CrowdStrike launches unified data protection for AI & cloud

Techday NZ, 30-04-2025
CrowdStrike has introduced a collection of new capabilities aimed at providing real-time data protection across cloud infrastructures, AI models, endpoints, and SaaS applications.
The set of products and features includes Falcon Cloud Security AI Model Scanning and AI Security Dashboard, Falcon Data Protection for Cloud and Endpoint, and a new range of SaaS Threat Services. These are designed to address the evolving methods by which adversaries target and extract sensitive information.
One of the key advances highlighted by CrowdStrike is Falcon Cloud Security's ability to inspect AI models for malware, backdoors, and other alterations before they are deployed in production environments. Security teams will receive real-time visibility into all AI workloads within the cloud, supporting proactive risk management in an area seeing rapid growth and increasing interest from threat actors.
The Falcon Data Protection for Cloud and Endpoint feature seeks to address security gaps by offering runtime data protection for both cloud and endpoint environments. This enables organisations to prevent the exfiltration of encrypted files and mitigates risks related to generative AI–led data leaks as they occur, according to the firm.
CrowdStrike also announced SaaS Threat Services that include expert-led assessments and proactive threat detection and response, with the goal of helping organisations identify and mitigate risks stemming from SaaS application misuse or misconfiguration. These services have been designed in response to the growing prevalence of cloud-based attacks which target user identities and enterprise data.
Recent cyber incidents have illustrated an adversarial shift from causing disruption to systematically stealing data, typically through exploitation of misconfigured systems and legitimate user credentials. CrowdStrike points to groups such as SCATTERED SPIDER and FAMOUS CHOLLIMA who have used compromised SSO accounts or insider access to extract internal documents, credentials, and intellectual property for extortion or further attack. As generative AI solutions are adopted more widely without adequate security controls, new points of exposure for sensitive data emerge within organisations.
"In today's threat landscape, your data isn't just an asset – it's the primary target," said Elia Zaitsev, Chief Technology Officer at CrowdStrike. "Legacy data protection approaches fail because they're fragmented across environments, blind to encrypted exfiltration and incapable of stopping threats in real time. Today, businesses must also contend with employees inadvertently leaking sensitive data to unapproved or misused GenAI tools, adding new layers of risk. With Falcon Data Protection, we are the next chapter of data protection: unified visibility and control across your entire data ecosystem with the real-time protection needed to stop data theft before it happens."
The Falcon Data Protection platform is promoted as a way to forgo a patchwork approach that often requires separate endpoint, cloud, and SaaS security solutions. Instead, it delivers comprehensive data protection from a single platform. Among the features are runtime data protection for cloud data at rest and in transit, which uses eBPF technology to identify and prevent unauthorised data movement in real-time across multi-cloud and on-premises environments.
The Endpoint – Encryption Detection capability is intended to identify and block unauthorised attempts to archive and exfiltrate sensitive data within encrypted files, including 7zip formats, ahead of their encryption and movement. This, CrowdStrike asserts, helps prevent data theft regardless of the method used by attackers.
For generative AI applications, Falcon Data Protection includes GenAI Data Leak Prevention, which applies proprietary Similarity Detection DNA technology. This approach detects sensitive material even if altered or disguised for input into GenAI tools. Enforcement policies can be tailored by content type and data sensitivity label, restricting the flow of sensitive data into both authorised and unauthorised GenAI platforms.
Additional enhancements extend protection to macOS environments, aiming for consistent oversight and controls across varied device deployments. Just-in-Time Privileged Access and Identity-Based Threat Detection provide dynamic and situational access controls, as well as integration with broader threat intelligence, to address insider threats and external actors that exploit identity weaknesses.
With identity-based attacks and SaaS vulnerabilities increasingly exploited for malicious gain, SaaS Threat Services cover incident response, risk assessments, and tailored guidance to shore up organisational defences for both on-premises and cloud-based data assets.

Related Articles

Workspace 365 launches unified search to cut digital workplace clutter

Techday NZ, 2 days ago

Workspace 365 has introduced a new feature, Search .Simplified, that allows employees to conduct a single query across all their business applications and data sources directly from their digital workplace platform. The new capability was developed in response to findings from Workspace 365's recent research into workplace digital tools. The study uncovered that 49% of employees would prefer to have all their tools, apps, and documents accessible in one location to avoid needing to switch between different systems. Additionally, 44% indicated that reducing the number of logins or systems would enhance their productivity at work. The research also highlighted that 32% of hybrid workers consider the management of multiple tools to be their biggest challenge, while 59% of the overall workforce, and 65% in the largest organisations, believe employers should prioritise simplifying digital workplaces to improve productivity. Speaking about the motivation for the new feature, Workspace 365's Chief Executive Officer and Co-founder, Erik Nicolai, provided further context. "Our research painted a clear picture - employees are losing time, focus and engagement because information is fragmented across multiple systems," explained Erik Nicolai, CEO and co-founder of Workspace 365. "Search .Simplified aims to address that by bringing every source of information and connected app - from emails and documents, to tickets and tasks - into one intelligent search bar, and making the right information available in seconds." Search .Simplified operates through the Workspace 365 Integration Builder, enabling organisations to connect all of their business applications, legacy systems, and modern SaaS platforms via APIs. The platform requires no additional development work when integrating systems. If an application contains important data and permits integration, Workspace 365 is able to connect with it. 
The company is positioning itself to move beyond simple app integration, aiming to develop a broader Ecosystem. According to Workspace 365, this ecosystem unifies information and tools, connecting employee experiences and supporting focused work within a single workplace interface. Among the key features highlighted are the ability to search across every connected application without switching between them, permission-aware results so users only see information relevant and accessible to them, and improved efficiency with the promise of relevant information often delivered in under 10 seconds. The introduction of Search .Simplified comes after Workspace 365's release of Communication .Simplified, which is intended to enhance employee engagement. Together, these features are core elements in the company's broader transition towards a unified Ecosystem, integrating tools, information, and workflows into a single user experience. Nicolai commented further on the direction of Workspace 365's product strategy, stating: "Our product roadmap has a clear objective - to simplify everything. Search .Simplified is the next step towards delivering on that mission; by unlocking intelligent search across all data points, with results filtered by relevance, access rights, and context, and making them available directly from the digital workplace." Workspace 365 was founded in the Netherlands in 2010 and has developed a platform designed to bring together all digital tools, applications, and information employees need onto a single interface. The solution aims to reduce digital clutter, streamline collaboration, and centralise access for distributed and hybrid workforces. The company has been recognised for its contributions in workplace technology, having been listed on Groeibedrijven Top 250 in 2023 and TechRound's SaaS66 in 2024.

Ransom payments surge to USD $1.13 million as data theft rises

Techday NZ, 2 days ago

Coveware by Veeam has released its Q2 2025 ransomware report, indicating significant increases in both the frequency and financial impact of targeted social engineering attacks, particularly those involving data exfiltration. The report highlights that average and median ransom payments rose sharply during the second quarter. The average ransom reached USD $1.13 million, a 104% increase from Q1 2025, while the median doubled to USD $400,000. This escalation follows a pattern of more significant demands after incidents in which data is stolen rather than systems encrypted.

Social engineering threats

According to Coveware by Veeam, three major ransomware groups - Scattered Spider, Silent Ransom, and Shiny Hunters - dominated activity in Q2. These offenders shifted away from broad, opportunistic attacks to highly targeted campaigns, employing sophisticated impersonation techniques. The tactics included posing as employees or service providers to breach help desks and exploit internal processes.

"The second quarter of 2025 marks a turning point in ransomware, as targeted social engineering and data exfiltration have become the dominant playbook," said Bill Siegel, CEO of Coveware by Veeam. "Attackers aren't just after your backups – they're after your people, your processes, and your data's reputation. Organisations must prioritize employee awareness, harden identity controls, and treat data exfiltration as an urgent risk, not an afterthought."

Data exfiltration on the rise

The report found that data theft is now prioritised over encryption in extortion efforts. Exfiltration was involved in 74% of ransomware cases handled by Coveware in Q2. Attackers increasingly rely on multi-extortion tactics and are known to issue delayed threats, prolonging risks to targeted organisations long after the initial breach is detected and contained.

Targeted sectors and company sizes

Analysis of the case data indicates that the professional services, healthcare, and consumer services sectors accounted for the highest proportion of incidents, comprising 19.7%, 13.7%, and 13.7% of attacks, respectively. Mid-sized enterprises, defined as those employing between 11 and 1,000 people, represented 64% of victim organisations. The report notes that attackers view such companies as offering the best balance between substantial ransom payout potential and relatively less developed cyber defences.

Attack methods and vulnerabilities

Credential compromise, phishing emails, and exploitation of internet-facing services remain the principal means of obtaining initial access to victim networks. The report also points to increased exploitation of vulnerabilities in well-known platforms including Ivanti, Fortinet, and VMware. Simultaneously, there has been a rise in attacks by so-called "lone wolf" perpetrators. These individuals are described as seasoned extortionists who use generic toolkits, but without clear branding or affiliation to known ransomware groups. The top ransomware variants in Q2 were named as Akira (19%), Qilin (13%), and Lone Wolf (9%). For the first time, Silent Ransom and Shiny Hunters also appeared within the top five variants monitored.

Ransom payment dynamics

The report attributes the dramatic increase in payment values largely to larger organisations choosing to pay ransoms following theft of sensitive data. This occurred even as the overall percentage of organisations agreeing to pay ransoms remained steady at 26%.

Coveware by Veeam reports that its findings are based on proprietary data collected during incident response engagements, rather than external or third-party sources. The company utilises forensic tools and detailed documentation of threat actor behaviour to generate its quarterly insights. These reports are intended to offer actionable guidance on ongoing trends and new tactics, techniques, and procedures emerging within the ransomware landscape. Through real-time analysis, Coveware by Veeam has identified patterns that inform recommendations for enhancing organisational defences, such as improved employee training, more rigorous identity management protocols, and preparedness for incidents focused purely on data theft.

ShinyHunters & Scattered Spider escalate attacks on Salesforce

Techday NZ, 2 days ago

Security firm ReliaQuest has reported a resurgence in activity from the cybercriminal group ShinyHunters, which has launched attacks against Salesforce and targeted major organisations including Google. ReliaQuest's recent assessment has analysed domain registration patterns and infrastructure related to ShinyHunters, suggesting a potential collaborative relationship with the threat group Scattered Spider that may have started as early as July 2024.

High-profile campaigns

ShinyHunters has re-emerged following a year of relative inactivity, during which most operations had subsided after the arrest of several alleged members. The group, previously known for high-profile data breaches and credential theft campaigns, is now targeting high-profile companies across various sectors, including technology, finance, and retail. Their primary method of monetisation remains the sale of stolen data on underground forums. The recent campaign is marked by the use of phishing domains and Salesforce credential harvesting pages, which indicate a refined approach compared to previous efforts. Reported evidence includes the emergence of a BreachForums user under the alias "Sp1d3rhunters" linked to both ShinyHunters and historical breaches, as well as overlapping characteristics in domain registrations.

Potential collaboration

ReliaQuest's analysis highlights significant similarities between ShinyHunters' recent tactics and those attributed to Scattered Spider. These include coordinated domain registrations themed around phishing campaigns, particularly relating to ticketing and Salesforce, and employing vishing and credential harvesting attacks mimicking IT support staff. These developments have prompted speculation about collaboration or sharing of resources and infrastructure between the two groups.

"This latest wave of ShinyHunters-attributed attacks reveals a dramatic shift in tactics, moving beyond the group's previous credential theft and database exploitation. These campaigns have included hallmark Scattered Spider techniques:

  • Highly targeted vishing campaigns, impersonating IT support staff to trick employees into authorising access to malicious 'connected apps';
  • Apps that often masquerade as legitimate tools (in this case, Salesforce), allowing attackers to steal sensitive business data;
  • Okta-themed phishing pages to trick victims into entering credentials during vishing calls;
  • VPN obfuscation using Mullvad VPN to perform data exfiltration (here, on victims' Salesforce instances).

These tactics align closely with Scattered Spider's trademark methods and those of the broader collective, The Com, fuelling speculation about active collaboration between the groups."

The assessment further points out circumstantial evidence of an alliance, such as the overlapping presence of both groups in similar attack sectors and timeframes, and online cybercriminal forum activity that combines their names and tactics. Additional support for the collaboration theory comes from reports by DataBreaches, which described a Telegram threat actor under the alias "Sp1d3rhunters," claiming that the groups "are the same" and "have always been the same." The same alias surfaced on BreachForums in May 2024, shortly before data from a significant breach was leaked, previously attributed to ShinyHunters.

Targeted sectors and methods

The investigation identified a series of phishing domains registered between June and July 2025, designed to impersonate well-known brands. Examples include domains such as ticket-lvmh[.]com, ticket-dior[.]com, and ticket-louisvuitton[.]com, which were registered just before reported breaches in the luxury sector. ReliaQuest highlighted that the format and registration details of these domains closely matched those used in Scattered Spider campaigns, including the use of keywords like "okta," "helpdesk," and "sso" with specific formatting conventions and privacy services masking registrant identity. Many of these domains led to Okta-branded phishing pages or were associated with vishing campaigns leveraging fake Salesforce applications to facilitate data exfiltration.

Further investigation revealed more than 700 domains registered in 2025 matching these phishing patterns, with a notable shift since July 2025 from targeting professional and technical service organisations to a 12% increase in domains aimed at financial services, while targeting of technology firms fell by 5%. The report also notes that the United States remains the most targeted country by substance and volume of impersonating domains, despite recent campaigns against UK-based organisations. In Q2 2025, ReliaQuest observed that 67% of all organisations named on ransomware leak sites were US companies, a trend mirrored in domain impersonation activity.

Recommendations for defence

ReliaQuest recommends organisations focus on mitigating tactics, techniques and procedures (TTPs) rather than attribution to specific groups. It suggests prioritising defences against phishing, vishing, and credential harvesting, while monitoring for newly registered domains that imitate company or SaaS provider branding.

"The most important takeaway is the clear effectiveness and adaptability of these tactics. Whether targeting luxury brands, financial institutions, or other high-profile organisations, these campaigns illustrate that no sector is immune to the risk of highly targeted social engineering attacks."

Additional best practices include hardening social engineering defences, restricting administrator permissions on services such as Salesforce, conducting regular staff awareness training, and mandating multi-factor authentication (MFA) for all users. The report advises routine scans for endpoints following MFA attacks and immediate disabling of compromised user accounts if suspicious activity is detected.

Ongoing risk and vigilance

Looking forward, domain registration patterns indicate that banks, financial services organisations, and technology service providers are most at risk, given the attackers' focus on high-value, monetisable data and access to large client ecosystems.

"Ultimately, the collaboration between ShinyHunters and Scattered Spider represents a high and evolving threat. Organisations should take immediate action to strengthen their defences, as the speed, scale, and adaptability of these campaigns continue to test the limits of traditional security operations."

The report concludes that as cyber threat actors continue to rotate infrastructure, adapt their behavioural patterns, and leverage social engineering, organisations across all sectors should enhance detection capabilities and maintain heightened awareness of impersonation threats, particularly those geared towards widely used cloud-based applications and services.
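
The recommendation above to monitor newly registered domains that imitate company or SaaS branding can be turned into a triage step over a registration feed, using the keywords the report names. The following is an added example, not code from ReliaQuest or the article; the brand "examplecorp", the allowlist and the feed entries are constructed assumptions.

```python
import re

# Keywords the report ties to these phishing domains ("okta", "helpdesk",
# "sso"), plus the "ticket" prefix seen in the examples it quotes.
LURE_KEYWORDS = {"okta", "helpdesk", "sso", "ticket"}


def to_host(entry):
    """Normalise a feed entry such as 'ticket-dior[.]com' to a bare hostname."""
    host = entry.strip().lower().replace("[.]", ".")
    host = re.sub(r"^[a-z]+://", "", host)      # drop a scheme if present
    return host.split("/")[0].rstrip(".")


def triage(entry, brands, allowlist):
    """Return (verdict, reasons) for one newly registered domain.

    brands    -- lower-case brand strings to protect (assumed input)
    allowlist -- domains the organisation really owns (assumed input)
    """
    host = to_host(entry)
    if any(host == d or host.endswith("." + d) for d in allowlist):
        return "ignore", ["owned domain"]
    # Tokenise every label except the last (the TLD) on dots and hyphens.
    tokens = [t for label in host.split(".")[:-1] for t in label.split("-") if t]
    brand_hits = sorted(b for b in brands if any(b in t for t in tokens))
    lure_hits = set()
    for token in tokens:
        # Strip brand text so glued forms like "examplecorpsso" still match,
        # but require an exact keyword so "crossover" does not hit "sso".
        rest = token
        for brand in brand_hits:
            rest = rest.replace(brand, "")
        lure_hits.update({token, rest} & LURE_KEYWORDS)
    reasons = [f"brand:{b}" for b in brand_hits]
    reasons += [f"keyword:{k}" for k in sorted(lure_hits)]
    if brand_hits and lure_hits:
        return "alert", reasons       # brand plus lure keyword
    if brand_hits:
        return "review", reasons      # brand in a domain we do not own
    return "ignore", reasons


# Constructed sample feed; "examplecorp" is a placeholder brand.
SAMPLE_FEED = [
    "examplecorp-okta[.]example",
    "ticket-examplecorp[.]example",
    "sso.examplecorp-helpdesk.example",
    "examplecorpsso.example",
    "login.examplecorp.example",
    "examplecorp-careers.example",
    "crossover-news.example",
]


def triage_feed(feed=SAMPLE_FEED, brands=("examplecorp",),
                allowlist=("examplecorp.example",)):
    """Triage every feed entry; returns {entry: (verdict, reasons)}."""
    return {entry: triage(entry, brands, allowlist) for entry in feed}


if __name__ == "__main__":
    for entry, (verdict, reasons) in triage_feed().items():
        print(f"{verdict:7} {entry:36} {', '.join(reasons)}")
```

Domains that only contain the brand go to manual review rather than alerting, which keeps unrelated registrations from drowning out the brand-plus-keyword pattern the report describes.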
