Search results

Security Policy Management with Professor Wool Managing Business Application Connectivity Managing Business Application Connectivity is a whiteboard-style series of lessons that examine the challenges of and provide technical tips for provisioning and decommissioning application connectivity across enterprise networks and data centers. Lesson 1 In this lesson, Professor Wool examines the challenges of managing data center applications and their connectivity requirements. Professor Wool also offers tips for bridging the gap between application owners and network and security teams - to ensure faster, more secure deployment, maintenance and decommissioning of critical applications. Examining the Need for Application-Centric Security Policy Management Watch Lesson 2 In this lesson, Professor Wool discusses how to look at and prioritize network security vulnerabilities in a new way - from the perspective of the business applications in your data center. How to Prioritize Risk from the Business Perspective Watch Lesson 3 In this lesson, Professor Wool examines how to leverage firewall rules for discovering the connectivity requirements of data center applications. Tips to Discover Business Application Connectivity Requirements Watch Lesson 4 In this lesson, Professor Wool examines the challenges of decommissioning business applications and offers recommendations for improving security without impacting network operations by removing firewall rules that are no longer in use. Tips for Secure Decommissioning of Business Applications Watch Lesson 5 How to Automatically Identify Business Application Connectivity Needs from Network Traffic Watch Lesson 6 The Different Data Sources for Application Connectivity Discovery Watch Lesson 7 How to Aggregate Network Flows Into Application Flows Watch Lesson 8 The Benefits of Mapping Firewall Rules to Business Applications Watch Have a Question for Professor Wool? Ask him now Choose a better way to manage your network Choose a better way to manage your network Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

Avishai Wool, CTO at AlgoSec, analyses the recent Facebook outage and the risks all organizations face in network configuration Social... Cyber Attacks & Incident Response The Facebook outage and network configuration Prof. Avishai Wool 2 min read Prof. Avishai Wool Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 10/6/21 Published Avishai Wool, CTO at AlgoSec, analyses the recent Facebook outage and the risks all organizations face in network configuration Social media giant Facebook was involved in a network outage on the 4th October 2021 that lasted for nearly six hours and took its sister platforms Instagram and WhatsApp offline. As the story developed, it became apparent that the incident was caused by a configuration issue within Facebook’s BGP (Border Gateway Protocol), one of the systems that the internet uses to get your traffic where it needs to go as quickly as possible. The outage also cut off the company’s internal communications, along with authentication to third-party services including Google and Zoom. Some reports suggested security passes went offline, which stopped engineers from entering the building to physically reset the data center. The impact was felt worldwide, with Downdetector recording more than 10 million problem reports, the largest number for one single incident. Facebook released an official statement following the outage stating: “Our engineering teams learned that configuration changes on the backbone routers that coordinate network traffic between our data centers caused issues that interrupted this communication.” While Facebook has assured its users that no data has been lost in this process, the outage is a stark reminder of how small configuration errors can have huge, far-reaching consequences. The fundamentals of application availability At the fundamental level, Facebook suffered from a lack of application availability. When a change was actioned, it caused a major chain reaction that ultimately wiped Facebook and its related services from the internet because they couldn’t see the entire lifecycle of that change and the impact it would have. To avoid an incident like this in the future, organizations should consider a few simple steps: Back up configuration files to allow for rollbacks should an issue arise Use a test system alongside live processes to run scenarios without causing any disruptions Retain low-tech alternatives to guarantee access to the network if the primary route fails The outages across Facebook’s infrastructure highlight the operational risks all organizations face around faulty configuration changes which can drastically impact application availability. Intelligent automation, thorough change management and proactive checks are key to avoid these outages. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

The AlgoSec Technology Theater at RSA 2026 Step inside. See application-centric security in action. Walk away with clarity — and maybe $100. DATE March 24–25, 2026 Booth 1649 Location Moscone Center RSA is loud. Your calendar is packed. The conversations blur together. Take 20 minutes to step into the AlgoSec Technology Theater and see how application-centric security transforms network complexity into business clarity. Join us for live presentations for presentations from AlgoSec on our Horizon Platform. Gain application-centric visibility across hybrid and cloud Align network risk to business impact Automate safe, compliant change Reduce manual effort and reclaim valuable time Presentation Times Tuesday, March 24: 11:00 AM | 1:00 PM | 3:00 PM Wednesday, March 25: 11:00 AM | 1:00 PM | 3:00 PM At each session, we’ll be raffling off a $100 Amazon gift card — you must be present to win. Reserve your seat now and secure your spot in one of our limited theater sessions. Book a meeting with an AlgoSec expert Email* First name* Last name* Company* country* Select country... Select Date...* Select Date... Select Time...* Select Time... Not attending RSA? Book a virtual Clarity Session By submitting this form I agree to receive relevant marketing material from AlgoSec, subject to its privacy policy Register Now Thank you for registering! We look forward to meeting you at the event.

Top 5 misconfigurations to avoid for robust security Multi-cloud environments have become the backbone of modern enterprise IT, offering unparalleled flexibility, scalability, and access to a diverse array of innovative services. This distributed architecture empowers organizations to avoid vendor lock-in, optimize costs, and leverage specialized functionalities from different providers. However, this very strength introduces a significant challenge: increased complexity in security... Cloud Security 5 Multi-Cloud Environments Iris Stein 2 min read Iris Stein Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 6/23/25 Published Top 5 misconfigurations to avoid for robust security Multi-cloud environments have become the backbone of modern enterprise IT, offering unparalleled flexibility, scalability, and access to a diverse array of innovative services. This distributed architecture empowers organizations to avoid vendor lock-in, optimize costs, and leverage specialized functionalities from different providers. However, this very strength introduces a significant challenge: increased complexity in security management. The diverse security models, APIs, and configuration nuances of each cloud provider, when combined, create a fertile ground for misconfigurations. A single oversight can cascade into severe security vulnerabilities, lead to compliance violations, and even result in costly downtime and reputational damage. At AlgoSec, we have extensive experience in navigating the intricacies of multi-cloud security. Our observations reveal recurring patterns of misconfigurations that undermine even the most well-intentioned security strategies. To help you fortify your multi-cloud defences, we've compiled the top five multi-cloud misconfigurations that organizations absolutely must avoid. 1. Over-permissive policies: The gateway to unauthorized access One of the most pervasive and dangerous misconfigurations is the granting of overly broad or permissive access policies. In the rush to deploy applications or enable collaboration, it's common for organizations to assign excessive permissions to users, services, or applications. This "everyone can do everything" approach creates a vast attack surface, making it alarmingly easy for unauthorized individuals or compromised credentials to gain access to sensitive resources across your various cloud environments. The principle of least privilege (PoLP) is paramount here. Every user, application, and service should only be granted the minimum necessary permissions to perform its intended function. This includes granular control over network access, data manipulation, and resource management. Regularly review and audit your Identity and Access Management (IAM) policies across all your cloud providers. Tools that offer centralized visibility into entitlements and highlight deviations can be invaluable in identifying and rectifying these critical vulnerabilities before they are exploited. 2. Inadequate network segmentation: Lateral movement made easy In a multi-cloud environment, a flat network architecture is an open invitation for attackers. Without proper network segmentation, a breach in one part of your cloud infrastructure can easily lead to lateral movement across your entire environment. Mixing production, development, and sensitive data workloads within the same network segment significantly increases the risk of an attacker pivoting from a less secure development environment to a critical production database. Effective network segmentation involves logically isolating different environments, applications, and data sets. This can be achieved through Virtual Private Clouds (VPCs), subnets, security groups, network access control lists (NACLs), and micro-segmentation techniques. The goal is to create granular perimeters around critical assets, limiting the blast radius of any potential breach. By restricting traffic flows between different segments and enforcing strict ingress and egress rules, you can significantly hinder an attacker's ability to move freely within your cloud estate. 3. Unsecured storage buckets: A goldmine for data breaches Cloud storage services, such as Amazon S3, Azure Blob Storage, and Google Cloud Storage, offer incredible scalability and accessibility. However, their misconfiguration remains a leading cause of data breaches. Publicly accessible storage buckets, often configured inadvertently, expose vast amounts of sensitive data to the internet. This includes customer information, proprietary code, intellectual property, and even internal credentials. It is imperative to always double-check and regularly audit the access controls and encryption settings of all your storage buckets across every cloud provider. Implement strong bucket policies, restrict public access by default, and enforce encryption at rest and in transit. Consider using multifactor authentication for access to storage, and leverage tools that continuously monitor for publicly exposed buckets and alert you to any misconfigurations. Regular data classification and tagging can also help in identifying and prioritizing the protection of highly sensitive data stored in the cloud. 4. Lack of centralized visibility: Flying blind in a complex landscape Managing security in a multi-cloud environment without a unified, centralized view of your security posture is akin to flying blind. The disparate dashboards, logs, and security tools provided by individual cloud providers make it incredibly challenging to gain a holistic understanding of your security landscape. This fragmented visibility makes it nearly impossible to identify widespread misconfigurations, enforce consistent security policies across different clouds, and respond effectively and swiftly to emerging threats. A centralized security management platform is crucial for multi-cloud environments. Such a platform should provide comprehensive discovery of all your cloud assets, enable continuous risk assessment, and offer unified policy management across your entire multi-cloud estate. This centralized view allows security teams to identify inconsistencies, track changes, and ensure that security policies are applied uniformly, regardless of the underlying cloud provider. Without this overarching perspective, organizations are perpetually playing catch-up, reacting to incidents rather than proactively preventing them. 5. Neglecting Shadow IT: The unseen security gaps Shadow IT refers to unsanctioned cloud deployments, applications, or services that are used within an organization without the knowledge or approval of the IT or security departments. While seemingly innocuous, shadow IT can introduce significant and often unmanaged security gaps. These unauthorized resources often lack proper security configurations, patching, and monitoring, making them easy targets for attackers. To mitigate the risks of shadow IT, organizations need robust discovery mechanisms that can identify all cloud resources, whether sanctioned or not. Once discovered, these resources must be brought under proper security governance, including regular monitoring, configuration management, and adherence to organizational security policies. Implementing cloud access security brokers (CASBs) and network traffic analysis tools can help in identifying and gaining control over shadow IT instances. Educating employees about the risks of unauthorized cloud usage is also a vital step in fostering a more secure multi-cloud environment. Proactive management with AlgoSec Cloud Enterprise Navigating the complex and ever-evolving multi-cloud landscape demands more than just awareness of these pitfalls; it requires deep visibility and proactive management. This is precisely where AlgoSec Cloud Enterprise excels. Our solution provides comprehensive discovery of all your cloud assets across various providers, offering a unified view of your entire multi-cloud estate. It enables continuous risk assessment by identifying misconfigurations, policy violations, and potential vulnerabilities. Furthermore, AlgoSec Cloud Enterprise empowers automated policy enforcement, ensuring consistent security postures and helping you eliminate misconfigurations before they can be exploited. By providing this robust framework for security management, AlgoSec helps organizations maintain a strong and resilient security posture in their multi-cloud journey. Stay secure out there! The multi-cloud journey offers immense opportunities, but only with diligent attention to security and proactive management can you truly unlock its full potential while safeguarding your critical assets. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

Cloud management enhances visibility across a hybrid network, processes network security policy changes in minutes, and reduces configuration risks But what does effective cloud management look like Webinars How to Manage Your Cloud Journey Episode 1 of Keeping Up-to-Date with Your Network Security Securing your data was once much simpler, and has grown more complex in recent years. As the workforce becomes more distributed, so does your data. Spreading your data across multiple public and private clouds complicates your network. While data used to sit behind lock and key in guarded locations, today’s data sits in multiple locations and geographies, and is made up of multiple public clouds, private clouds and other on-premises network devices. This is why managing your cloud journey can be tiresome and complicated. Enter cloud management. Cloud management enhances visibility across a hybrid network, processes network security policy changes in minutes, and reduces configuration risks. But how can you leverage your cloud management to reap these benefits? What does effective cloud management look like, and how can you achieve it when workloads, sensitive data, and information are so widely dispersed? In this episode we’ll discuss: How to manage multiple workloads on the cloud What successful security management looks like for today’s enterprises How to achieve simple, effective security management for your hybrid network May 4, 2021 Alex Hilton Chief Executive at Cloud Industry Forum (CIF) Stephen Owen Esure Group Oren Amiram Director Product Management, Algosec Relevant resources A Pragmatic Approach to Network Security Across Your Hybrid Cloud Environment Keep Reading State of cloud security: Concerns, challenges, and incidents Read Document Choose a better way to manage your network Choose a better way to manage your network Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

Recommendations from Rajpreet Kaur, Senior Principal Analyst at Gartner, in her recent blog on remote working, and a perspective on how... Security Policy Management Deploying NSPM to Implement a Gartner Analyst’s Work from Home Network Security Advice Jeffrey Starr 2 min read Jeffrey Starr Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 4/27/20 Published Recommendations from Rajpreet Kaur, Senior Principal Analyst at Gartner, in her recent blog on remote working, and a perspective on how Network Security Policy Management systems can help enterprises act upon this guidance The COVID-19 pandemic has been the catalyst for a global migration to remote home working. Managing and mitigating the network security risks this presents, on such an unprecedented scale and for a long period of time, poses a significant challenge even for companies that had remote access working plans in place before the pandemic. Not only are cybercriminals taking advantage of network insecurities to leverage attacks, they are also exploiting human anxiety around the crisis to break through security barriers. In fact, a recent survey found that 40 percent of companies reported seeing increased cyberattacks as they enable remote working. So how should organizations manage their security during these massive changes in network usage? In a recent blog , Rajpreet Kaur , Gartner Senior Principal Analyst, and a specialized expert on both hybrid environment network security and NSPM tools, offered recommendations to organizations on how to handle remote infrastructure security challenges, many of which closely align with a focus on network policy automation and application security. Here’s how network security policy management systems can support and enable Rajpreet Kaur’s key recommendations. 1. Don’t panic and start moving things to the cloud without a proper architectural design in place. Panicking and starting a large-scale move to the cloud without a proper plan in place can lead to poor security controls and ill-prepared migration. Before moving to the cloud, organizations must consider their network’s architectural design, which should always start with analysis. The analytical and discovery capabilities of NSPM systems automate this process by discovering and mapping network connectivity and providing a network map, which helps you to understand your network components, making migrations easier, faster and glitch-free. 2. Design a proper network security architecture and plan considering limited disruption and supporting work from home. Implementing these immediate and urgent network changes can only be done effectively and securely with robust change management processes. As with network analysis, NSPM automation capabilities are also vital in rapid change management. Security automation dramatically accelerates change processes, with request generation to implementation time drastically shortened and enables better enforcement and auditing for regulatory compliance. It also helps organizations overcome skill gaps and staffing limitations, which may have already been impacted by the current crisis. NSPM solutions enable full end-to-end change analysis and automation, including what if security checks, automation design, push of changes, and full documentation and audit trail. This ensures that changes can be implemented rapidly, and applied consistently and efficiently, with a full audit trail of every change. 3. Plan for what you need now, don’t try to implement a long-term strategic solution to fix your immediate needs. The current widespread move to home working is adding an extra layer of complexity to remote network security, since organizations are finding themselves having to implement new security policies and roll out adoption in a very short timeframe. Considering this, it’s important for organizations to focus on short-term needs, rather than attempting to develop a long-term strategic solution. Trying to develop a long-term solution in such a short window can be overwhelming and increase the risk of opening security vulnerabilities. Using NSPM speeds up the configuration and implementation process, allowing you to get your remote network security firewall policies up and running as soon as possible, with minimum disruption to your remote workforce. Once you have dealt with the critical immediate needs, you can then focus on developing a more long-term strategy. 4. Try to support your existing work from home employees by doing minimal changes to the existing architecture, like meeting throughput requirements and upgrading the equipment or restricting the access to a group of employees at times. Managing application connectivity and accessibility is key to ensuring minimal work disruption as employees move to remote working. An effective NSPM solution allows you to discover, identify and map business applications to ensure that they are safe and have the necessary connectivity flows. Having such a view of all the applications that are accessing the network allows security teams to map the workflow and provides visibility of the application’s required connectivity in order to minimise outages. 5. For any new network changes and upgrades, or new deployments, consider developing a work from home first strategy. Developing a work from home (WFH) strategy has never been more essential. The challenge is that WFH is a more vulnerable environment; employees are accessing sensitive data from a range of home devices, via outside networks, that may not have the same security controls. On top of this, cyber threats have already seen a sharp increase as cybercriminals exploit the widespread anxiety and vulnerabilities caused by the global crisis. IT security and networking staff are therefore having to do more, with the same staffing levels, whilst also navigating the challenges of doing this remotely from home. NSPM capabilities can help in overcoming these WFH issues. Security teams may, for example, need to change many Firewall rules to allow secure access to sensitive data. An effective NSPM solution can facilitate this and enable fast deployment by providing the ability to make changes to applications’ firewall openings from a single management interface. 6. Enhance security around public facing applications to protect against COVID-19 related cyber-attacks. With the move to remote working, organizations are increasingly relying on applications to carry out their work from home. Ensuring that business-critical applications stay available and secure while shifting to remote work is key to avoiding workflow disruption. It’s essential to take an application centric approach to application security, and an effective NSPM solution can help you to better manage and secure your business-critical applications . As discussed above, application visibility is key here. NSPM systems provides comprehensive application visibility, security operation teams can monitor critical applications for risks and vulnerabilities to ensure that they are safe. Gartner’s Rajpreet Kaur has delivered a good combination of practical and timely guidance along with the logical insights underlying the useful recommendations. These tips bring helpful guidance on the Work from Home security challenge that stands out for its clear relevance when there is now so much other noise out there. A robust NSPM can help you rapidly implement these invaluable recommendations. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

In the previous parts of our blog ( part I and part II ), we have described the most important parts of the Sunburst backdoor... Cloud Security Sunburst Backdoor, Part III: DGA & Security Software Rony Moshkovich 2 min read Rony Moshkovich Short bio about author here Lorem ipsum dolor sit amet consectetur. Vitae donec tincidunt elementum quam laoreet duis sit enim. Duis mattis velit sit leo diam. Tags Share this article 12/22/20 Published In the previous parts of our blog ( part I and part II ), we have described the most important parts of the Sunburst backdoor functionality and its Domain Generation Algorithm (DGA). This time, let’s have a deeper look into the passive DNS requests reported by Open-Source Context and Zetalytics . The valid DNS requests generated by the malware fall into 2 groups: DNS requests that encode a local domain name DNS requests that encode data The first type of DNS requests allows splitting long domain names into separate requests. These requests are generated by the malware’s functions GetPreviousString() and GetCurrentString() . In general, the format of a DNS request that encodes a domain name may look like: USER_ID.NUM.COMPUTER_DOMAIN[.]appsync-api.us-west-2[.]avsvmcloud[.]com where: USER_ID is an 8-byte user ID that uniquely identifies a compromised host, encoded as a 15-character string NUM is a number of a domain name – either 0 or 1, encoded as a character COMPUTER_DOMAIN is an encoded local computer domain Let’s try decoding the following 3 DNS requests: olc62cocacn7u2q22v02eu.appsync-api.us-west-2.avsvmcloud.com r1qshoj05ji05ac6eoip02jovt6i2v0c.appsync-api.us-west-2.avsvmcloud.com lt5ai41qh5d53qoti3mkmc0.appsync-api.us-west-2.avsvmcloud.com String 1 Let’s start from the 1st string in the list: olc62cocacn7u2q22v02eu.appsync-api.us-west-2.avsvmcloud.com. In this string, the first 15-character string is an encoded USER_ID : “olc62cocacn7u2q” . Once it is base-64 decoded, as explained in the previous post, it becomes a 9-byte byte array: 86 7f 2f be f9 fb a3 ae c4 The first byte in this byte array is a XOR key: 0x86 . Once applied to the 8 bytes that follow it, we get the 8-byte user ID – let’s take a note and write it down, we will need it later: f9 a9 38 7f 7d 25 28 42 Next, let’s take the NUM part of the encoded domain: it’s a character “2” located at the position #15 (starting from 0) of the encrypted domain. In order to decode the NUM number, we have to take the first character of the encrypted domain, take the reminder of its division by 36 , and subtract the NUM ‘s position in the string “0123456789abcdefghijklmnopqrstuvwxyz” : num = domain[0] % 36 – “0123456789abcdefghijklmnopqrstuvwxyz”.IndexOf(domain.Substring(15, 1)); The result is 1 . That means the decrypted domain will be the 2nd part of a full domain name. The first part must have its NUM decoded as 0. The COMPUTER_DOMAIN part of the encrypted domain is “2v02eu” . Once decoded, using the previously explained method, the decoded computer domain name becomes “on.ca” . String 2 Let’s decode the second passive DNS request from our list: r1qshoj05ji05ac6eoip02jovt6i2v0c.appsync-api.us-west-2.avsvmcloud.com Just as before, the decoded 8-byte user ID becomes: f9 a9 38 7f 7d 25 28 42 The NUM part of the encoded domain, located at the position #15 (starting from 0), is a character “6” . Let’s decode it, by taking the first character ( “r” = 114 ), take the reminder of its division by 36 ( 114 % 36 = 6 ), and subtracting the position of the character “6” in the “0123456789abcdefghijklmnopqrstuvwxyz” , which is 6 . The result is 0 . That means the decrypted domain will be the 1st part of the full domain name. The COMPUTER_DOMAIN part of the encrypted domain is “eoip02jovt6i2v0c” . Once decoded, it becomes “city.kingston.” Next, we need to match 2 decrypted domains by the user ID, which is f9 a9 38 7f 7d 25 28 42 in both cases, and concatenate the first and the second parts of the domain. The result will be “city.kingston.on.ca” . String 3 Here comes the most interesting part. Lets try to decrypt the string #3 from our list of passive DNS requests: lt5ai41qh5d53qoti3mkmc0.appsync-api.us-west-2.avsvmcloud.com The decoded user ID is not relevant, as the decoded NUM part is a number -29 . It’s neither 0 nor 1 , so what kind of domain name that is? If we ignore the NUM part and decode the domain name, using the old method, we will get “thx8xb” , which does not look like a valid domain name. Cases like that are not the noise, and are not some artificially encrypted artifacts that showed up among the DNS requests. This is a different type of DNS requests. Instead of encoding local domain names, these types of requests contain data. They are generated by the malware’s function GetNextStringEx() . The encryption method is different as well. Let’s decrypt this request. First, we can decode the encrypted domain, using the same base-64 method, as before . The string will be decoded into 14 bytes: 7c a5 4d 64 9b 21 c1 74 a6 59 e4 5c 7c 7f Let’s decode these bytes, starting from the 2nd byte, and using the first byte as a XOR key. We will get: 7c d9 31 18 e7 5d bd 08 da 25 98 20 00 03 In this array, the bytes marked in yellow are an 8-byte User ID, encoded with a XOR key that is selected from 2 bytes marked in red. Let’s decode User ID: for ( int i = 0 ; i < 8 ; i++) { bytes[i + 1 ] ^= bytes[ 11 - i % 2 ]; } The decoded byte array becomes: 7c f9 a9 38 7f 7d 25 28 42 25 98 20 00 03 The User ID part in marked in yellow. Does it look familiar? Indeed, it’s the same User ID we’ve seen before, when we decoded “city.kingston.on.ca” . The next 3 bytes marked in red are: 25 98 20 . 2 0x59820 The first number 2 stands for the size of data that follows – this data is 00 03 (selected in green). The number 0x59820 , or 366,624 in decimal, is a timestamp. It’s a number of 4-second periods of time since 1 January 2010. To obtain the real time stamp, we need to multiple it by 15 to get minutes, then add those minutes to 1 January 2010: var date = ( new DateTime( 2010 , 1 , 1 , 0 , 0 , 0 , DateTimeKind.Utc)).AddMinutes(timestamp * 15 ); For the number 0x59820 , the time stamp becomes 16 July 2020 12:00:00 AM – that’s the day when the DNS request was made. The remaining 2 bytes, 00 03 , encrypt the state of 8 security products, to indicate whether each one of them is running or whether it is stopped. The 8 security products are: Windows Live OneCare / Windows Defender Windows Defender Advanced Threat Protection Microsoft Defender for Identity Carbon Black CrowdStrike FireEye ESET F-Secure 2 states for 8 products require 2 * 8 = 16 bits = 2 bytes. The 2 bytes 00 03 in binary form are: 00 00 00 00 00 00 00 11 Here, the least-significant bits 11 identify that the first product in the list, Windows Live OneCare / Windows Defender, is reported as ‘running’ ( 1 ) and as ‘stopped’ ( 1 ). Now we know that apart from the local domain, the trojanised SolarWinds software running on the same compromised host on “city.kingston.on.ca” domain has also reported the status of the Windows Defender software. What Does it Mean? As explained in the first part of our description, the malware is capable of stopping the services of security products, be manipulating registry service keys under Administrator account. It’s likely that the attackers are using DNS queries as a C2 channel to first understand what security products are present. Next, the same channel is used to instruct the malware to stop/deactivate these services, before the 2nd stage payload, TearDrop Backdoor, is deployed. Armed with this knowledge, let’s decode other passive DNS requests, printing the cases when the compromised host reports a running security software. NOTES: As a private case, if the data size field is 0 or 1 , the timestamp field is not followed with any data. Such type of DNS request is generated by the malware’s function GetNextString() . It is called ‘a ping’ in the listing below. If the first part of the domain name is missing, the recovered domain name is pre-pended with ‘*’ . The malware takes the time difference in minutes, then divides it by 30 and then converts the result from double type to int type; as a result of such conversion, the time stamps are truncated to the earliest half hour. 2D82B037C060515C SFBALLET Data: Windows Live OneCare / Windows Defender [running] 11/07/2020 12:00:00 AM Pings: 12/07/2020 12:30:00 AM 70DEE5C062CFEE53 ccscurriculum.c Data: ESET [running] 17/04/2020 4:00:00 PM Pings: 20/04/2020 5:00:00 PM AB902A323B541775 mountsinai.hospital Pings: 4/07/2020 12:30:00 AM 9ACC3A3067DC7FD5 *ripta.com Data: ESET [running] 12/09/2020 6:30:00 AM Pings: 13/09/2020 7:30:00 AM 14/09/2020 9:00:00 AM CB34C4EBCB12AF88 DPCITY.I7a Data: ESET [running] 26/06/2020 5:00:00 PM Pings: 27/06/2020 6:30:00 PM 28/06/2020 7:30:00 PM 29/06/2020 8:30:00 PM 29/06/2020 8:30:00 PM E5FAFE265E86088E *scroot.com Data: CrowdStrike [running] 25/07/2020 2:00:00 PM Pings: 26/07/2020 2:30:00 PM 26/07/2020 2:30:00 PM 27/07/2020 3:00:00 PM 27/07/2020 3:00:00 PM 426030B2ED480DED *kcpl.com Data: Windows Live OneCare / Windows Defender [running] 8/07/2020 12:00:00 AM Carbon Black [running] 8/07/2020 12:00:00 AM Full list of decoded pDNS requests can be found here . An example of a working implementation is available at this repo. Schedule a demo Related Articles Q1 at AlgoSec: What innovations and milestones defined our start to 2026? AlgoSec Reviews Mar 19, 2023 · 2 min read 2025 in review: What innovations and milestones defined AlgoSec’s transformative year in 2025? AlgoSec Reviews Mar 19, 2023 · 2 min read Navigating Compliance in the Cloud AlgoSec Cloud Mar 19, 2023 · 2 min read Speak to one of our experts Speak to one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Schedule a call

AlgoSec enhances the effectiveness and efficiency of network security in Cisco environments by providing application-centric security, automation, and compliance capabilities AlgoSec Heads to Cisco Live to Empower Organizations to Effectively Secure Application Connectivity across Multi-Cloud and Hybrid networks AlgoSec enhances the effectiveness and efficiency of network security in Cisco environments by providing application-centric security, automation, and compliance capabilities February 2, 2024 Speak to one of our experts RIDGEFIELD PARK, NJ, February 2, 2024 – Global cybersecurity leader AlgoSec will demonstrate the quality of its application-centric hybrid network solutions at this year’s Cisco Live in Amsterdam. AlgoSec will illustrate how its range of value-added product integrations enables organizations to support their business-critical applications while minimizing security risks and ensuring compliance. AlgoSec operates deep at the business application level, allowing organizations to monitor traffic patterns, identify anomalies, and prioritize security incidents. This profound application-level understanding enables network and cloud security professionals to optimize their Cisco environments and minimize the attack surface and risk of unauthorized access. As a SolutionsPlus partner, AlgoSec have fostered a strong relationship with Cisco that enables us to effectively address the needs of their customers, which have changed over time with the increasing adoption of hybrid cloud networks. The integration of Cisco and AlgoSec’s solutions delivers innovation to the market and offers greater value to our joint prospects and existing customers. AlgoSec integrates seamlessly with Cisco networking and security solutions, including Cisco Firepower and Cisco ACI (Application Centric Infrastructure). This integration ensures consistent policy enforcement and centralized management, helping organizations to better secure their networks while reducing operational overhead and complexity. AlgoSec has recently introduced early availability for Nexus Dashboard Orchestrator (NDO) support, underscoring a commitment to providing continuity and support for customers navigating transitions in their network infrastructure. As evidence of the company’s commitment and efforts, AlgoSec was recently recognized as one of the “Meraki Picks” companies on the Meraki Marketplace. This showcases partners based on their proven track record with customers, highlighting AlgoSec’s exceptional performance in Network Security and Network Automation. AlgoSec is inviting customers and partners to visit them at Booth E10 at Cisco Live from February 5-8th. For the latest information and to set up a meeting at the show, please visit the event portal . About AlgoSec AlgoSec, a global cybersecurity leader, empowers organizations to secure application connectivity and cloud-native applications throughout their multi-cloud and hybrid network. Trusted by more than 1,800 of the world’s leading organizations, AlgoSec’s application-centric approach enables to securely accelerate business application deployment by centrally managing application connectivity and security policies across the public clouds, private clouds, containers, and on-premises networks. Using its unique vendor-agnostic deep algorithm for intelligent change management automation, AlgoSec enables acceleration of digital transformation projects, helps prevent business application downtime and substantially reduces manual work and exposure to security risks. AlgoSec’s policy management and CNAPP platforms provide a single source for visibility into security and compliance issues within cloud-native applications as well as across the hybrid network environment, to ensure ongoing adherence to internet security standards, industry, and internal regulations. Learn how AlgoSec enables application owners, information security experts, DevSecOps and cloud security teams to deploy business applications up to 10 times faster while maintaining security at https://www.algosec.com .

Security policy management for the hybrid cloud environment Download PDF Download PDF Add a Title Add a Title Add a Title Schedule time with one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

Master the trinity: Unifying your hybrid cloud security fabric See how to make safe changes faster Changes take too long because you don’t know what rules do or what will break. This live demo shows how teams understand application connectivity, validate impact, and automate changes with confidence. Live demo: Horizon, AppViz, and ACE See how it works in one platform—from visibility to execution. Register for the webinar June 11th, 2026 Email* Company* First name* Last name* country* Select country... Select Time-Zone* Choose Time-zone By submitting this form I agree to receive relevant marketing material from AlgoSec, subject to its privacy policy Register Now Thank you! Thank you for registering for our masterclass and demo. We’ve reserved your spot. Please check for a confirmation email from AlgoSec Marketing with additional details about the webinar. See you there. David Feldman Product Manager, AlgoSec David Feldman is the Product Manager driving the evolution of AlgoSec AppViz. With deep expertise across network security, cloud ecosystems, and Security Posture Management, David transforms complex customer environments into clear, actionable, business-aligned insights. Image attached.

Webinars Build and Enforce Defense in-Depth | An AlgoSec-Cisco Tetration webinar Micro-segmentation protects your workloads and applications against lateral movement of malware and limits the spread of insider threats, yet successfully implementing a defense-in-depth strategy using micro-segmentation is complicated. In this technical webinar, Jothi Prakash Prabakaran, Senior Product Manager at Cisco, and Yoni Geva, Product Manager at AlgoSec, will provide a step-by-step blueprint to implementing this strategy using the micro-segmentation capabilities of Cisco Tetration and network security policy management capabilities of AlgoSec. They will demonstrate how to tighten your security posture within the data center using an allow-list approach. They will also show how to enforce these granular micro-segmented policies enforced on the workloads with Cisco Tetration and a coarse grain policy enforced across the infrastructure through AlgoSec network security policy management. Watch the webinar to learn how to: Understand your business applications to create your micro-segmentation policy Validate your micro-segmentation policy is accurate Enforce these granular policies on workloads and summarized policies across your infrastructure Use risk and vulnerability analysis to tighten your workload and network security Identify and manage security risk and compliance in your micro-segmented environment July 22, 2020 Jothi Prakash Prabakaran Yoni Geva Product Manager Relevant resources AlgoSec Joins Cisco’s Global Price List Keep Reading Introducing Deeper Integration with Cisco’s Tetration Keep Reading Application Segmentation With Cisco Tetration and AlgoSec Read Document Choose a better way to manage your network Choose a better way to manage your network Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue

Multiple AWS accounts: Security best practices E-BOOK Download PDF Download PDF Add a Title Add a Title Add a Title Schedule time with one of our experts Work email* First name* Last name* Company* country* Select country... Short answer* By submitting this form, I accept AlgoSec's privacy policy Continue