with LLM-driven workflows

In the session "Fast-Track Security Automation with LLM-Driven Workflows," Steve Povolny explored the application of Large Language Models (LLMs) in automating security operations. He covered various LLM tools, prompt engineering best practices, and real-world use cases for improving Security Operations Center (SOC) efficiency. Steve also highlighted the importance of addressing security considerations like data privacy, prompt injection risks, and model bias.

Principles of GenAI security

Diana Kelley's talk, "Principles of GenAI Security: Foundations for Building Security In," provided an overview of Generative AI (GenAI) security. She discussed the GenAI threat landscape, architectural considerations, and security at runtime. Key takeaways include the importance of understanding the unique risks associated with AI systems and implementing security-by-design principles.

Adversarial neural patterns in LLMs

In "Beyond the Black Box Revealing Adversarial Neural Patterns in LLMs," Mark Cherp and Shaked Reiner focused on uncovering hidden vulnerabilities in LLMs. They discussed new jailbreak techniques and mitigations, exploring the "psychology" of models and how they can be manipulated. This talk highlighted the need for continuous research and development of defences against sophisticated AI attacks.

Supply chain security and emerging threats

Dr. Andrea Little Limbago's presentation, "A Stuxnet Moment for Supply Chain Security?" addressed the emerging threat of supply chain infiltration, referencing recent incidents like the pager attacks. She discussed how digital supply chain attacks are growing and potentially shifting cyber norms. Her talk also emphasized the need for enhanced security measures and vigilance in hardware and software supply chains.

The future of security UX with Agentive AI

"How Security UX Must Change, with Agentive AI," explored how user experience (UX) in security must adapt with the rise of agentive AI. In this talk Steph Hay emphasized offloading tasks, dynamic UIs, and exponential outcomes. Assistive UX features like "easy buttons," seeded prompts, and multi-turn chats will become crucial for improving security operations.

Social engineering and GenAI

Perry Carpenter's session, "Conversations with a GenAI-Powered Virtual Kidnapper (and Other Scambots)," examined how social engineering attacks can leverage generative AI. He demonstrated how these tools create realistic scams and highlighted the need for organizations to prepare and train employees to recognize and respond to these threats.

"Initial Access Brokers: A Deep Dive," provided insights into the world of initial access brokers (IABs). In this talk, Amit Weigman discussed their methods of operation, the types of access they sell, and current market trends. Understanding the IAB ecosystem is crucial for preventing and responding to security breaches.

The evolution of the SOC in an AI-driven universe

Dave Gold's presentation, "The Future of the SOC in an AI-Driven Universe," revealed the current state of Security Operations Centers (SOCs) and how they will evolve with AI. He highlighted the shift from manual processes to semi-autonomous and autonomous SOCs, the need for scalable AI-driven platforms, and the evolution of SOC visualizations.

Safety and security of LLM agents

"Safety and Security of LLM Agents: Challenges and Future Directions," focused on the unique safety and security challenges posed by LLM agents. Dawn Song discussed potential attacks, evaluation methods, risk assessment, and defences for these systems. Ensuring both safety and security is crucial for realizing the benefits of LLM agents.

Zero trust AI and multi-agent systems

In "Zero Trust AI: Securing Multi-Agent Systems for Private Data Reasoning," Ken Huang addressed the security of multi-agent systems. He introduced the MAESTRO threat modelling approach and emphasized the need for a zero-trust security model in AI systems handling private data.

Conclusion

RSAC 2025 makes it clear that AI is fundamentally changing the cybersecurity landscape. While it offers tremendous opportunities for enhancing defences, it also introduces new and complex challenges. Organizations must adapt by understanding these changes, adopting AI-driven security solutions, and addressing the associated risks proactively. Staying informed and prepared is key to navigating the future of cybersecurity.

Learn how OpenText Core Threat Detection and Response is leveraging AI-driven behavioural analytics to revolutionize SOC teams.

Identifying risks for an internal data breach within unstructured data https://blogs.opentext.com/identifying-risks-for-an-internal-data-breach-within-unstructured-data/ Tue, 03 Jun 2025 16:23:18 +0000 https://blogs.opentext.com/?p=999308800

An internal data breach is the exposure of confidential information to an unauthorized user in an organization. We tend to think of confidential information as private information about a patient, customer, employee, etc. After all, nearly every country in the world has regulations specifying how private data can be stored, accessed, and managed, and they can assess sizeable fines for noncompliance.

Organizations typically store personally identifiable information (PII) as records in an application database. A patient’s medical information, for example, is structured across cells in a medical application’s database table. This is why it is known as “structured data.”

Protect your unstructured data

But sensitive information is not just PII; it also includes an organization’s confidential or competitive proprietary data, for example not-yet-released quarterly sales results, future marketing plans, legal documents, and more. These word processing files, spreadsheets, presentations, media files, etc., cannot be structured in a database. They are stored in folders in a network file system or in the cloud. This type of data is known as “unstructured data.” It comprises about 80 percent of an organization’s total stored data.

Organizations largely protect and manage structured data from unauthorized access through an automated process. An example is an identity and access management (IAM) system that provisions and restricts access based on user identity and role. Unstructured data, by contrast, is secured through NTFS permission assignments, managed in Microsoft Active Directory and Microsoft Entra ID, on network folders, shares, and document libraries.

NTFS permissions increase the complexity of protecting unstructured data

It’s these extensive and complex individual NTFS permission assignments that can be so challenging to manage. Sure, a network administrator can check which groups, and which members of those groups, can access a specific folder by viewing the folder properties. But with potentially thousands of folders, subfolders, and document libraries storing files with confidential, sensitive, and high-value data, reviewing these permissions individually is impractical.
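As an added example, and not OpenText File Reporter code or part of the original post, here is a PowerShell script that does the review the paragraph describes at tree scale: it walks a share, lists every allow entry with whether it is inherited or granted explicitly on that folder, flags broad principals such as Everyone or Domain Users, and optionally expands domain groups to their user members. The script name, the share path, the depth and the list of broad principals are assumptions you adjust; it needs a Windows host with read access to the share, and the ActiveDirectory module only if -ExpandGroups is used.

```powershell
# Added example, not OpenText File Reporter code: inventory NTFS allow entries
# across a folder tree and flag the ones a reviewer would want to look at first.
# Assumptions (placeholders to adjust): the share path, the recursion depth and
# the list of "broad" principals. Needs a Windows host with read access to the
# share; the ActiveDirectory module is optional and only used with -ExpandGroups.
# Usage: .\Find-BroadNtfsAccess.ps1 -Root '\\fileserver\Finance' -Depth 4 -ExpandGroups

[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Root,
    [int] $Depth = 3,
    # Any of these on a confidential folder is a finding on its own.
    [string[]] $BroadPrincipals = @(
        'Everyone',
        'NT AUTHORITY\Authenticated Users',
        'BUILTIN\Users',
        '*\Domain Users'
    ),
    [switch] $ExpandGroups
)

$adAvailable = [bool]($ExpandGroups -and (Get-Module -ListAvailable -Name ActiveDirectory))
if ($ExpandGroups -and -not $adAvailable) {
    Write-Warning 'ActiveDirectory module not found; group membership will not be expanded.'
}

function Test-BroadPrincipal {
    param([string] $Identity)
    foreach ($pattern in $BroadPrincipals) {
        if ($Identity -like $pattern) { return $true }
    }
    return $false
}

function Get-GroupMemberNames {
    # Best-effort recursive expansion of a domain group to user accounts,
    # so the report shows who can actually open the folder, not just the group.
    param([string] $Identity)
    if (-not $adAvailable) { return @() }
    $name = ($Identity -split '\\')[-1]
    try {
        Get-ADGroupMember -Identity $name -Recursive -ErrorAction Stop |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty SamAccountName
    } catch {
        @()   # not a group, or not resolvable from this host
    }
}

# The root itself plus every subfolder down to -Depth.
$folders = @(Get-Item -LiteralPath $Root) +
    @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    try {
        $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL on $($folder.FullName): $_"
        continue
    }

    foreach ($ace in $acl.Access) {
        # Only allow entries grant access; deny entries are left out of this review.
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $identity   = $ace.IdentityReference.Value
        $rights     = $ace.FileSystemRights.ToString()
        $isBroad    = Test-BroadPrincipal -Identity $identity
        # How the access is derived: inherited from a parent, or granted directly here.
        $derivation = if ($ace.IsInherited) { 'Inherited' } else { 'Explicit' }
        $members    = ''
        if ($ExpandGroups -and -not $isBroad) {
            $members = (Get-GroupMemberNames -Identity $identity) -join ';'
        }

        [pscustomobject]@{
            Folder     = $folder.FullName
            Identity   = $identity
            Rights     = $rights
            CanWrite   = [bool]($rights -match 'FullControl|Modify|Write')
            Derivation = $derivation
            Broad      = $isBroad
            Members    = $members
        }
    }
}

# Broad principals first, then explicit grants (the ones the parent folder does not
# explain), so the riskiest entries sit at the top of the review.
$findings |
    Sort-Object -Property @{ Expression = 'Broad'; Descending = $true }, Derivation, Folder |
    Format-Table Folder, Identity, Rights, Derivation, Broad -AutoSize

# Full result, including expanded members, for the data owner to sign off on.
$findings | Export-Csv -NoTypeInformation -Path (Join-Path $PWD 'ntfs-access-review.csv')
```

Explicit entries on deep subfolders are the ones that tend to drift from the owner's intent, because nobody sees them when reviewing the parent; the CSV gives the department data owner a list to confirm or revoke.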

How OpenText can help

That’s where OpenText File Reporter, a component of OpenText Data Access Governance, comes in. It has extensive reporting and analytics capabilities. File Reporter can identify all users who can access individual folders, subfolders, and Microsoft 365 document libraries, together with their NTFS permissions. It can also identify how that access is derived. With these findings, information and security officers, network administrators, and department data owners can determine potential risks for internal data breaches.

OpenText File Reporter can present these findings in a variety of permissions report types. That way you can have the information you need to make the necessary changes to access permissions. 

This capability has been incredibly useful to customers needing to perform regular vulnerability assessments on all of their confidential, sensitive, and high-value unstructured data and protect themselves from everything from inappropriate insider knowledge to insider misconduct. 

With so much to lose (data security, competitive advantages, customers, employees, and reputation, as well as the potential for fines and lawsuits), organizations cannot risk the possibility of an internal data breach, especially when those risks are so easy to identify with OpenText File Reporter.

Why Managed Security Services are essential in today’s cyber landscape https://blogs.opentext.com/why-managed-security-services-in-todays-cyber-landscape/ Thu, 29 May 2025 10:30:11 +0000 https://blogs.opentext.com/?p=999308514

In an era where cyber threats are relentless and constantly evolving, where regulatory and industry requirements keep increasing, and where unstaffed information security roles remain a challenge, businesses cannot afford to rely solely on traditional security measures. The complexity of modern security operations requires a proactive approach—one that ensures round-the-clock protection, augments internal capabilities, and seamlessly integrates with multiple vendor products. This is precisely where Managed Security Services (MSS), SOC-as-a-Service, and Managed Detection & Response (MDR) come into play.

Recent data highlights the growing reliance on managed security services to address cybersecurity challenges. According to industry research*, a significant share of organizations (29%) have added MSS solutions to augment their security teams:

  • 23% of organizations are centralizing resources to optimize security operations.
  • 28% are divesting the security team or reducing staff.
  • 37% report no significant changes, indicating a potential gap in security preparedness.

These trends underscore the critical need for MSS, SOC-as-a-Service, and MDR solutions to enhance security resilience and mitigate risks effectively.

24x7 Managed Security Services monitoring: why it’s a must

Cyber threats don’t take breaks, and neither should your security. Organizations often struggle with maintaining a fully operational Security Operations Center (SOC) that runs efficiently 24/7. MSS and SOC-as-a-Service provide continuous monitoring, threat detection, and incident response, ensuring that potential risks are identified and mitigated before they cause damage.

Cost savings: a smarter approach to cybersecurity

Maintaining an in-house SOC can be prohibitively expensive, requiring investments in:

  • Technology stack costs including SIEM
  • Retaining skilled personnel for 24x7 operation
  • Certifications, training and compliance
  • Threat research, threat intelligence and forensic capabilities
  • High availability infrastructure and facilities

Many organizations, particularly small and mid-sized businesses (SMBs), struggle to allocate resources for full-scale SOC operations. MSS, SOC-as-a-Service and MDR allow companies to outsource cybersecurity expertise without sacrificing quality, often cutting costs by up to 50% compared to an in-house SOC. Additionally, with predictable monthly pricing, organizations can scale security operations efficiently without unexpected budget overruns.

Managed Security Services complementing internal teams

Many businesses have IT teams tasked with security, but these teams often lack specialized cybersecurity expertise or resources to handle advanced persistent threats (APTs) and complex attack vectors. MSS, SOC-as-a-Service, and MDR solutions complement internal staff by acting as an extension of their security operations, providing additional expertise, automation, and threat intelligence that would otherwise be difficult to maintain in-house.

Seamless integration with vendor products

With a myriad of cybersecurity tools available today, businesses often struggle with product compatibility and integration. The right MSS, SOC-as-a-Service and MDR providers ensure that your security architecture works harmoniously with vendor products, eliminating gaps in visibility and enforcement while maximizing the value of existing security investments.

Compliance benefits: meeting regulatory requirements

As cybersecurity risks increase, regulatory compliance has become a top priority for businesses across industries. Organizations handling sensitive data must adhere to frameworks such as:

  • General Data Protection Regulation (GDPR)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standard (PCI DSS)

Failure to comply with security regulations can result in hefty fines, legal consequences, and reputational damage. MSS, SOC-as-a-Service and MDR help businesses stay compliant by ensuring continuous monitoring, risk assessments, and detailed security reporting. Additionally, many outsourced services enhance audit readiness by offering forensic analysis capabilities, ensuring organizations can respond effectively to regulatory inquiries.

The MSS power of OpenText MxDR

One standout solution in the MDR space is OpenText Managed Extended Detection and Response (MxDR). OpenText MxDR provides comprehensive 24x7x365 security monitoring, leveraging machine learning and MITRE ATT&CK® behavioral analytics to detect and respond to threats in real time. With a 99% detection rate and low false positives, OpenText MxDR ensures businesses can identify and neutralize cyber threats before they escalate.

Additionally, OpenText MxDR boasts an impressive mean time to detect with its EDR Agents, significantly reducing the window of opportunity for attackers. By integrating advanced threat intelligence and endpoint security, OpenText MxDR delivers proactive defense mechanisms that safeguard businesses from emerging threats.

Want to learn more about how OpenText MxDR protects your endpoints? Discover how it delivers real-time response, advanced analytics, and endpoint resilience in today’s complex cyber landscape—read the full article.

Final thoughts: proactive security is the future

Cybersecurity is no longer just about reacting to threats—it’s about proactively defending against them. Managed Security Services, SOC-as-a-Service, and MDR are indispensable components of a modern security strategy, enabling businesses to stay ahead of threats while optimizing internal resources.

If your organization hasn’t yet considered these solutions, now is the time. Investing in expert-led security services can mean the difference between a resilient security posture and a costly breach. Ready to take the next step? Let’s secure the future, together. Contact us to learn more.

* Source: S&P Global Market Intelligence presentation at RSAC 2025


The MSS power of OpenText MxDR

One standout solution in the MDR space is OpenText Managed Extended Detection and Response (MxDR). OpenText MxDR provides comprehensive 24x7x365 security monitoring, leveraging machine learning and MITRE ATT&CK® behavioral analytics to detect and respond to threats in real time. With a 99% detection rate and low false positives, OpenText MxDR ensures businesses can identify and neutralize cyber threats before they escalate.

Additionally, OpenText MxDR boasts an impressive mean time to detect with its EDR Agents, significantly reducing the window of opportunity for attackers. By integrating advanced threat intelligence and endpoint security, OpenText MxDR delivers proactive defense mechanisms that safeguard businesses from emerging threats.

Want to learn more about how OpenText MxDR protects your endpoints? Discover how it delivers real-time response, advanced analytics, and endpoint resilience in today’s complex cyber landscape—read the full article.

Final thoughts: proactive security is the future

Cybersecurity is no longer just about reacting to threats—it’s about proactively defending against them. Managed Security Services, SOC-as-a-Service, and MDR are indispensable components of a modern security strategy, enabling businesses to stay ahead of threats while optimizing internal resources.

If your organization hasn’t yet considered these solutions, now is the time. Investing in expert-led security services can mean the difference between a resilient security posture and a costly breach. Ready to take the next step? Let’s secure the future, together. Contact us to learn more.

* Source: S&P Global Market Intelligence presentation at RSAC 2025

The post Why Managed Security Services are essential in today’s cyber landscape appeared first on OpenText Blogs.

Insider threats in cybersecurity: When danger comes from within https://blogs.opentext.com/insider-threats-in-cybersecurity-when-danger-comes-from-within/ Fri, 23 May 2025 12:53:36 +0000 https://blogs.opentext.com/?p=999308574

In today's digital landscape, the most dangerous cybersecurity threats aren't always sophisticated hackers in hoodies writing malware in the dark. Sometimes, they're employees or contractors who already have legitimate access. They may not even realize they're part of the problem. Insider threats, malicious or unintentional, are increasingly becoming the easiest path into an organization's network.

On Episode 150 of the Reimagining Cyber podcast, host Ben welcomed back Tyler Moffitt, Senior Security Analyst at OpenText Cybersecurity, to explore the complex and growing issue of insider threats. From third-party vendor risks to phishing schemes and ransomware partnerships, this conversation highlighted why insider threats must be a top concern for every organization.

Breaking down insider threats

Tyler began by categorizing insider threats into two key types:

Malicious insiders – These individuals knowingly exploit their access for personal gain or revenge. Whether disgruntled employees, collaborators with threat actors, or simply susceptible to bribery, their insider knowledge can make them extremely dangerous.

Unintentional insiders – Far more common, these are employees or contractors who fall victim to phishing, social engineering, or other manipulative tactics. They may unknowingly click malicious links, give up credentials, or fall for voice phishing ("vishing") scams.

While both types are damaging, unintentional insider threats are easier to scale through social engineering campaigns and represent a broader risk surface.

Case study: Coinbase and the price of access

A chilling real-world example came from a recent breach at Coinbase, the popular cryptocurrency exchange. The attack was facilitated through a third-party contractor at an outsourced call center. Cybercriminals impersonated internal IT staff, contacted the contractor via a vishing campaign, and bribed them to gain access to internal systems.

The result? Criminals exfiltrated sensitive customer data and targeted those individuals with phishing campaigns, successfully defrauding them of cryptocurrency.

However, the company's response makes the Coinbase case particularly notable. Instead of quietly paying off the attackers to keep the breach under wraps, Coinbase went public, disclosed the breach, and offered a $20 million bounty for information leading to the perpetrators. Even more impressively, they committed to reimbursing affected customers—an unusual and commendable move in the often murky world of crypto.

This breach affected internal operations and highlighted serious risks in third-party vendor management. As Tyler points out, even if your company maintains rigorous security controls, you're only as secure as your least secure partner. Your entire infrastructure could be compromised if a contractor can be bribed or tricked into granting access.

Scattered Spider: Masters of social engineering

If Coinbase illustrates the risk of malicious insiders, the UK-based retail breaches show how unintentional insiders can be just as dangerous.

Retail giants like Marks & Spencer, Co-Op, and Harrods recently suffered outages and data exposure linked to a notorious cybercriminal group known as Scattered Spider (Octo Tempest or UNC3944). This group specializes in social engineering. It tricks internal employees—often native English speakers—into giving up credentials or resetting multi-factor authentication (MFA), which allows further infiltration.

Tyler explains that these groups act as "access brokers," working within a broader ransomware economy. Once they've gained access, they sell it to ransomware affiliates, who then deploy the actual payloads and extort companies for millions. It's a well-oiled criminal operation, and companies worldwide struggle to keep up.

Marks & Spencer, for instance, has been battling system issues for over a month following the breach. It continues to struggle with online orders, contactless payments, and even inventory shortages. The Co-Op took a more decisive approach by shutting down its systems early to cut off the attack, preventing deeper damage.

Which insider threat is worse: Malicious or unintentional?

Tyler's answer is clear: unintentional insiders represent the bigger threat. Why? Because malicious insiders, while severe, are limited in scale. Bribing or turning an employee takes effort and coordination. But unintentional insiders? They're everywhere, and they're vulnerable. With phishing and social engineering attacks, threat actors can target thousands at once, hoping that even a small percentage will fall for it.

And with AI now empowering scammers to create deepfake voices, realistic spoofed emails, and convincing fake Slack messages, it's getting harder for employees to detect fraud.

Remote work adds fuel to the fire

Remote and hybrid work environments, which have become the norm since the pandemic, further complicate the insider threat landscape. Verifying identities and intentions is more challenging when employees aren't physically present. Tyler notes that the decentralized nature of remote work makes impersonation schemes more plausible and successful.

Defending against insider threats

Despite the doom and gloom, there are practical defenses organizations can deploy. Tyler emphasizes the importance of layered security, including:

  • Zero-trust mindset: Don't assume that just because someone is inside the network, they're trustworthy. Validate everything, especially identity and access.
  • Least privilege access: Only give employees and contractors the minimal level of access necessary for their roles. Implement secure escalation protocols for sensitive actions like MFA resets.
  • MFA hardening: Require multiple levels of identity verification, especially for support or admin-level users. Video verification and secure PINs can provide additional safeguards.
  • Behavior analytics: Monitor user behavior to detect anomalies, such as logins at odd hours or unusual system access patterns.
  • Training: Regularly educate all employees, especially those in support roles, on recognizing phishing, social engineering attempts, and internal impersonation scams.
  • Vendor security: Vet your third-party vendors thoroughly. Ensure their security standards match yours, especially if they handle customer data or sensitive internal systems.
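To make the "behavior analytics" and "least privilege access" bullets above concrete, here is an added example (not code from the podcast, the post, or OpenText) that runs a small baseline-then-deviate check over constructed login records: it learns which hosts each user normally touches during a baseline window, then flags off-hours activity, logins to hosts never seen for that user, and privileged help-desk actions such as MFA resets performed by someone outside the approved admin group. The log format, user names, hosts, business-hours window and admin list are all assumed for illustration.

```python
"""Toy behavior-analytics detector for insider-threat signals.

Added example, not code from the original post or from OpenText. The log
format, user names, hosts, business-hours window and admin list below are
constructed/assumed purely for illustration.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample records: ISO timestamp, user, action, target.
# Days 1-2 are routine; day 3 contains a 02:47 login to a never-before-seen
# finance host followed by an MFA reset issued by a non-admin user.
SAMPLE_LOG = """\
2025-05-12T09:05:00 alice login fileserver01
2025-05-12T09:40:00 alice login fileserver01
2025-05-12T10:12:00 bob login hr-portal
2025-05-12T11:00:00 carol login jump01
2025-05-13T09:15:00 alice login fileserver01
2025-05-13T13:30:00 bob login hr-portal
2025-05-13T14:02:00 carol login jump01
2025-05-14T02:47:00 bob login finance-db
2025-05-14T03:02:00 bob mfa_reset alice
2025-05-14T09:30:00 carol login jump01
"""

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed normal working window
BASELINE_DAYS = 2                            # first N calendar days = "normal"
PRIVILEGED_ACTIONS = {"mfa_reset"}           # actions that need an approved role
HELPDESK_ADMINS = {"carol"}                  # assumed allow-list for those actions


def parse_line(line):
    """Parse one whitespace-separated record into a dict."""
    ts, user, action, target = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "action": action, "target": target}


def in_business_hours(ts, hours=BUSINESS_HOURS):
    start, end = hours
    return start <= ts.time() < end


def analyse(log_text, baseline_days=BASELINE_DAYS, hours=BUSINESS_HOURS,
            admins=HELPDESK_ADMINS):
    """Return (user, timestamp, reason) findings for events after the baseline."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    if not events:
        return []
    baseline_end = events[0]["ts"].date() + timedelta(days=baseline_days)
    seen_targets = defaultdict(set)   # user -> hosts logged into so far
    findings = []
    for e in events:
        user, when = e["user"], e["ts"].isoformat()
        if e["ts"].date() < baseline_end:
            # Baseline window: only learn, never alert.
            if e["action"] == "login":
                seen_targets[user].add(e["target"])
            continue
        if not in_business_hours(e["ts"], hours):
            findings.append((user, when, "off_hours_activity"))
        if e["action"] == "login":
            if e["target"] not in seen_targets[user]:
                findings.append((user, when, f"new_target:{e['target']}"))
            seen_targets[user].add(e["target"])   # learn after flagging once
        if e["action"] in PRIVILEGED_ACTIONS and user not in admins:
            findings.append((user, when,
                             f"unauthorized_privileged_action:{e['action']}"))
    return findings


def risk_by_user(findings):
    """Count findings per user so an analyst can triage the noisiest identity first."""
    score = defaultdict(int)
    for user, _, _ in findings:
        score[user] += 1
    return dict(score)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(*finding)
    print(risk_by_user(analyse(SAMPLE_LOG)))
```

In real deployments the baseline would come from weeks of SIEM or identity-provider data rather than two days, and the privileged-action check would consult the IdP's role assignments instead of a hard-coded set; the structure, though, is the same: learn normal per identity, alert on deviation, and treat sensitive help-desk actions as something that requires an explicitly authorized role.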

The insider threat will grow

As cybercriminals become more creative and organizations become more distributed, the insider threat will only grow. Whether it's a bribed contractor or a tricked help desk agent, people have become the new perimeter—and that perimeter is fragile.

The solution? Invest in people-first security strategies, harden your identity controls, and never underestimate the importance of awareness and training. In the world of cybersecurity, trust must be earned continuously.

As Tyler put it, "Identity is the new perimeter."

Listen to this latest episode of Cybersecurity Reimagined on your favorite podcast app by clicking on the share button below. You can also listen to any of our previous episodes on demand.


The post Insider threats in cybersecurity: When danger comes from within appeared first on OpenText Blogs.

Select the right cybersecurity AI tools with these 3 crucial steps https://blogs.opentext.com/select-the-right-cybersecurity-ai-tools-with-these-3-crucial-steps/ Fri, 16 May 2025 14:44:49 +0000 https://blogs.opentext.com/?p=999308523

The overwhelming impression from the just-wrapped-up RSA conference, or any other cybersecurity conference, is that AI is everywhere. There are dozens, if not hundreds, of AI-based cybersecurity tools with look-alike UIs and extremely similar features. They all sprinkle their marketing materials with the same buzzwords: GenAI, Agentic AI, AI assistants, etc.

One thing is clear: every cybersecurity team will have to use AI tools, and the sooner the better. Most of the people we met with had the same question: how to choose the best solution for their team. I have been building cybersecurity AI solutions for over a decade. Here is a consideration framework that can assist you with that decision.

1- Define what your team needs with a cybersecurity AI tool

Even though cybersecurity professionals are all tasked with protecting their organizations, the circumstances vary from team to team. There are four major dimensions to consider: the threats you face, the data you have, your team's composition, and your processes and workflows.

The threats you face

Let's start by identifying the primary threats that your organization is concerned with, whether AI-driven or not. What are the main security problems you're trying to solve by adding a new tool to your arsenal? Ideally, you want to compile that list using a data-driven approach. Consult the results of your red team activities. Are there any blind spots in your existing tools?

Monitor news of the main threats and breaches that affect your industry or similar organizations. What are the high-return targets or goals that malicious actors may pursue in your organization? Are there geo-political tensions and events that may spike specific types of threats aimed at your organization?

Make sure to include in your threat prioritization process the notion of how likely they are to strike your organization and how much damage they will cause if you miss them. For instance, the healthcare industry is experiencing the rise of phishing and ransomware attacks aimed at sensitive patient data exfiltration. Meanwhile, for the financial industry this year, it is advisable to be on the watch for APTs, nation-state-sponsored espionage as well as supply chain and vendor vulnerabilities in addition to ransomware attacks.

The data you have

Check your cybersecurity data inventory. Compose a list of all data sources that you are currently using. Add information about each source's coverage and how accurate its data is. For example, if your organization deploys a mixture of endpoint agents, providing only some of the logs to your AI system may result in a partial view with some aspects of an attack missing.

Low-quality or incomplete data will require additional cleanup and filtering; otherwise it will not only fail to produce valuable results in your AI system but will degrade output quality, burying the signal in the noise. Your AI model can only be as good as the data you feed into it.

Your team's composition

Every cybersecurity team has a unique composition as well as distinctive styles of communication and collaboration patterns. The AI tools should empower your team rather than set up a trap.

Consider the expertise of your team members. For example, a team composed of seasoned threat hunters versus a team of newly hired SOC analysts will need different tools with different levels of detail and context. Is your team uniform in its areas of expertise and tasks, or is it composed of several "specialists" who tend to have deeper expertise in specific areas of threat hunting, digital forensics, or mitigation techniques?

Some AI assistants provide the flexibility to tailor their answers to the user's level and area of expertise. Has your team been exposed to AI in the past? Consider how much assistance your team will need to get up to speed with AI tools. Which would benefit them more: a highly configurable, hands-on, direct-interaction AI tool, or something that works behind the scenes, incorporating AI enhancements into already familiar types of interactions and interfaces? Keep in mind the famous Spiderman quote: "With great power comes great responsibility".

Size of the team

The size of SOC and threat-hunting teams can vary from a "one-person shop" to dozens of members. Smaller teams are likely to be much faster adopters and to use direct communication methods, while larger teams are more likely to have more levels in their internal org structure. If this is the case, the ability to create specialized reports using AI agents, or to automate the generation and distribution of the latest status summaries, is a valuable feature for your team.

Distribution of the team

Some teams are collocated, while others are distributed across different geo-locations. This factor often affects communication patterns and methods. The AI tool should enhance the type of communication that currently prevails in your team and solve existing problems. For example, a team distributed across a wide range of time zones will benefit from automated, detailed AI-generated reporting.

Your processes and workflows

Your team has already established "well-oiled" team practices. Independent of the origin of these routines, they've withstood the test of time and are reasonably effective. Take an inventory of these, so you don't throw the baby out with the bathwater in your excitement to embrace AI. Consider:

  • Investigation workflows
  • Incident handling policies
  • Inter- and intra-team reporting methods
  • Response techniques

What can you optimize with AI? Where can your team save some time by implementing automated Agentic AI workflows? Which decisions do you want to avoid delegating to AI?

You must set up "healthy boundaries" and determine what you can delegate to an AI system and what you want done by a human. Finally, the integration of the new tool should be organic: it should enhance and improve your team's working life. Choose evolution over revolution. If you must mandate usage of a tool, or if the same tasks take longer and the quality of the work goes down even after the expected "ramping-up" period that is natural for any new tool adoption, you should explore different options.

Now that you've created a tailored "wish list" of features and capabilities, prioritize it according to your needs. Make sure to note which are must-haves and which are just nice-to-haves. You may also want to consider incorporating multiple AI tools with complementary capabilities.

2- Avoid the red flags of some cybersecurity AI tools

Now let's look at what you don't want to see in an AI solution that you consider.

Can’t try before you buy

How do you verify that an AI solution fits your list of parameters? You can try evaluating an AI tool based on the marketing materials and demos. However, the best option is to "test drive" it. If a vendor provides an opportunity to try the AI solution on your data and provides hands-on experience with the system for your team - go for it. It is by far the best option and speaks volumes about the confidence of the vendor in their solution. If you must commit before seeing the performance of the tool on your data, this should be your first red flag.

Obscure models

Another red flag is undisclosed details of the core AI models, specifically if the vendor refuses to provide any information about the origin of the models or the data the vendor used to train or fine-tune them. Naturally, you will not get a level of detail that could benefit their competitors, but you should be able to verify that the AI model adheres to the standards and policies of your organization.

The absence of that information makes it extremely hard to evaluate the AI solution for ethics, privacy, security, and even the legality of the model usage for your use case. With laws and regulations tightening around the world in real time, what was acceptable yesterday may no longer be that tomorrow.

Fuzzy AI ethics

The topic of ethical AI is repeatedly surfacing in the headlines of major media outlets. Why is it important for your selection of AI-powered cybersecurity tools? Without ethical considerations and guardrails, AI can cause a wide range of issues:

  • Misinformation
  • Bias and discrimination
  • Compromised data privacy
  • IP Infringement
  • Insufficient governance and accountability

The consequences of these issues can pass to you if the vendor uses an AI system that does not address them.

Results lacking explainability and transparency

It is alarming if the signals are hard to explain. It isn't sufficient for the AI system to merely indicate that some activity or user is risky; it should provide a clear explanation of the evidence that led it to that conclusion. Better still, it should let you drill down to the specific raw events behind that conclusion.

Your top attacks aren’t there

The next red flag is less definitive. It is possible that even though your top-priority threats aren't listed in the vendor's coverage material, the system will still detect them. If you can, red team these attacks and test drive the tool on your data. This will allow you to verify experimentally how effectively the AI tool detects these attacks. However, if you can't test, and your top use cases aren't mentioned, the chances are high that you will have weak or no coverage for at least some of them from that AI system.

Adoption of the tool will break your current process

Also consider compatibility between the AI tool and your current work processes. Adoption of the new tool should enhance your team's productivity and the quality of their work. If the AI tool doesn't align with your team's current workflow, or if you must mandate its adoption, it is unlikely to be the right fit.

Note that there will be some kind of learning curve. A reliable vendor should provide sufficient training, onboarding or threat hunting services to minimize the ramping-up time for your team and get them up to speed without missing a beat.

You don't see the tool saving you money

The final red flag is if you don't see the tool saving you money, or time, which is also money. Most of our teams have limited resources and budgets. When you consider adopting a new AI tool, ask yourself the following questions. Do you expect it to save time for your team and broader costs for your organization? If yes, try to be as specific as possible in your estimates; this will help you compare multiple AI tools or their combinations. Consider your existing operational costs as well as the potential costs of delayed detections or even missed attacks.

3- Evaluate the cybersecurity AI tool

Here are proven best practices for your evaluation methodology:

  • Assess it in conditions as close to reality as possible. Specifically, the data that you are trying the AI tool on should be composed of a wide variety of data sources (for instance, include at least one endpoint data source and one authentication data source to cover a broad variety of attacks).
  • Include an assortment of devices and user types similar to what you have in your organization.
  • "Red team it" and be as specific and close to your prioritized list of threats as possible.
  • Ideally, you should test for both quick, targeted attacks and advanced persistent threats. Let's be honest, you don't need a sophisticated algorithm to detect an obvious DDoS attack.
  • Bring into the evaluation process at least one of your "frontline" team members who spends most of their day monitoring the alerts, threat hunting, analyzing the logs, and responding to the attacks.

Now you have a solid, systematic way to find the tool that helps your team succeed in your own unique combination of requirements and circumstances.

OpenText Executive Vice President, Security Products, Muhi Majzoud, recently spoke to Bank Info Security about the integration of GenAI and threat detection and response in cybersecurity strategy. Watch the interview.

You can also view presentations by OpenText data scientists at RSA on demand or use our complimentary threat detection and response checklist to assess vendors.

The post Select the right cybersecurity AI tools with these 3 crucial steps appeared first on OpenText Blogs.

The road to Digital Forensics and Incident Response
https://blogs.opentext.com/the-road-to-digital-forensics-and-incident-response/ Mon, 12 May 2025 18:55:07 +0000 https://blogs.opentext.com/?p=999308440

Cybersecurity is a major concern for organizations today. As cyber threats grow more complex, the need for strong mechanisms to detect, respond to, and investigate incidents is crucial. Digital Forensics and Incident Response (DFIR) is a key part of modern cybersecurity strategies. It helps organizations mitigate the impact of cyber incidents, understand their root causes, and prevent future occurrences. This blog explores DFIR, its importance, and how OpenText™ can help organizations be cyber resilient.

A brief history of (computer) time

Decades ago, business automation relied on isolated computing platforms like midrange and mainframe computers. These systems operated on private networks with limited connections to the public internet. As a result, the number of vulnerabilities and the risk of exploitation were low compared to other enterprise risks.

Today, multi-tiered and hybrid on/off-premises solutions are common. The internet is everywhere, and many employees work remotely on untrusted networks. This shift has increased the need for strong cybersecurity solutions, and alongside it the need to manage incident response and digital forensics.

Incident response and digital forensics

Incident response started in IT Operations, focusing on specific platforms or software. As cybersecurity threats evolved, incident response integrated with digital forensics. This integration provides a complete approach to managing and mitigating cyber incidents. It ensures organizations can detect and respond to incidents and understand what happened.

Need for digital forensics

Organizations face increasingly sophisticated attacks. Detecting and responding to incidents and understanding what happened is critical. Digital forensics provides this ability. Mature forensic capabilities help security teams reconstruct attack timelines, identify root causes, recover compromised data, and understand attacker motives and techniques.

For environments with regulatory compliance, forensic evidence may be legally required for reporting, liability assessments, or litigation. Without sound forensics, organizations risk making decisions based on incomplete or inaccurate information, potentially worsening the damage caused by an incident.

The evolving threat landscape

The cyber threat landscape includes both external and internal adversaries. Nation-state actors, ransomware groups, and organized cybercriminals continue to evolve their tactics. Internal threats from disgruntled employees, careless insiders, or compromised internal accounts are also common.

Moreover, remote work and decentralized networks have expanded the attack surface. This makes it easier for insiders and outsiders to exploit weak points in a digital ecosystem. Additionally, integrating third-party vendors and supply chains into core business operations extends threats beyond traditional perimeter defenses. Therefore, modern organizations must be vigilant and ready to investigate incidents from all angles.

DFIR posture and success criteria

A mature DFIR posture involves a proactive and integrated approach to threat detection, containment, investigation, and recovery. Successful DFIR programs combine automated detection tools, playbooks for incident triage, real-time alerting, and a seasoned response team.

Key success criteria include clearly defined roles and responsibilities, the ability to collect and preserve forensic evidence legally, rapid containment procedures, and post-incident reviews. Metrics like mean time to detect (MTTD), mean time to respond (MTTR), and the quality of forensic reporting indicate how well an organization can respond to cyber threats. These metrics are often required to meet service level agreements with clients and customers.

OpenText solutions for DFIR

OpenText offers solutions to enhance an organization's DFIR capabilities. These solutions enable efficient collection, analysis, and reporting of evidence from various data sources. Here are some key services and tools provided by OpenText:

  1. Digital Forensics and Incident Response Solutions (EnCase): OpenText's DFIR solutions help organizations collect, analyze, and report on evidence from various data sources. These solutions streamline incident response investigations, helping teams quickly identify the intrusion source, impacted systems, and root cause while preserving all evidence. For more details, visit the Digital Forensics and Incident Response page.
  2. Incident Response (IR) Services: OpenText provides tools that speed up the triage of IR artifacts. These tools help security teams quickly understand the full extent, impact, and nature of a security compromise. They also offer visibility into forensic artifacts to identify the root cause and timeline of an incident. For more information, check out OpenText IR Services.
  3. Forensic Lab Advisory: OpenText's Forensic Lab Advisory service provides expert guidance and support for forensic investigations. This service ensures that critical digital evidence is captured and analyzed, improving response effectiveness and helping organizations recover from incidents more quickly. Learn more about the Forensic Lab Advisory Service.

Where do we go from here?

Organizations serious about cyber resilience are increasingly turning to DFIR retainers. A DFIR retainer provides guaranteed access to seasoned incident response professionals and forensic investigators when an incident occurs. These retainers often include readiness assessments, tabletop exercises, and ongoing consulting to enhance the organization’s defensive posture.

With cyber insurance providers and compliance frameworks emphasizing the importance of documented response plans and expert support, a DFIR retainer is a strategic necessity. It bridges the gap between reactive and proactive security and ensures that when the unexpected happens, the organization steps into action with clarity and confidence.

As cyber threats continue to evolve, having a strong DFIR strategy is essential for maintaining operational continuity and protecting sensitive information. OpenText's comprehensive DFIR solutions and services help organizations effectively manage and mitigate cyber incidents. If you're interested in discussing how OpenText can support your DFIR needs and enhance your cybersecurity posture, reach out to us at SecurityServices@opentext.com. Our team of experts is ready to assist you in building a resilient and proactive security framework.

Co-Author: Mark Cappers is a Principal Consultant for OpenText Managed Security Services and a seasoned consultant with over 20 years of experience in security, networking, and computing environments. Mark has specialized in information security, contributing to the founding of the EDS GIS Security Incident Response/Forensics team and leading enterprise security projects for global clients. Joining OpenText in 2017, he continued his career as a seasoned digital forensics and IR practitioner. Today, Mark advises customers on their e-Discovery, Digital Forensics, and Security Incident Response needs.

The post The road to Digital Forensics and Incident Response appeared first on OpenText Blogs.

The clock is ticking: Financial cyberattacks are more dangerous than ever
https://blogs.opentext.com/the-clock-is-ticking-financial-cyberattacks-are-more-dangerous-than-ever/ Fri, 02 May 2025 13:57:10 +0000 https://blogs.opentext.com/?p=999308319

In February 2025, Bybit, a major cryptocurrency exchange, suffered one of the largest heists in digital finance history. Hackers stole $1.5 billion in Ethereum by exploiting security weaknesses. While this attack was external, the financial services industry faces an even greater threat—insider-driven breaches.

In recent months, malicious insiders have been caught selling confidential bank client data, leaving customers vulnerable to fraud and identity theft. Even government institutions aren’t safe, as seen in the CFPB breach where an ex-employee illegally transferred the personal data of over 250,000 consumers.

Insider threats: a growing concern

Unlike external cyberattacks, insider threats are harder to detect because they come from employees or contractors who already have access to sensitive systems. According to Verizon’s 2023 Data Breach Investigations Report, insider threats now account for three out of every four data breaches.

The financial sector is particularly vulnerable:

  • The average data breach cost in financial services rose to $6.08 million in 2024, up from $5.90 million the previous year (Statista, Cost of data breaches in financial industry worldwide, 2024).
  • 64% of financial firms have more than 1,000 sensitive files accessible to every employee (Varonis, 82 Must-Know Data Breach Statistics, 2024).
  • Cybersecurity talent shortages have hit a record 4.8 million unfilled positions, weakening financial institutions’ ability to detect insider threats (ISC2, Growth of Cybersecurity Workforce Slows in 2024 as Economic Uncertainty Persists, 2024).

The solution: AI-powered behavioral analytics

Traditional security tools often fail to detect insider-driven breaches, leaving financial institutions exposed. OpenText Core Threat Detection and Response provides an AI-powered, behavioral analytics-driven solution to proactively detect and mitigate these threats before they escalate.

With features like unsupervised machine learning-based anomaly detection, behavioral risk scoring, and seamless integration with Microsoft Defender for Endpoint, Microsoft Entra ID, and Microsoft Copilot, OpenText helps financial organizations automate threat hunting and detect insider and other elusive threats in days instead of months, reducing the cost and damage of breaches.

Don’t wait for the next breach

The stakes have never been higher. Whether it’s billion-dollar crypto heists or employees leaking sensitive data, financial institutions must act now. We’ve got you covered with our latest guide to AI-powered threat detection and response in the financial services industry. Learn how you can elevate your organization’s defense against unknown threats posing some of the biggest cybersecurity challenges.

The post The clock is ticking: Financial cyberattacks are more dangerous than ever appeared first on OpenText Blogs.
