Threat Alerts Archives - OpenText Blogs (https://blogs.opentext.com/category/news-events/threat-alerts/), feed last updated Fri, 20 Jun 2025 12:59:56 +0000

People, risk, and the modern CISO
https://blogs.opentext.com/people-risk-and-the-modern-ciso/
Tue, 17 Jun 2025 19:36:48 +0000

Chief Information Security Officer (CISO)

This year’s CISO Bootcamp at RSAC 2025 was a powerful reminder that while technology continues to evolve, the heart of cybersecurity remains the same: people and risk management. The role of the CISO (Chief Information Security Officer) is more complex than ever — balancing business alignment, technical oversight, and team leadership in a world of constant change.

Here are the key takeaways that every security leader should reflect on — and how partnering with the right MSSP (Managed Security Service Provider), like OpenText™, can help you stay ahead.

1. The CISO role is about risk, not just technology

The modern CISO is first and foremost a risk manager. The bootcamp emphasized that understanding and articulating risk is more important than knowing every tool in the stack.

If a risk isn’t communicated, it doesn’t exist

Transparency is essential. CISOs must ensure that risks are documented, communicated, and addressed. This is where a strong MSSP can be a game-changer. OpenText’s Risk & Compliance Advisory Services help CISOs identify, assess, and communicate risk in a way that aligns with business priorities.

Are you doing business in the EU? See the related post, Ensuring compliance with the NIS2 Directive.

2. Simplify and modernize your tech stack

Many organizations are burdened by complex, overlapping security tools. The advice from RSAC was clear: simplify. Focus on outcomes, not tool count.

Whether you’re building from scratch or modernizing, OpenText’s end-to-end Cybersecurity solutions — overseen by our Managed Security Services — can help you streamline operations, reduce noise, and focus on what matters most: protecting your business.

3. Build a team that has your back

Leadership is about people. The best CISOs build teams that are diverse, resilient, and aligned. Some of the most practical advice from the bootcamp included:

  • Spend time with your team — take 15 minutes per person regularly.
  • Foster a no-ego, no-jerk culture — because culture is everything.
  • Diversity means bringing in people from both inside and outside cyber.
  • Support your team like family. Recognition should flow to them, not to you.

If your team can meet without you and still move toward the North Star, you’re doing it right

4. Communicate like a business leader

CISOs must be exceptional communicators. That means translating technical risk into business language and aligning with corporate executive priorities.

Yes, we can—but here’s what it takes

This mindset positions the information security team as a business enabler. And when you need to benchmark or prioritize, OpenText’s Risk and Compliance Advisory — including our Security Assessment — can provide the insights and peer comparisons you need to make informed decisions.

5. Cybersecurity in 2025: Still a people problem

Despite the rise of AI and automation, the consensus at RSAC was clear: cybersecurity is still about people. You need a lean, skilled, and trusted team.

Experience is the sum of your failures

That’s why it’s critical to invest in people, not just tools. OpenText’s Managed Extended Detection and Response (MxDR) is designed to augment your internal team, not replace it — giving you access to top-tier talent and 24/7 coverage without the overhead.

6. Justify your headcount with trust and data

Budget constraints are real. To justify your team size, you need:

  • Benchmarking – Compare your team structure to industry standards.
  • Peer consultation – Talk to other CISOs about how they build out their team and model their security strategies.

But most importantly, you need trust. Build credibility with your CEO and your Board by showing that your team is aligned with business goals and delivering measurable value. OpenText can help you map your program to industry benchmarks and provide the data you need to make your case.

7. Today’s threat landscape: Beyond technology

Cybersecurity is no longer just about firewalls and endpoints. Today’s threats are shaped by:

  • Geopolitical tensions
  • Third-party risks
  • Regulatory pressure
  • Human behavior

Attackers in 2025 are targeting your communications, your information, your infrastructure, and are placing backdoors. It’s not a matter of if an incident will happen — it’s when. That’s why OpenText’s Digital Forensics and Incident Response (DFIR) services are so critical.

8. Define the North Star, not the roadmap

As a CISO, your job is to define the vision, not micromanage the execution. The roadmap will change. Threats will evolve. But your North Star — your guiding principles — should remain constant.

Let your team own the roadmap. Empower them to adapt, innovate, and lead. Your role is to remove obstacles, build culture, and keep everyone aligned.

9. Practice, practice, practice

Whether it’s tabletop exercises, red team drills, or communication rehearsals, practice is everything. The more you train, the more confident your team will be when the real thing happens.

OpenText’s Incident Response Simulation drills your team and the entire organization to gain awareness, confidence, and readiness for the inevitable incident.

10. Final thought: who has your back?

The CISO role is demanding, high-stakes, and often lonely. That’s why it’s essential to surround yourself with people—and partners—who support you.

Pick a leadership team that has your back

For many organizations, that includes a trusted MSSP. OpenText Managed Security Services offer a full spectrum of cybersecurity services—from strategic advisory to 24/7 threat detection and response. Whether you’re building a program from scratch or looking to mature your existing capabilities, OpenText has software solutions for SMB and Enterprise as well as the expertise, scale, and commitment to help you succeed.

The modern CISO must be a risk manager, a business enabler, a people leader, a clear communicator, and a visionary. Technology is important—but it’s the last piece of the puzzle. The real work is aligning security with business goals, building strong teams, and leading with empathy and clarity. If you’re a CISO in 2025, remember: It’s still about people. And the right partner makes all the difference.

Explore OpenText Cybersecurity Solutions

Ready to strengthen your cybersecurity program? Discover how OpenText’s end-to-end Cybersecurity Services can help you lead with confidence through our Risk & Compliance Advisory, Digital Forensics and Incident Response (DFIR), and other Cybersecurity Services.

Whether you're building from scratch or maturing your program, OpenText Managed Security Services offers the scale, expertise, and commitment to help you succeed—across SMB and enterprise environments.

Why Managed Security Services are essential in today’s cyber landscape
https://blogs.opentext.com/why-managed-security-services-in-todays-cyber-landscape/
Thu, 29 May 2025 10:30:11 +0000

In an era where cyber threats are relentless and constantly evolving, where regulatory and industry requirements keep increasing, and where unstaffed information security roles remain a challenge, businesses cannot afford to rely solely on traditional security measures. The complexity of modern security operations requires a proactive approach—one that ensures round-the-clock protection, augments internal capabilities, and seamlessly integrates with multiple vendor products. This is precisely where Managed Security Services (MSS), SOC-as-a-Service, and Managed Detection & Response (MDR) come into play.

Recent data highlights the growing reliance on managed security services to address cybersecurity challenges. According to industry research*, a significant share of organizations (29%) have added MSS solutions to augment their security teams. The same research reports that:

  • 23% of organizations are centralizing resources to optimize security operations.
  • 28% are divesting the security team or reducing staff.
  • 37% report no significant changes, indicating a potential gap in security preparedness.

These trends underscore the critical need for MSS, SOC-as-a-Service, and MDR solutions to enhance security resilience and mitigate risks effectively.

24x7 Managed Security Services monitoring: why it’s a must

Cyber threats don’t take breaks, and neither should your security. Organizations often struggle with maintaining a fully operational Security Operations Center (SOC) that runs efficiently 24/7. MSS and SOC-as-a-Service provide continuous monitoring, threat detection, and incident response, ensuring that potential risks are identified and mitigated before they cause damage.

Cost savings: a smarter approach to cybersecurity

Maintaining an in-house SOC can be prohibitively expensive, requiring investments in:

  • Technology stack costs including SIEM
  • Retaining skilled personnel for 24x7 operation
  • Certifications, training and compliance
  • Threat research, threat intelligence and forensic capabilities
  • High availability infrastructure and facilities

Many organizations, particularly small and mid-sized businesses (SMBs), struggle to allocate resources for full-scale SOC operations. MSS, SOC-as-a-Service and MDR allow companies to outsource cybersecurity expertise without sacrificing quality, often cutting costs by up to 50% compared to an in-house SOC. Additionally, with predictable monthly pricing, organizations can scale security operations efficiently without unexpected budget overruns.

Managed Security Services complementing internal teams

Many businesses have IT teams tasked with security, but these teams often lack specialized cybersecurity expertise or resources to handle advanced persistent threats (APTs) and complex attack vectors. MSS, SOC-as-a-Service, and MDR solutions complement internal staff by acting as an extension of their security operations, providing additional expertise, automation, and threat intelligence that would otherwise be difficult to maintain in-house.

Seamless integration with vendor products

With a myriad of cybersecurity tools available today, businesses often struggle with product compatibility and integration. The right MSS, SOC-as-a-Service and MDR providers ensure that your security architecture works harmoniously with vendor products, eliminating gaps in visibility and enforcement while maximizing the value of existing security investments.

Compliance benefits: meeting regulatory requirements

As cybersecurity risks increase, regulatory compliance has become a top priority for businesses across industries. Organizations handling sensitive data must adhere to frameworks such as:

  • General Data Protection Regulation (GDPR)
  • Health Insurance Portability and Accountability Act (HIPAA)
  • Payment Card Industry Data Security Standard (PCI DSS)

Failure to comply with security regulations can result in hefty fines, legal consequences, and reputational damage. MSS, SOC-as-a-Service and MDR help businesses stay compliant by ensuring continuous monitoring, risk assessments, and detailed security reporting. Additionally, many outsourced services enhance audit readiness by offering forensic analysis capabilities, ensuring organizations can respond effectively to regulatory inquiries.

The MSS power of OpenText MxDR

One standout solution in the MDR space is OpenText Managed Extended Detection and Response (MxDR). OpenText MxDR provides comprehensive 24x7x365 security monitoring, leveraging machine learning and MITRE ATT&CK® behavioral analytics to detect and respond to threats in real time. With a 99% detection rate and low false positives, OpenText MxDR ensures businesses can identify and neutralize cyber threats before they escalate.

Additionally, OpenText MxDR boasts an impressive mean time to detect with its EDR Agents, significantly reducing the window of opportunity for attackers. By integrating advanced threat intelligence and endpoint security, OpenText MxDR delivers proactive defense mechanisms that safeguard businesses from emerging threats.

Want to learn more about how OpenText MxDR protects your endpoints? Discover how it delivers real-time response, advanced analytics, and endpoint resilience in today’s complex cyber landscape—read the full article.

Final thoughts: proactive security is the future

Cybersecurity is no longer just about reacting to threats—it’s about proactively defending against them. Managed Security Services, SOC-as-a-Service, and MDR are indispensable components of a modern security strategy, enabling businesses to stay ahead of threats while optimizing internal resources.

If your organization hasn’t yet considered these solutions, now is the time. Investing in expert-led security services can mean the difference between a resilient security posture and a costly breach. Ready to take the next step? Let’s secure the future, together. Contact us to learn more.

* Source: S&P Global Market Intelligence presentation at RSAC 2025

The road to Digital Forensics and Incident Response
https://blogs.opentext.com/the-road-to-digital-forensics-and-incident-response/
Mon, 12 May 2025 18:55:07 +0000

Digital Forensics and Incident Response

Cybersecurity is a major concern for organizations today. As cyber threats grow more complex, the need for strong mechanisms to detect, respond to, and investigate incidents is crucial. Digital Forensics and Incident Response (DFIR) is a key part of modern cybersecurity strategies. It helps organizations mitigate the impact of cyber incidents, understand their root causes, and prevent future occurrences. This blog explores DFIR, its importance, and how OpenText™ can help organizations be cyber resilient.

A brief history of (computer) time

Decades ago, business automation relied on isolated computing platforms like midrange and mainframe computers. These systems operated on private networks with limited connections to the public internet. As a result, the number of vulnerabilities and risks of exploitation were lower compared to other enterprise risks.

Today, multi-tiered and hybrid on/off-premises solutions are common. The internet is everywhere, and many employees work remotely on untrusted networks. Consequently, this shift has increased the need for strong cybersecurity solutions. Alongside this evolution is the need for managing incident response and digital forensics.

Incident response and digital forensics

Incident response started in IT Operations, focusing on specific platforms or software. As cybersecurity threats evolved, incident response integrated with digital forensics. This integration provides a complete approach to managing and mitigating cyber incidents. It ensures organizations can detect and respond to incidents and understand what happened.

Need for digital forensics

Organizations face increasingly sophisticated attacks. Detecting and responding to incidents and understanding what happened is critical. Digital forensics provides this ability. Mature forensic capabilities help security teams reconstruct attack timelines, identify root causes, recover compromised data, and understand attacker motives and techniques.

For environments with regulatory compliance, forensic evidence may be legally required for reporting, liability assessments, or litigation. Without sound forensics, organizations risk making decisions based on incomplete or inaccurate information, potentially worsening the damage caused by an incident.

The evolving threat landscape

The cyber threat landscape includes both external and internal adversaries. Nation-state actors, ransomware groups, and organized cybercriminals continue to evolve their tactics. Internal threats from disgruntled employees, careless insiders, or compromised internal accounts are also common.

Moreover, remote work and decentralized networks have expanded the attack surface. This makes it easier for insiders and outsiders to exploit weak points in a digital ecosystem. Additionally, integrating third-party vendors and supply chains into core business operations extends threats beyond traditional perimeter defenses. Therefore, modern organizations must be vigilant and ready to investigate incidents from all angles.

DFIR posture and success criteria

A mature DFIR posture involves a proactive and integrated approach to threat detection, containment, investigation, and recovery. Successful DFIR programs combine automated detection tools, playbooks for incident triage, real-time alerting, and a seasoned response team.

Key success criteria include clearly defined roles and responsibilities, the ability to collect and preserve forensic evidence legally, rapid containment procedures, and post-incident reviews. Metrics like mean time to detect (MTTD), mean time to respond (MTTR), and the quality of forensic reporting indicate how well an organization can respond to cyber threats. These metrics are often required to meet service level agreements with clients and customers.

OpenText solutions for DFIR

OpenText offers solutions to enhance an organization's DFIR capabilities. These solutions enable efficient collection, analysis, and reporting of evidence from various data sources. Here are some key services and tools provided by OpenText:

  1. Digital Forensics and Incident Response Solutions (EnCase): OpenText's DFIR solutions help organizations collect, analyze, and report on evidence from various data sources. These solutions streamline incident response investigations, helping teams quickly identify the intrusion source, impacted systems, and root cause while preserving all evidence. For more details, visit the Digital Forensics and Incident Response page.
  2. Incident Response (IR) Services: OpenText provides tools that speed up the triage of IR artifacts. These tools help security teams quickly understand the full extent, impact, and nature of a security compromise. They also offer visibility into forensic artifacts to identify the root cause and timeline of an incident. For more information, check out OpenText IR Services.
  3. Forensic Lab Advisory: OpenText's Forensic Lab Advisory service provides expert guidance and support for forensic investigations. This service ensures that critical digital evidence is captured and analyzed, improving response effectiveness and helping organizations recover from incidents more quickly. Learn more about the Forensic Lab Advisory Service.

Where do we go from here?

Organizations serious about cyber resilience are increasingly turning to DFIR retainers. A DFIR retainer provides guaranteed access to seasoned incident response professionals and forensic investigators when an incident occurs. These retainers often include readiness assessments, tabletop exercises, and ongoing consulting to enhance the organization’s defensive posture.

With cyber insurance providers and compliance frameworks emphasizing the importance of documented response plans and expert support, a DFIR retainer is a strategic necessity. It bridges the gap between reactive and proactive security and ensures that when the unexpected happens, the organization steps into action with clarity and confidence.

As cyber threats continue to evolve, having a strong DFIR strategy is essential for maintaining operational continuity and protecting sensitive information. OpenText's comprehensive DFIR solutions and services help organizations effectively manage and mitigate cyber incidents. If you're interested in discussing how OpenText can support your DFIR needs and enhance your cybersecurity posture, reach out to us at SecurityServices@opentext.com. Our team of experts is ready to assist you in building a resilient and proactive security framework.

Co-Author: Mark Cappers is a Principal Consultant for OpenText Managed Security Services. He is a seasoned consultant with over 20 years of experience in security, networking, and computing environments. Mark has specialized in information security, contributing to the founding of the EDS GIS Security Incident Response/Forensics team and leading enterprise security projects for global clients. Since joining OpenText in 2017, he has continued his career as a digital forensics and IR practitioner. Today, Mark advises customers on e-Discovery, digital forensics, and security incident response.

The post The road to Digital Forensics and Incident Response appeared first on OpenText Blogs.

Enhancing cybersecurity with MxDR: A comprehensive approach https://blogs.opentext.com/enhancing-cybersecurity-with-mxdr-a-comprehensive-approach/ Thu, 06 Mar 2025 12:11:36 +0000 https://blogs.opentext.com/?p=999306476 Stay Ahead of Cyber Threats with OpenText

In today's rapidly evolving digital landscape, the convergence of various technologies has introduced new challenges and opportunities for cybersecurity. As organizations strive to protect their critical infrastructure and data from increasingly sophisticated cyber threats, Managed Extended Detection and Response (MxDR) solutions have emerged as a vital component of a robust cybersecurity strategy. This blog delves into the significance of MxDR for threat detection and how it can help organizations safeguard their most valuable assets.

Understanding MxDR

Managed Extended Detection and Response (MxDR) is a comprehensive cybersecurity service designed to provide continuous monitoring, detection, and response capabilities across an organization's IT environment. By integrating advanced technologies and expert services, MxDR aims to enhance the security posture of organizations, ensuring the protection of critical infrastructure and sensitive data.

MxDR solutions are not just about technology; they also encompass the expertise and experience of cybersecurity professionals who work tirelessly to protect organizations from cyber threats. These solutions combine cutting-edge tools with human intelligence to provide a holistic approach to cybersecurity. By leveraging the strengths of both technology and human expertise, MxDR solutions offer a robust defense against the ever-evolving threat landscape.

Key components of MxDR

  1. Continuous monitoring and detection: MxDR solutions offer 24/7/365 monitoring of IT networks, identifying potential threats in real-time. This proactive approach helps organizations detect and mitigate cyber threats before they can cause significant damage.
  2. Advanced threat intelligence: Leveraging global threat intelligence, MxDR solutions provide insights into emerging threats and attack vectors. This information enables organizations to stay ahead of cyber adversaries and adapt their security measures accordingly.
  3. Incident response and remediation: In the event of a cyber incident, MxDR solutions facilitate rapid response and remediation. Expert incident response teams work to contain and eradicate threats, minimizing the impact on the organization's operations.
  4. Scalability and flexibility: MxDR solutions are designed to scale with the organization's needs, providing tailored security measures that can adapt to changing environments and regulatory requirements.
  5. Operational efficiency: MxDR solutions streamline security operations and reduce the burden on internal IT teams, allowing them to focus on core business activities while ensuring robust cybersecurity measures are in place.

Benefits of implementing MxDR

  • Enhanced security posture: MxDR solutions provide comprehensive visibility into IT environments, enabling organizations to identify and address vulnerabilities effectively.
  • Proactive threat management: Continuous monitoring and advanced threat intelligence allow organizations to detect and respond to threats proactively, reducing the risk of cyber incidents.
  • Operational resilience: By ensuring the security of critical infrastructure, MxDR solutions help maintain operational continuity and resilience in the face of cyber threats.
  • Regulatory compliance: MxDR solutions assist organizations in meeting industry-specific regulatory requirements, ensuring compliance with cybersecurity standards and guidelines.
  • Resource optimization: The SaaS model of MxDR solutions allows organizations to optimize their resources, focusing on core business activities while relying on expert cybersecurity services.

Real-world validation

OpenText™ MxDR has been recognized for its outstanding performance in the MITRE Engenuity ATT&CK Evaluations for Managed Services. The evaluation highlighted OpenText's ability to detect and respond to threats with zero false positives, significantly reducing alert fatigue for security teams. This recognition underscores the effectiveness of OpenText MxDR in maintaining cyber resilience and protecting critical infrastructure.

Additionally, OpenText MxDR has been praised for its ability to reduce noise by 97% and detect 99% of threats, as demonstrated in the MITRE Engenuity ATT&CK Evaluations. This capability ensures that security teams can focus on actual security incidents rather than being overwhelmed by false positives.

A recent blog details a successful threat hunt against a ransomware group, showcasing the practical application of an MxDR solution. It describes how OpenText's threat hunters identified and mitigated a sophisticated attack using advanced threat detection techniques.

Moreover, OpenText was recently named #58 in the MSSP Alert Top 250 MSSPs for 2024. This ranking highlights OpenText's commitment to providing top-tier managed security services and underscores its position as a leader in the cybersecurity industry.

Act now

As cyber threats continue to evolve, the need for robust cybersecurity measures has never been more critical. MxDR solutions offer a comprehensive approach to protecting IT environments, providing organizations with the tools and expertise needed to safeguard their most valuable assets. By implementing MxDR, organizations can enhance their security posture, ensure operational resilience, and achieve regulatory compliance, all while optimizing their resources and reducing costs.

Don't wait until it's too late. Strengthen your cybersecurity defenses today with OpenText MxDR. Contact us to learn how we can help you stay ahead of the ever-changing threat landscape and protect your organization's future.

The post Enhancing cybersecurity with MxDR: A comprehensive approach appeared first on OpenText Blogs.

Unmasking the enemy! https://blogs.opentext.com/unmasking-the-enemy/ Fri, 20 Dec 2024 18:03:52 +0000 https://blogs.opentext.com/?p=999305406

OpenText™ Managed Extended Detection and Response (MxDR) delivers cyber resilience by threat hunting for adversary behavior. In the ever-evolving cybersecurity landscape, staying ahead of the growing number of threats is a continuous challenge. OpenText recently shared how it uses the MITRE ATT&CK framework for its threat detection and threat hunting in Understanding MITRE ATT&CK and Tidal Cyber Vendor Registry.

The hunt begins

Paul, an astute Threat Hunter with OpenText's SOC Team, was combing through logs in a customer environment when he stumbled upon a strange command line. It used a ‘Living off the Land’ technique involving the Windows executable Rundll32.exe, but this command line looked unusual compared to the others he was reviewing: the target of the command did not appear to be a DLL file. Diving deeper, Paul noticed the process was attempting a single outbound connection once per day to an IP address on a hosting network. The peculiar activity consisted of SYN packets sent repeatedly to this IP over port 443, but nothing more. To Paul, this wasn’t just random noise; it was a subtle cry for attention, a digital “ping” that resembled classic beaconing activity.

In the world of cybersecurity, beaconing often hints at trouble. It’s like a compromised machine whispering to its command-and-control (C2) server, “I’m alive! What’s next?” Paul immediately flagged the activity for deeper investigation and raised it with the end customer.

A shadowy connection

Digging into the IP, Paul unearthed some unsettling history. Seven months earlier, the IP had been linked to the notorious BianLian ransomware group, known for their stealthy operations and devastating attacks. However, recent threat intelligence reports suggested the IP was ‘clean’ and had no suspicious activity. Could this be a remnant of their infrastructure, or had the IP been repurposed?

A quick query on Shodan revealed the current state of the server: it was still exposed to the internet, with ports 22 (SSH) and 3389 (RDP) wide open—common ports for remote access.

Unveiling the intrusion

Tracing back the breadcrumbs, Paul zeroed in on two Indicators of Compromise (IOCs):

  1. The IP of the suspected C2 server.
  2. A suspicious file that was included in the unusual command line (REDACTED.log).

Both artifacts pointed to the first sign of malicious activity in the last few days. From the logs, Paul and his colleague Sourabh, another meticulous OpenText Threat Hunter, reconstructed a process tree that told a chilling story:

  1. svchost.exe had spawned an instance of wscript.exe with the command: C:\Windows\System32\WScript.exe "C:\windows\system32\REDACTED.vbs"
  2. The same wscript.exe then launched rundll32.exe with a command line pointing to the suspicious file, REDACTED.log.

There was no clear parent process for svchost.exe, but Sourabh discovered a scheduled task running at the same time:

  • Name: REDACTED
  • Path: \Microsoft\Windows\Wininet\REDACTED
  • Action: C:\Windows\system32\REDACTED.vbs

This task name had been chosen to blend in and had likely been planted by the attacker to ensure persistence. With this new finding, Paul added more IOCs to the list, all related to the Scheduled Task.
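As an added example that is not OpenText's code or part of the original post, the following Python script re-creates the three hunt signals described above (a rundll32 module that is not a DLL, the wscript.exe to rundll32.exe chain, and once-a-day low-jitter outbound connections) over constructed Sysmon-style records. All hosts, paths, IPs, timestamps and the `,Start` entry point are assumptions.

```python
"""Added hunt example (not OpenText's code): re-creates the three signals from
the story above over constructed Sysmon-style records.
  1. rundll32.exe whose module argument is not a .dll file
  2. a wscript.exe -> rundll32.exe parent/child chain
  3. once-a-day outbound connections with little jitter (beaconing)
Hosts, paths, IPs, the ',Start' entry point and timestamps are all constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed process-creation records (Sysmon Event ID 1 style fields).
PROCESS_EVENTS = [
    {"host": "ws01", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'C:\Windows\System32\WScript.exe "C:\windows\system32\REDACTED.vbs"'},
    {"host": "ws01", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\windows\system32\REDACTED.log,Start 203.0.113.10"},
    {"host": "ws02", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

# Constructed outbound-connection records (Sysmon Event ID 3 style): ws01
# reaches the same IP:443 once a day with minutes of jitter; ws02 browses
# a CDN address at irregular times.
NETWORK_EVENTS = [
    ("ws01", "203.0.113.10", 443, "2024-11-01T02:00:04"),
    ("ws01", "203.0.113.10", 443, "2024-11-02T02:01:31"),
    ("ws01", "203.0.113.10", 443, "2024-11-03T01:58:50"),
    ("ws01", "203.0.113.10", 443, "2024-11-04T02:00:12"),
    ("ws02", "198.51.100.7", 443, "2024-11-01T09:00:00"),
    ("ws02", "198.51.100.7", 443, "2024-11-01T09:03:00"),
    ("ws02", "198.51.100.7", 443, "2024-11-01T15:40:00"),
    ("ws02", "198.51.100.7", 443, "2024-11-02T11:10:00"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def rundll32_module(cmd):
    """Return the module path given to rundll32 (the first argument, before
    the ',EntryPoint' suffix), or None if this is not a rundll32 command."""
    parts = cmd.split(None, 1)
    if len(parts) < 2 or not parts[0].lower().endswith("rundll32.exe"):
        return None
    arg = parts[1].strip()
    if arg.startswith('"'):               # quoted path may contain spaces
        arg = arg[1:].split('"', 1)[0]
    else:
        arg = arg.split()[0]
    return arg.split(",", 1)[0]


def suspicious_rundll32(events):
    """Flag rundll32 launches whose module is not a .dll or whose parent is a
    script host. Returns a list of (host, reason, command line)."""
    findings = []
    for e in events:
        if not e["image"].lower().endswith("rundll32.exe"):
            continue
        module = rundll32_module(e["cmd"])
        if module and not module.lower().endswith(".dll"):
            findings.append((e["host"], "rundll32 module is not a .dll", e["cmd"]))
        parent = e["parent"].lower().rsplit("\\", 1)[-1]
        if parent in SCRIPT_HOSTS:
            findings.append((e["host"], "rundll32 spawned by " + parent, e["cmd"]))
    return findings


def find_beacons(events, min_connections=4, max_jitter_ratio=0.05):
    """Group connections per (host, dst, port), measure the gaps between them
    and report pairs whose gaps are regular (relative std-dev at or below
    max_jitter_ratio). Returns {(host, dst, port): period_in_seconds}."""
    buckets = defaultdict(list)
    for host, dst, port, ts in events:
        buckets[(host, dst, port)].append(datetime.fromisoformat(ts))
    beacons = {}
    for key, times in buckets.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter_ratio:
            beacons[key] = round(period)
    return beacons


if __name__ == "__main__":
    for host, reason, cmd in suspicious_rundll32(PROCESS_EVENTS):
        print(f"[{host}] {reason}: {cmd}")
    for (host, dst, port), period in find_beacons(NETWORK_EVENTS).items():
        print(f"[{host}] beacon to {dst}:{port} every ~{period / 3600:.1f} h")
```

On the constructed records only ws01 is reported: twice for the rundll32 launch and once as a beacon with a period of roughly 24 hours.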

Malware analysis

Paul’s next step was to analyze the contents of the file from the original command line (REDACTED.log) and the REDACTED.vbs script. Although REDACTED.log had not been found in public malware repositories, dynamic analysis revealed it was actually a malicious DLL file, as suspected. The VBScript was used to execute a function in the malicious DLL, sending parameters such as the C2 IP address. It was designed to trigger beaconing behavior via scheduled tasks, signaling to the attackers that the compromised machine was ready for further instructions.

Swift containment

Armed with the evidence, and confirming the IOCs were not being seen across other hosts in the environment, Paul and the team took immediate action to contain the threat:

  1. The REDACTED.log file was deleted.
  2. The malicious scheduled task was removed.
  3. The REDACTED.vbs script was eradicated from the system.

With the IOCs neutralized, the compromised machine was contained, and the deeper investigation and the threat hunting continued.

Conclusion

The BianLian ransomware group, likely based in Russia, has been active since June 2022, targeting various critical infrastructure sectors in the U.S. and Australia. Initially employing a double-extortion model, BianLian would encrypt victims' systems after exfiltrating data. However, since January 2024, they have shifted to primarily exfiltration-based extortion, threatening to release stolen data if ransoms are not paid. The group typically gains access through valid Remote Desktop Protocol (RDP) credentials and uses open-source tools and command-line scripting for discovery and credential harvesting. They exfiltrate data using methods such as File Transfer Protocol (FTP), Rclone, or Mega.

This incident served as a stark reminder of how even infrastructure reported clean by many online services, like an IP associated with a ransomware group many months ago, can remain a threat. Our OpenText SOC Team’s vigilance and methodical approach not only thwarted potential harm but also provided valuable insights into the evolving tactics of cyber adversaries.

The battle in cybersecurity is ongoing, but with dedicated skilled threat hunters in our OpenText MxDR Team, the defenders continue to hold the line.

The post Unmasking the enemy! appeared first on OpenText Blogs.

]]>

OpenText™ Managed Extended Detection and Response (MxDR) delivers cyber resilience using threat hunting for adversary behavior. In the ever-evolving cybersecurity landscape, staying ahead of the growing number of threats is a continuous challenge. OpenText recently shared how it uses MITRE ATT&CK framework for its threat detection and threat hunting in Understanding MITRE ATT&CK and Tidal Cyber Vendor Registry.

The hunt begins

Paul, an astute Threat Hunter with OpenText's SOC Team, was combing through logs in a customer environment when he stumbled upon a strange command line. It was using a ‘Living off the Land’ technique using Windows executable called Rundll32.exe, but this command line looked unusual compared to the others he was reviewing. The target of the command did not appear to be a DLL file. Diving deeper, Paul noticed the process was attempting a single outbound connection once per day to an IP address of a hosting network. The peculiar activity involved SYN flags being sent repeatedly to this IP over port 443, but nothing more. To Paul, this wasn’t just random noise; it was a subtle cry for attention, a digital “ping” that resembled classic beaconing activity.

In the world of cybersecurity, beaconing often hints at trouble. It’s like a compromised machine whispering to its command-and-control (C2) server, “I’m alive! What’s next?” Paul immediately flagged the activity for deeper investigation and raised it with the end customer.

A shadowy connection

Digging into the IP, Paul unearthed some unsettling history. Seven months ago, the IP was linked to the notorious Bianlian ransomware group, known for their stealthy operations and devastating attacks. However, recent threat intelligence reports suggested the IP was ‘clean’ and had no suspicious activity. Could this be a remnant of their infrastructure, or had the IP been repurposed?

A quick query on Shodan revealed the current state of the server: it was still exposed to the internet, with ports 22 (SSH) and 3389 (RDP) wide open—common ports for remote access.

Unveiling the intrusion

Tracing back the breadcrumbs, Paul zeroed in on two Indicators of Compromise (IOCs):

  1. The IP of the suspected C2 server.
  2. A suspicious file that was included in the unusual command line (REDACTED.log).

Both artifacts pointed to the first sign of malicious activity in the last few days. From the logs, Paul and his colleague Sourabh, another meticulous OpenText Threat Hunter, reconstructed a process tree that told a chilling story:

  1. svchost.exe had spawned an instance of wscript.exe with the command:C:WindowsSystem32WScript.exe "C:windowssystem32REDACTED.vbs"
  2. The same wscript.exe then launched rundll32.exe, with a command pointing to the suspicious file found in the command line; REDACTED.log.

There was no clear parent process for svchost.exe, but Sourabh discovered a scheduled task running at the same time:

  • Name: REDACTED
  • Path: MicrosoftWindowsWininetREDACTED
  • Action: C:Windowssystem32REDACTED.vbs

This task name had been chosen to blend in and had likely been planted by the attacker to ensure persistence. With this new finding, Paul added more IOCs to the list, all related to the Scheduled Task.

Malware analysis

Paul’s next step was to analyze the contents of the file from the original command line (REDACTED.log) and the REDACTED.vbs script. Although REDACTED.log had not been found in public malware repositories, dynamic analysis revealed it was actually a malicious DLL file, as suspected. The VBScript was used to execute a function in the malicious DLL, sending parameters such as the C2 IP address. It was designed to trigger beaconing behavior via scheduled tasks, signaling to the attackers that the compromised machine was ready for further instructions.

Swift containment

Armed with the evidence, and confirming the IOCs were not being seen across other hosts in the environment, Paul and the team took immediate action to contain the threat:

  1. The REDACTED.log file was deleted.
  2. The malicious scheduled task was removed.
  3. The REDACTED.vbs script was eradicated from the system.

With the IOCs neutralized, the compromised machine was contained, and the deeper investigation and the threat hunting continued.

Conclusion

The BianLian ransomware group, likely based in Russia, has been active since June 2022, targeting various critical infrastructure sectors in the U.S. and Australia. Initially employing a double-extortion model, BianLian would encrypt victims' systems after exfiltrating data. However, since January 2024, they have shifted to primarily exfiltration-based extortion, threatening to release stolen data if ransoms are not paid. The group typically gains access through valid Remote Desktop Protocol (RDP) credentials and uses open-source tools and command-line scripting for discovery and credential harvesting. They exfiltrate data using methods such as File Transfer Protocol (FTP), Rclone, or Mega.

This incident served as a stark reminder of how even infrastructure reported clean by many online services, like an IP associated with a ransomware group many months ago, can remain a threat. Our OpenText SOC Team’s vigilance and methodical approach not only thwarted potential harm but also provided valuable insights into the evolving tactics of cyber adversaries.

The battle in cybersecurity is ongoing, but with dedicated skilled threat hunters in our OpenText MxDR Team, the defenders continue to hold the line.

The post Unmasking the enemy! appeared first on OpenText Blogs.

Replaying an attack with OpenText NDR https://blogs.opentext.com/replaying-an-attack-with-opentext-ndr/ Fri, 12 Jul 2024 11:19:49 +0000 https://blogs.opentext.com/?p=999275756

In Network Detection and Response (NDR) operations, there is often a need to replay a Packet Capture (PCAP) data stream. The reasons are many, including verifying that supplied detections fire against known traffic, gathering evidence of an attack where no detections were available, or using PCAP samples to write broader detections. It is not always practical to have full “off the wire” capture infrastructure in place. Using the OpenText™ Network Detection and Response platform and an open-source tool for replaying PCAP, we can demonstrate an approach to replaying traffic into OpenText NDR.

More specifically, we will explore how to use a sample of PCAP and replay it against an existing NDR installation using the TCP Replay method.  TCP Replay is a tool used to replay network traffic from PCAP files of previously recorded traffic.  NDR is typically deployed in an environment where live capture is required, such as on-premises or cloud environments where production workloads take place.  NDR Sensors connected to their feed(s) take a copy of the data and write it to disk. NDR also sends session metadata and alerts to the back end for further analysis.  The TCP Replay method is especially useful for targeted hunts or secondary analysis which are needed whether you are updating existing detections or creating new ones.

Let's get started!

Configure sensor to receive traffic

We’ll need to choose a tunnel protocol to replay the PCAP to the sensor. In NDR, there are two tunnel protocol choices in addition to any physical capture cards that may be present: VXLAN and GRE. For the purposes of this exercise, we’ll be using VXLAN. However, the steps to configure an NDR sensor for GRE are similar: simply use the GRE configuration fields and leave the VXLAN fields blank in the sensor settings.

  • Step 1 - Navigate to the NDR Central Management Console (CMC) and log in.
  • Step 2 - Navigate to Sensors and click on the ‘Gear’ icon for the registered sensor you wish to utilize for the replay.
  • Step 3 - In the VXLAN configuration area, fill in the VXLAN ID, Destination Port, and MTU. Note this information for use later in the TCP Replay system setup.
  • Step 4 - Save the configured options by clicking the Update button directly under the VXLAN configuration box.

TCP Replay System

Next, we need to configure the TCP Replay system to “replay” the PCAP to the sensor. There are two main configurations to complete before attempting to play back the PCAP: the VXLAN tunnel, and the TCP Replay session using a PCAP you’ve already uploaded to the file system.

Step 1:

As root or using sudo, set up a VXLAN tunnel to your sensor’s IP interface with the command set below. Please note that variables have been used in these commands: replace $vxlan_id, $sensor_ip, and $dstport with the information noted in the sensor configuration above ($dstport is the Destination Port you entered there; 4789 is the IANA-assigned VXLAN port and the usual value). Replace $source_int with the Ethernet interface on the Linux system being used for TCP Replay.

  • “ip link add tun0 type vxlan id $vxlan_id dstport $dstport remote $sensor_ip dev $source_int”
  • “ip link set tun0 up”

No output is expected from each command unless an error has occurred.  You can check the tunnel’s status by running “ip link” command.

Step 2:

Check to ensure the VXLAN tunnel has been established by using: “ip link” and look for “tun0” with a status of “up”.

Step 3:

In this example, we will play back our PCAP files at 100 Mbit in an infinite loop against interface tun0. Alternatively, you may leave the replay looping and press CTRL+C when finished.

As root or using sudo:

  • “tcpreplay -i tun0 pcap.file” – This will play the file once against the VXLAN tunnel.
  • “tcpreplay -i tun0 -l 0 pcap.file” – This will play the file in a continuous loop against the VXLAN tunnel.
  • “tcpreplay -i tun0 -l 0 --mbps 100 pcap.file” – This will play the file in a continuous loop at 100 Mbit against the VXLAN tunnel.

Step 4:

Return to the CMC’s interface and you should see the expected data in the Alerts and Metadata data streams area. Ensure that you have a baseline data tuning policy and metadata generation enabled, and that any Suricata signatures you wish to test are in place.
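A preflight check worth running before Step 3 of the replay, as an added Python example (not OpenText's or tcpreplay's own code): it parses the classic libpcap format, compares the largest captured frame with the MTU the kernel assigns tun0 (the underlay MTU minus the 50-byte VXLAN-over-IPv4 overhead, which is why the sensor's MTU field matters), flags records truncated at capture time, and assembles the tcpreplay command line used above. The sample pcap inside is constructed, and all function names are mine.

```python
"""Preflight for replaying a pcap into an NDR sensor over the VXLAN tunnel.

Added example, not OpenText's or tcpreplay's own code. Checks the largest
frame against tun0's MTU, flags truncated records, and builds the tcpreplay
command line from the post.
"""
import struct
from dataclasses import dataclass

# VXLAN-over-IPv4 overhead (RFC 7348): outer Ethernet 14 + IPv4 20 + UDP 8
# + VXLAN header 8. The kernel subtracts it from the underlay MTU when the
# tunnel is created with "dev $source_int", so tun0 on a 1500-byte NIC is 1450.
VXLAN_OVERHEAD_IPV4 = 14 + 20 + 8 + 8
ETHERNET_HEADER = 14          # an interface MTU excludes the frame's own L2 header
LINKTYPE_ETHERNET = 1

# libpcap magic numbers: microsecond/nanosecond timestamps, either byte order.
_MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
           b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}


@dataclass
class PcapSummary:
    packets: int
    max_caplen: int   # largest captured frame, L2 header included
    truncated: int    # records whose caplen is below the original wire length
    linktype: int


def summarize_pcap(data: bytes) -> PcapSummary:
    """Walk every record of a classic pcap file held in memory."""
    if len(data) < 24:
        raise ValueError("not a pcap file: global header too short")
    endian = _MAGICS.get(data[:4])
    if endian is None:
        if data[:4] == b"\x0a\x0d\x0d\x0a":
            raise ValueError("pcapng input is not handled by this checker")
        raise ValueError("unknown pcap magic %r" % data[:4])
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    _, _, _, _, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    offset, packets, max_caplen, truncated = 24, 0, 0, 0
    while offset + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + caplen > len(data):
            raise ValueError("record %d runs past the end of the file" % (packets + 1))
        offset += caplen
        packets += 1
        max_caplen = max(max_caplen, caplen)
        if caplen < origlen:
            truncated += 1
    if offset != len(data):
        raise ValueError("trailing bytes after the last record")
    return PcapSummary(packets, max_caplen, truncated, linktype)


def tunnel_mtu(underlay_mtu: int) -> int:
    """MTU the kernel assigns tun0 for a VXLAN tunnel over an IPv4 underlay."""
    return underlay_mtu - VXLAN_OVERHEAD_IPV4


def frame_fits(frame_len: int, tun_mtu: int) -> bool:
    """True when a captured frame can leave tun0 without EMSGSIZE or truncation."""
    return frame_len - ETHERNET_HEADER <= tun_mtu


def tcpreplay_argv(pcap_path: str, iface: str = "tun0",
                   loop_forever: bool = False, mbps: int = 0) -> list:
    """Build the command line from the post: -l 0 loops forever, --mbps caps the rate."""
    argv = ["tcpreplay", "-i", iface]
    if loop_forever:
        argv += ["-l", "0"]
    if mbps < 0:
        raise ValueError("mbps must not be negative")
    if mbps:
        argv += ["--mbps", str(mbps)]
    return argv + [pcap_path]


def preflight(data: bytes, underlay_mtu: int) -> list:
    """Return the problems that would make the replay misleading; empty means go."""
    s = summarize_pcap(data)
    problems = []
    if s.linktype != LINKTYPE_ETHERNET:
        problems.append("linktype %d is not Ethernet; the tunnel carries Ethernet frames" % s.linktype)
    if s.truncated:
        problems.append("%d of %d records were truncated at capture time; the sensor will "
                        "see cut-off sessions" % (s.truncated, s.packets))
    mtu = tunnel_mtu(underlay_mtu)
    if not frame_fits(s.max_caplen, mtu):
        problems.append("largest frame is %d bytes but tun0 MTU is %d: raise the underlay MTU "
                        "or pre-shrink the pcap with tcprewrite --mtu-trunc" % (s.max_caplen, mtu))
    return problems


def build_sample_pcap() -> bytes:
    """Constructed three-record little-endian pcap for offline use (not real traffic)."""
    header = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b""
    for caplen, origlen in ((60, 60), (1514, 1514), (96, 1514)):   # third one is truncated
        records += struct.pack("<IIII", 0, 0, caplen, origlen) + b"\x00" * caplen
    return header + records
```

Run `preflight(open("pcap.file", "rb").read(), 1500)` against your own capture before replaying; a full-size 1514-byte frame does not fit a tun0 built on a 1500-byte NIC, so either use a jumbo-frame underlay or accept truncation.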

The above has demonstrated how to utilize OpenText NDR to replay and ingest PCAP. This is extremely useful for lab environments, for writing custom detections, and for investigating traffic generated from third-party platforms. In a future blog, we will explore a backtesting sensor appliance which simplifies this process greatly!

OpenText Cybersecurity Services are available to advise, guide and assist with Network Detection and Response, tuning and optimizing detection capabilities, and threat hunting activities. Contact our team today for help with your NDR solution.

The post Replaying an attack with OpenText NDR appeared first on OpenText Blogs.

Understanding MITRE ATT&CK and Tidal Cyber Vendor Registry https://blogs.opentext.com/understanding-mitre-attck-and-tidal-cyber-vendor-registry/ Thu, 13 Jun 2024 12:18:36 +0000 https://blogs.opentext.com/?p=123403

In the ever-evolving cybersecurity landscape, staying ahead of the growing number of threats is a continuous challenge. Two critical resources in this fight are the MITRE ATT&CK framework and the Tidal Cyber Vendor Registry. These platforms provide invaluable insights and tools to help organizations fortify their cyber defenses against attackers. This Tidal Cyber LinkedIn post announces a new addition to the Tidal Vendor Registry: OpenText™.

What is MITRE ATT&CK?

The MITRE ATT&CK framework is a comprehensive and dynamic knowledge base of cyber adversary tactics and techniques based on real-world observations. ATT&CK, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is designed to help organizations understand and mitigate the various strategies used by cybercriminals.

Key components of MITRE ATT&CK:

  1. Tactics: The high-level objectives of an adversary, such as gaining initial access to a network or exfiltrating data. There are 14 Adversary Tactics in the framework.
  2. Techniques: The specific methods used to achieve these objectives, like spear phishing (an attack specifically targeting an individual or entity) or command-and-control (also referenced as a C2).
  3. Procedures: The detailed, real-world behaviors that adversaries use to carry out their attacks.

MITRE ATT&CK is widely used by cybersecurity professionals to develop threat models and methodologies, enhance defensive capabilities, and conduct red teaming exercises. By understanding the behaviors and methodologies of attackers, organizations can better anticipate and thwart malicious activities.

OpenText MxDR (Managed Extended Detection & Response) uses MITRE ATT&CK-based detection capabilities as an additional defense layer against advanced persistent threats that evade other cybersecurity controls and technology. In the OilRig 2022 evaluation, OpenText MxDR showcased its ability to use adversary Tactics, Techniques and Procedures (TTPs) to detect 100% of the simulated attacker's objectives while delivering zero false positives, the only vendor to achieve this outcome.

Introducing the Tidal Cyber Vendor Registry

The Tidal Cyber Vendor Registry is a powerful resource that complements the MITRE ATT&CK framework by providing a comprehensive directory of cybersecurity vendors and their capabilities. This registry helps organizations navigate the complex ecosystem of cybersecurity products and services, making it easier to identify and implement solutions that address specific threats.

How the Tidal Cyber Vendor Registry works

The Tidal Cyber Vendor Registry categorizes vendors based on their products' alignment with the MITRE ATT&CK framework. This alignment helps organizations quickly identify which vendors provide solutions that can help detect, prevent, and respond to specific tactics and techniques used by cyber adversaries. By mapping vendor capabilities to the ATT&CK framework, Tidal Cyber offers a clear and structured way to assess and compare different cybersecurity solutions.

OpenText joins the Tidal Cyber Vendor Registry

We are excited to announce that OpenText Cybersecurity has been added to the Tidal Cyber Vendor Registry, with publication of ATT&CK coverage provided by OpenText MxDR's behavioral analytics. This inclusion signifies OpenText's commitment to providing top-tier detection and response services using its own capabilities combined with industry leading technology.

OpenText’s addition to the registry highlights its significant contributions to the cybersecurity landscape. Our MxDR service, recognized for its robust capabilities, exemplifies OpenText's dedication to enhancing cybersecurity defenses.

OpenText’s MITRE ATT&CK capabilities

OpenText's MxDR service is designed to provide continuous monitoring, advanced threat detection and incident response. It leverages a combination of artificial intelligence (AI), machine learning (ML), and expert human analysis to identify and mitigate threats. The service's alignment with the MITRE ATT&CK framework ensures that it addresses the full spectrum of adversary tactics and techniques, providing organizations with a holistic defense strategy.

Key features of OpenText MxDR

  • Real-time Threat Detection: Utilizes AI and ML to identify threats quickly and accurately against the MITRE ATT&CK framework and the Cyber Kill Chain.
  • Managed EDR: Partners with leading Endpoint Detection and Response (EDR) solutions, like Microsoft Defender for Business or SentinelOne, to ensure defense coverage at the endpoint.
  • Incident Response: Provides expert guidance and support to respond to and recover from cyber incidents.
  • Continuous Monitoring: Ensures that threats are detected and mitigated 24/7.
  • Comprehensive Reporting: Delivers detailed insights and analytics to help organizations understand their threat landscape.

OpenText's inclusion in the Tidal Cyber Vendor Registry allows organizations to easily find and evaluate their advanced security solutions, ensuring they have the necessary tools to defend against sophisticated cyber threats. It also marks a significant step forward in the collective effort to enhance cybersecurity defenses.

The recognition of OpenText as a leader in detection and response, by two leading analyst firms this year, underscores our commitment to the importance of robust, comprehensive cybersecurity measures in today's digital world. As cyber threats continue to evolve, resources like MITRE ATT&CK and the Tidal Cyber Vendor Registry will remain essential tools in the ongoing battle to secure our digital future.

Learn more about OpenText's cybersecurity products and services, including MxDR.

The post Understanding MITRE ATT&CK and Tidal Cyber Vendor Registry appeared first on OpenText Blogs.

Are you ready for a cyberattack? https://blogs.opentext.com/incident-response-simulation-gets-you-ready-for-cyberattack/ Tue, 04 Jun 2024 14:30:38 +0000 https://blogs.opentext.com/?p=123405

In today's digital age, cybersecurity threats are an ever-present danger for organizations of all sizes. While sophisticated technology solutions are critical in defending against cyber threats, they are only part of the equation. Cybersecurity is not just about having the right tools; it's also about having the right people and processes in place. This is where Tabletop Exercises (or incident response simulations) come into play. These exercises are essential for preparing your organization to effectively respond to a cyberattack. But the question remains: are you ready?

The crucial role of people and processes in cybersecurity

Before diving into the specifics of tabletop exercises, it’s important to understand that cybersecurity extends beyond technology. A robust cybersecurity strategy encompasses people, processes, and technology. Even the most advanced security systems can be rendered ineffective without a well-prepared team with clear processes.

When a cyberattack occurs, the immediate and coordinated response of your team can make the difference between a minor incident and a major catastrophe that catapults your brand into the headlines of news outlets for all the wrong reasons. This is why incident response plans must be regularly tested and refined. Tabletop Exercises provide a structured environment where teams can practice their response to various threats, ensuring they are ready when an actual attack strikes.

Tabletop Exercises: goals and benefits

Tabletop exercises by OpenText™ are designed with four primary goals in mind, each contributing to a stronger, more resilient organization.

Goal 1: Readiness when a cyberattack strikes

The primary goal of Tabletop Exercises is to ensure readiness. By simulating a cyberattack, organizations can evaluate how well their incident response plan holds up under pressure. These exercises help identify gaps in the plan and areas for improvement. Being ready means that when a real attack happens, your team will know exactly what to do, reducing the response time and mitigating the damage.

Goal 2: Knowledge of roles for faster response

In the heat of a cyberattack, confusion and uncertainty can lead to delays and mistakes. Tabletop exercises ensure that everyone involved in the response knows their specific roles and responsibilities. More importantly, they also understand the overall responsibilities of each contributor in the response. By practicing these roles in a controlled setting, team members gain confidence and clarity. This knowledge leads to a faster, more efficient response, minimizing the impact of the attack.

Goal 3: Promote security awareness

Cybersecurity is everyone’s responsibility. Tabletop Exercises promote a culture of security awareness throughout the organization. By involving different departments and roles in the exercises, employees understand the importance of cybersecurity and their part in maintaining it. This heightened awareness helps prevent incidents from occurring in the first place and ensures a collective effort in responding to threats.

Goal 4: Meet regulatory compliance and industry standards

Compliance with regulatory requirements and industry standards is not optional. Many regulations, such as GDPR and CCPA, mandate that organizations have effective incident response plans and conduct regular testing. Tabletop Exercises help meet these requirements by providing documented evidence of your organization’s commitment to cybersecurity. They demonstrate that your organization takes cybersecurity seriously and is prepared to handle incidents in a compliant manner.

Realizing Tabletop Exercises benefits

Tabletop Exercises are a critical component of a comprehensive cybersecurity strategy. They prepare your team, enhance security awareness, and ensure compliance with regulations. However, the true value of these exercises lies in their ability to turn plans into actions. When your team is well-prepared, they can respond quickly and effectively, reducing the potential damage and costs associated with cyberattacks.

Are you confident that your organization is ready to face a cyberattack? If you haven’t conducted a Tabletop Exercise recently, now is the time to act. OpenText offers comprehensive Tabletop Exercises that are tailored to your organization’s needs. These exercises will help you train, test, and exercise your incident response plan, ensuring that you are prepared for any cyber threat that comes your way.

Learn more about how Tabletop Exercises can benefit your organization:

Don’t wait for a cyberattack to expose the weaknesses in your incident response plan. Take proactive steps today to ensure your organization is ready. Invest in Tabletop Exercises and build a resilient cybersecurity posture that can withstand the test of time and threats.

Are you ready? Your organization’s security depends on it. Talk to us today.

The post Are you ready for a cyberattack? appeared first on OpenText Blogs.

Cybersecurity Services combat an APT with NDR https://blogs.opentext.com/cybersecurity-services-combat-an-apt-with-ndr/ Thu, 28 Mar 2024 15:55:42 +0000 https://blogs.opentext.com/?p=122645 Blue shield padlock indicating cyber security

Attackers linked to Iran and China are actively targeting critical infrastructure. Both the U.S. Environmental Protection Agency and the National Security Agency have requested that each U.S. state carry out comprehensive assessments of its cybersecurity services and practices.

Critical infrastructure, such as water treatment plants, needs to defend against attacks that are visible only at the network level (e.g. DNS exfiltration, SCADA control traffic, domain generation algorithm (DGA) traffic), and therefore needs an additional layer of security that would be missed by relying only on endpoint protection (e.g. antivirus) or endpoint detection and response (EDR).

Not only critical infrastructure operators with complex IoT and OT (Operational Technology) environments, but all organizations strive to fortify their digital perimeters and safeguard their operations and sensitive information. The demand for advanced solutions has never been higher. Enter OpenText™, a trailblazing force in the realm of cybersecurity, with its cutting-edge Network Detection and Response (NDR).

In this age of sophisticated cyber threats, traditional security measures often fall short in providing real-time insights and proactive defensive mechanisms. OpenText has emerged as a beacon of innovation, offering a robust and dynamic approach to threat detection and response by monitoring the network layer of an organization for attacker behavior.

OpenText NDR top 3 capabilities

  1. Packet capture and analysis: The solution captures and analyzes network packets in real time, enabling deep inspection of network traffic for signs of malicious activity. This granular visibility is crucial for understanding the nature of threats.
  2. Incident response: The solution facilitates rapid incident response by providing actionable insights and alerts. Security teams can quickly assess, collect, and work to mitigate threats to minimize the impact of potential security incidents.
  3. Integration with OpenText MxDR: Seamless integration with OpenText MxDR enables better correlation and analysis of network security events with other MxDR security data, providing a more comprehensive cyber resilience and overall security posture.

Defending against Advanced Persistent Threats (APT)

A leading financial investment management organization put their security posture to the test and OpenText stood out as the sole solution that detected an unannounced advanced red team exercise.

OpenText NDR is one of many security layers that protect the data and operations of this financial organization. OpenText was the sole control that detected the activities of a rogue endpoint introduced into the customer’s network during the penetration test. The exercise used various protocols and methods, including SMB for lateral movement, Kerberos spraying, and SIP- and RDP-based attacks. NDR detected all of these tactics and techniques, using a platform that had been optimized and managed for the customer.

White glove solutions

OpenText Professional Services worked with the customer’s Network Security Engineering Team to integrate and configure the solution to provide actionable alerts. Our Technical Account Manager (TAM) program ensures smooth operations and optimized value, meeting the cybersecurity objectives of the organization. The OpenText TAM further provides customers with proactive issue resolution, tailored solution deployment, ongoing knowledge transfer, technological evolution planning, advocacy, continuous improvement, and time and resource savings. The TAM continues to adapt the OpenText NDR deployment to new threats: crafting custom Suricata and Zeek detections, tuning rulesets from the cybersecurity research organization Emerging Threats Pro (ETP) alongside those custom detections, and verifying optimal platform operation and deployment configuration as the cyber threat landscape continues to evolve.
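As an added illustration, not OpenText's own code, of the kind of network-layer detection that custom Zeek rules aim at, the following Python flags Kerberos spraying from constructed Zeek kerberos.log records: one source IP collecting pre-authentication failures for many different principals inside a short window. Column names follow Zeek's kerberos.log; the window and threshold values are assumptions.

```python
"""Flag Kerberos password spraying in Zeek kerberos.log records.

On the wire, spraying looks like one client IP sending AS-REQs for many
different principals and collecting pre-authentication failures. A user
mistyping a password has the opposite shape: repeated failures for one
principal. Illustrative detection only, not OpenText's own code.
"""
from collections import defaultdict

# Constructed Zeek kerberos.log excerpt (TSV). The #fields header drives
# the parser, so column order does not matter.
SAMPLE_KERBEROS_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trequest_type\tclient\tservice\tsuccess\terror_msg
1711640000.1\tC1\t10.20.30.40\t50001\t10.0.0.5\t88\tAS\talice/CORP.EXAMPLE\tkrbtgt/CORP.EXAMPLE\tF\tKDC_ERR_PREAUTH_FAILED
1711640003.2\tC2\t10.20.30.40\t50002\t10.0.0.5\t88\tAS\tbob/CORP.EXAMPLE\tkrbtgt/CORP.EXAMPLE\tF\tKDC_ERR_PREAUTH_FAILED
1711640006.4\tC3\t10.20.30.40\t50003\t10.0.0.5\t88\tAS\tcarol/CORP.EXAMPLE\tkrbtgt/CORP.EXAMPLE\tF\tKDC_ERR_PREAUTH_FAILED
1711640009.0\tC4\t10.20.30.40\t50004\t10.0.0.5\t88\tAS\tdave/CORP.EXAMPLE\tkrbtgt/CORP.EXAMPLE\tF\tKDC_ERR_C_PRINCIPAL_UNKNOWN
1711640012.5\tC5\t10.20.30.40\t50005\t10.0.0.5\t88\tAS\terin/CORP.EXAMPLE\tkrbtgt/CORP.EXAMPLE\tF\tKDC_ERR_PREAUTH_FAILED
1711640015.8\tC6\t10.20.30.40\t50006\t10.0.0.5\t88\tAS\tfrank/CORP.EXAMPLE\tkrbtgt/CORP.EXAMPLE\tF\tKDC_ERR_PREAUTH_FAILED
1711640020.0\tC7\t10.20.30.77\t50007\t10.0.0.5\t88\tAS\tgrace/CORP.EXAMPLE\tkrbtgt/CORP.EXAMPLE\tF\tKDC_ERR_PREAUTH_FAILED
1711640025.0\tC8\t10.20.30.77\t50008\t10.0.0.5\t88\tAS\tgrace/CORP.EXAMPLE\tkrbtgt/CORP.EXAMPLE\tF\tKDC_ERR_PREAUTH_FAILED
1711640030.0\tC9\t10.20.30.77\t50009\t10.0.0.5\t88\tAS\tgrace/CORP.EXAMPLE\tkrbtgt/CORP.EXAMPLE\tT\t-
1711640031.0\tC10\t10.20.30.40\t50010\t10.0.0.5\t88\tTGS\tfrank/CORP.EXAMPLE\tcifs/fs01.corp.example\tT\t-
"""

# Error codes a spraying tool collects: wrong password or unknown user.
FAILURE_CODES = {"KDC_ERR_PREAUTH_FAILED", "KDC_ERR_C_PRINCIPAL_UNKNOWN"}


def parse_zeek_tsv(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def detect_kerberos_spraying(records, window_s=300, min_principals=5):
    """Return {source IP: sorted principals tried} for every source that
    received AS-REQ failures for >= min_principals distinct principals
    inside any window_s-second window (both thresholds are assumptions)."""
    failures = defaultdict(list)  # orig_h -> [(ts, principal)]
    for r in records:
        if r["request_type"] == "AS" and r["error_msg"] in FAILURE_CODES:
            failures[r["id.orig_h"]].append((float(r["ts"]), r["client"]))
    hits = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in window_s.
            while events[end][0] - events[start][0] > window_s:
                start += 1
            distinct = {p for _, p in events[start:end + 1]}
            if len(distinct) >= min_principals:
                hits[src] = sorted({p for _, p in events})
                break
    return hits


if __name__ == "__main__":
    for src, principals in detect_kerberos_spraying(
            parse_zeek_tsv(SAMPLE_KERBEROS_LOG)).items():
        print(f"possible Kerberos spraying from {src}: {principals}")
```

In the sample, 10.20.30.40 trips the rule (six principals in 16 seconds) while 10.20.30.77, a single user failing twice before succeeding, does not.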

Fully managed services

OpenText delivers NDR as traditional on-premises managed software or as a fully outsourced managed service, providing its advanced NDR platform bundled with expert security operations support that is tailored to each customer. Customers choose between a Technical Account Manager program approach and a Managed Security Service, outsourcing their threat detection and response to OpenText. OpenText MxDR augmented with our cutting-edge NDR provides customers with a People + Process + Technology solution to defend their organizations.

How can we help?

Ready to harness unparalleled network visibility to efficiently hunt for and defend against threats? OpenText Cybersecurity Services will be your guide to cyber resilience. Learn more, or contact us today.

Co-Author: Kevin Simpson is a Principal Consultant with the OpenText Cybersecurity Services team specializing in Network Detection and Response. Kevin has more than 10 years’ experience in cybersecurity engineering and consulting. Kevin is a lead Technical Account Manager (TAM) for military defense, government and financial sector customers.

The post Cybersecurity Services combat an APT with NDR appeared first on OpenText Blogs.

]]>
Strengthening Higher Education Institutions against evolving cyberthreats https://blogs.opentext.com/strengthening-higher-education-institutions-against-evolving-cyberthreats/ Wed, 24 Jan 2024 18:45:10 +0000 https://blogs.opentext.com/?p=68581

As cyberthreats continue to evolve, it is crucial for higher education institutions and universities to be vigilant. Enforcing security strategies prudently designed to safeguard digital assets and the integrity of their academic research provides better cyber resilience.

The education sector has become a prime target for attackers due to the vast amount of sensitive data, including personal information of students and staff. Hackers may also find a lucrative opportunity in stolen research findings, intellectual property, and financial records from higher education institutions.

Another point worth noting is the increased attack surface created by the multitude of transitory users and devices connected to the network. This exposure sets the stage for cyber criminals looking for an opportunity to exploit more susceptible targets. With limited resources dedicated to cybersecurity, the education sector is in a constant race against the tactics of attackers while tackling the challenge of evolving cyberthreats.

The education sector often struggles to evade compromises to their sensitive data and disruptions to their operations caused by:

  • Data leaks
  • Ransomware
  • Phishing
  • DDoS attacks
  • Software vulnerabilities
  • Insider threats
  • IoT risks

Attacks on schools, universities, and other education organizations rose from January 2021 to September 2023, peaking at 32 reported attacks in June 2023. Ransomware groups such as Vice Society and Rhysida, whose attacks have historically focused on education sector entities, are major contributors to this rise.

It is critical that the educational sector adopt a holistic cybersecurity approach that protects data and people through robust network security measures and proactive threat detection, safeguarding their digital infrastructure. Here are a few recommendations:

  • Multi-Factor Authentication (MFA): Add an extra layer of security by enforcing MFA for access to sensitive systems, so that the threat is mitigated even if login credentials are compromised.
  • Penetration Testing and Vulnerability Scanning: Stay ahead by using periodic third-party assessments to identify vulnerabilities in the network, systems, and applications, and remediate any gaps promptly.
  • Monitor Network Traffic: Install firewalls and intrusion detection/prevention systems, and segment networks to ensure network safety. Deploy network detection capabilities to promptly identify any unusual patterns that may indicate a security threat and remediate the situation.
  • Table Top Exercises: Conduct drills to ensure the effectiveness of the Incident Response plan and to ensure the entire organization is familiar with it.
  • Endpoint Protection: Enforce mandatory deployment of robust antivirus and anti-malware solutions on all devices, including computers, laptops, and mobile devices connected to the university network.
  • Data Encryption and Backups: Encrypt sensitive data to protect against unauthorized use, and perform regular backups of critical data to ensure its availability in case of an incident.
  • Access Controls: Regularly review and update access permissions so that users only have access to the information and resources applicable to their roles, implementing the principle of least privilege.
  • Patches and Updates: Maintain a process for timely software updates and patches. Use attack surface management to reduce the attack surface.
  • Awareness and Training: Ensure that students, faculty, and other staff are aware of the devastating effects of phishing scams, social engineering, etc.

[Image: slide showing that OpenText is a global leader in cybersecurity, with statistics and capabilities by security product type.]

OpenText™ Cybersecurity Services

With over US$1B in cybersecurity revenues and 800,000 customers, OpenText is a market leader and delivers a comprehensive portfolio of software products and services. With expertise in Risk & Compliance, Digital Forensics & Incident Response, and Managed Security Services, we are the trusted partner for our many customers on their Cyber Resilience journey.

Our approach is unique in the market. We pride ourselves as leaders in Information Management and we approach cyber from that lens, to help improve cybersecurity postures with greater visibility, maturity and readiness.

To learn more about how OpenText Security Consulting Services guide customers through Table Top Exercises and assist with world-class cybersecurity operations centers, visit Security Services.


Co-Author: Rajam Nair is a Service Program Manager for OpenText Managed Security Services customers. As a seasoned senior member of the practice, Rajam brings in-depth expertise in Security Operations and Artificial Intelligence to drive excellence in service delivery and customer satisfaction. Rajam ensures precise and outcome-driven oversight of our customers' cyber resilience programs, emphasizing meticulous governance to achieve optimal results.

The post Strengthening Higher Education Institutions against evolving cyberthreats appeared first on OpenText Blogs.

]]>