Decisions: Security – now and next
Security – it is a constant problem for today’s enterprise.
We are told that we need to be vigilant against advanced persistent threats (APT), zero-day exploits, cyber espionage, hackers, hacktivists and artificial intelligence-enhanced attacks, and yet it is clear that most organisations, including here in Ireland, are still failing on the basics of updating, patching, identity and access management and network segmentation.
But before diving into the thornier issues, it is worth taking a look at the real world to see how we fair, and the annual Verizon Data Breach Investigations Report (2018) is always a good place to start.
For the 2018 report, 53,308 security incidents were investigated, covering 2,216 data breaches, across 65 countries, with 67 contributors, and the results are, as always, sobering reading.
More than three quarters of (76%) of breaches were, unsurprisingly, financially motivated. Almost three-quarters (73%) of cyberattacks were perpetrated by outsiders. Organised criminal groups were behind half of all breaches, with nation-state or state-affiliated actors involved in 12%. This does leave a substantial (28%) of attacks which involved insiders. However, the malicious insider was not always the problem, as the report found that errors were at the heart of a worrying 17% of breaches, which included employees failing to shred confidential information, sending an email to the wrong person, or misconfiguring web servers. Included in all of this was that 4% of people will click on any given phishing campaign — and will do so in just the first 16 minutes of it. The first report from a savvy user will arrive after 28 minutes.
Ransomware was the top variety of malicious software, found in 39% of cases where malware was identified. When a breach did occur, 87% of compromises took minutes or less to accomplish. Only 3% were discovered quickly, with more than two thirds (68%) remaining undiscovered for months or more.
In terms of method employed, the top five were use of stolen credentials (hacking) 22%, RAM scraping (malware) 17%, phishing (social) 13%, privilege abuse (misuse) 11%, and mis-delivery (error) 10%. Pure, brute force hacking was responsible for just 5% of attacks.
The implications of all this are clear: organisations are still failing to do the simple things when it comes to security.
According to the report authors, “it is certainly possible to be aware of what is most likely to befall your organisation and how to plan accordingly. Fourteen years’ worth of data, collaboration, research and analysis continues to show us that although almost anything is possible (and we’ve seen a few things that beggar belief), criminals are, as a rule, most likely to continue to use the tools against you that have been most effective in the past.”
“Knowing where your organisation is in the food chain for criminals gives you an advantage, so be sure to use it,” the report advises.
And lest anyone be under the impression that these findings are all related to on-premises situations that do not benefit from the advantages of cloud, a snippet from McAfee Skyhigh Networks research found that as recently as 2017, 7% of AWS S3 buckets are publicly accessible and more than a third (35%) are unencrypted.
The Oracle and KPMG Cloud Threat Report 2019 points out that developers still need to think of security during development time, rather than trying to bolt on afterwards, especially in the cloud context.
“Developers need to give initial attention to securing applications and data, and business leaders need to consider the value of the data to the business and the impacts to the business if that data is compromised,” says the report.
“Unless companies take security into account up front, there will always be an unrealistic and unsustainable reliance on people and manual processes, posing numerous risks to business value and operations.”
The solution seems to be automation to remove the need for manual intervention and to provide protection at scale.
“The ability to help address vulnerabilities automatically is very exciting. Machine learning (ML), automation, the speed at which we can execute security processes – it’s all resulting in minimal downtime for some customers and the enhanced ability for all to use cyber security as a business enabler. These services and technologies are maturing to the point that we can really start to make headway mitigating points of exposure, in keeping with business strategy.”
The inference is that the real benefits for enterprises are the use of automation and machine learning, not just in identification and detection, but also in orchestration and operation, to ensure that security measures are kept up to date, properly monitored and recommendations acted upon.
This seems in stark contrast to many security vendors who lead with the application of artificial intelligence, machine learning and automation on the detection end of things. Many vendors appear to want to emphasise their superior ability in identifying threats, remedial actions and protections through the application of AI and ML when arguably, based on the evidence from Verizon et al, more organisations would benefit from their application on the management and operational side.
Is the answer then, not look for security products that operate in this way, but rather a service provider who can provide both?
The markets would certainly seem to support this.
Gartner predicts security service spend to hit €64.2 billion in 2019, up 9% on the previous year.
According to IDC, managed security services are now the fastest growing segment of the IT security sector, with a compound annual growth rate of 14.7% expected through 2021.
Gartner estimates that by 2020, managed and subscription-based security services will account for half of the revenue generated in the cybersecurity category. The analyst says that security as a service is on the way to surpassing on-premises deployments, and hybrid deployments are enticing buyers. A large portion of respondents to Gartner’s security buying behaviour survey said they plan to deploy specific security technologies, such as security information and event management (SIEM), in a hybrid deployment model in the next two years. Managed services represented roughly 24% of deployments, on average.
However, even with a managed service, the complexity of modern cloud environments has implications for visibility.
The Oracle KPMG report said that of some 460 respondents to the survey, specifically, a third cited detecting and reacting to events in the cloud as their top cybersecurity challenge.
“CISOs are particularly aware of the cloud security visibility gap, with 38% citing the inability of network security controls to provide visibility into public cloud workloads as their top cloud security challenge,” said the report. “This view on the lack of applicability of network security controls is rooted in the shared responsibility security model in which cloud services providers are responsible for securing the lower levels of the Open Systems Interconnection (OSI) model.”
Customers simply do not have access, say the authors, to network tap and span ports. As such, IT and cybersecurity teams need to use purposeful controls designed to provide visibility into the layers of cloud services which customers are responsible for securing.
However, Oracle and KPMG highlight another issue for any organisation that is looking to scale to meet demand.
Issues of scale
They said the inability to analyse and respond to security events is a long-standing issue.
“It is startling that only one in 10 participating organisations are able to process over 75% of their security event data. As such, the vast majority of companies lack visibility currently by being unable to process the growing stream of security event telemetry. They liken this to driving without mirrors, or on motorways without guard rails.
“Moreover,” they say, “the fact that detecting and reacting to security incidents in the cloud was the most cited cybersecurity challenge indicates respondents are concerned this challenge of scale will only get worse. In the context of the shared responsibility security model, this concern is specific to incidents the subscriber is responsible for investigating, not those targeted at lower levels of the infrastructure for which the cloud service provider (CSP) is responsible.”
In conclusion then, any organisation looking to improve their security posture is going to have to look at solutions that apply the emerging technologies of AI and ML to the to the operational and management aspects of their products and services as much as to detection and remediation. It is clear that security professionals are harder pressed than ever before and so any service or application that can make keeping up with the basics easier, faster and more efficient is going to be of greater appeal.
This is doubly so in the context of skills shortages. Information security has been highlighted time and again as a sector where getting the right talent, the right amount of it and retaining it, is particularly challenging.
Finally, the evidence for end user credential abuse is one that will likely require particular attention. It is not sufficient anymore to simply allow access with a set of credentials, it is necessary to monitor behaviour to pick up on when a mal-actor might have valid credentials. The field of End User Behaviour Analytics (EUBA) can potentially tackle this issue. EUBA solutions can apply machine learning to detect when a user is straying beyond expected parameters through detecting and reporting anomalies in actions. The systems use advanced analysis, aggregate data from logs and reports, taking into account packet, flow, file and other types of information, as well as certain kinds of threat data to determine whether certain activity and behaviour may constitute a cyber attack.
Artificial intelligence: risk and reward
The use of AI has become an important tool in cyber defence, but attackers are also using AI to support their efforts. 2018 saw a rise in automated bot attacks and also saw the start of attacks which, when access was obtained, used machine learning to observe and learn patterns of normal user behaviour inside the network. Nowadays, AI is frequently used to make combating spam and detecting malware more effective.
That said, the exploitation of known vulnerabilities is still the most popular attack vector. These were up from 6,500 in 2016 to over 16,000 in 2018.
Before you deploy technologies based on AI, you must understand your risks and vulnerabilities.
The focus should be on getting visibility of your security posture using Security information and event management (SIEM). SIEM solutions aggregate your network and system logs into a platform that makes the information simpler to review. SIEM analyses activity from different resources across the IT infrastructure. The average cost of a data breach is almost halved if automation is deployed. (IBM/Ponemon Institute Research)
As we know, cyber security professionals are in short supply and expensive, so most organisations do not have the manpower to review the millions of logs that SIEM produces. A managed service in the form of a Security Operations Centre (SOC) solves this problem. And for less than the cost of an IT security specialist.
At a basic level however, you need to understand the risks associated with known vulnerabilities. By deploying and actively using a vulnerability management tool you can prioritise the right vulnerabilities. In addition, you should employ an efficient and effective patch management service. These will simplify asset management and software distribution and secure your IT environment.
Zinopy, a Trilogy Technologies Group company, is a market leader in cyber security, digital workspace solutions and managed services. Zinopy delivers virtualisation, mobility and security solutions to enable you to work securely from any place at any time. The SIEM and SOC services enable Zinopy to defend organisations against cyber attacks.
John Ryan is CEO of Zinopy
The limits of traditional security
The adoption of security products has changed significantly in recent times. The product selection process used to be focused on the traditional, large security players. Typically, those vendors were providing a product suite covering multiple layers of the infrastructure. This is no longer the case.
With the advent of cloud native applications, multi-cloud and hybrid-cloud architectures, which is evolving rapidly, it seems that the traditional IT security vendors were not able to innovate at the same pace.
We have seen organisations adopting serverless functions and container-based solutions, such as AWS ECS and Kubernetes. Even though the development team have done an excellent job, the project was being blocked whenever the application had to be promoted to the production environment.
The traditional security tools, to protect the operating system and the network, just do not work with these modern technologies.
When we are dealing with container-based applications, for example, there are very specific controls that need to be put in place for detecting vulnerabilities in the container image, detect unapproved changes and provide container level application firewall.
When leveraging serverless functions for example, we do not have control nor visibility of the underlying infrastructure. Therefore, the security controls need to be defined at a different level, mostly as part of the build process in the CI/CD pipelines, in order to ensure that configuration and permissions are being hardened.
The key in selecting the security toolset is to ensure that it will be a good fit for your current and future workloads.
Fabio Douek is lead cloud architect with Singlepoint
What’s stopping CIOs from building an agile workspace?
Most CIOs agree building an agile workspace is critical to their organisations’ competitive advantage — so what is holding them back? A recent survey from Capita and Citrix reveals all.
Over the past decade, digitalisation has had an impact on almost every aspect of our personal lives — from the way we shop, to the way we bank, to the way we watch TV. So why are so many enterprise CIOs struggling to deliver the same digital shift when it comes to the way we work?
To find out, Capita and Citrix commissioned Vanson Bourne in 2018 to carry out a survey of 200 CIOs and senior IT decision-makers. The results, published as “Delivering Workforce Mobility, Digital Transformation, and Agile Workspaces – Where are Organisations Today?” show that almost all enterprises (95%) are either undertaking digital transformation projects or planning to do so in the next 12 months.
However, many also report significant challenges holding back their progress towards a more agile workspace — something that CIOs now see as fundamental to their success and ability to compete. Overall, 84% of respondents said their slowness in rolling out new services and applications to support an agile workspace is impacting their entire organisation’s ability to stay ahead of the competition.
Here, we look at some of the highlights from the research.
Legacy apps slow the journey
Our survey found almost half (44%) of CIOs consider legacy technology and applications a barrier to building an agile workspace — and almost nine in 10 (87%) said legacy applications in particular have at least slowed the journey.
In an era of SaaS and mobile apps, many enterprises still rely on dated on-premises applications to support business-critical processes. These applications were never designed to be delivered from the cloud, and many have been heavily customised, so the costs to re-architect are high. More than two-thirds (68%) of respondents cited this cost as a speed bump in their journey towards a more agile workspace.
Another third (36%) of CIOs said they lack in-house skills to modernise legacy applications, suggesting this barrier is best overcome “by seeking outside help and bringing in skilled application remediation experts from a third party”.
Notably, the survey showed little appetite for CIOs to simply replace legacy applications with SaaS products – more than half (58%) said SaaS didn’t fully meet their requirements, while 17% said SaaS didn’t meet their requirements very much or at all.
Delivering a user-centric workspace is difficult
One of the key differences between an agile workspace and the traditional IT desktop model is that the former is user-centric – designed to empower employees to use the applications they need, on the devices they want, anywhere they happen to be.
However, our research showed many CIOs are struggling to deliver a user-centric workspace without introducing new security risks or putting extra pressure on their IT departments.
Take bring-your-own-device (BYOD), for example. While more than nine in 10 respondents (92%) felt BYOD had improved employee productivity, a similar number agreed security risks were higher (87%), IT support needs were greater (89%) and IT management challenges had increased (88%).
“Organisations must seek out solutions that enable BYOD in a secure manner while minimising the support burden,” the report states. “Replacing the traditional IT desktop with a managed workspace agility service, for instance, gives users access to the applications and data they need from any device and location, with access centrally configured, managed, and permissioned.”
Employees don’t want to talk to IT any more
Another key aspect of a user-centric workspace is the ability to self-serve. Self-service has become popular in our personal lives, whether we’re checking out at the supermarket or checking in at the airport, and offers the potential for cost reductions for the organisation delivering the service as well as a better experience for the end user.
It is no surprise, then, to see many CIOs have started to implement self-service tools as a way to automate IT support in their workplace. In fact, 94% are either using self-service now or intend to do so in the next 12 months.
However, even with self-service in place, the research found not all CIOs are measuring the IT user experience as well as they could be. More than four in five (83%) said they mostly learn about the IT user experience from employee calls to the helpdesk, and more than a quarter (28%) said they only measure the IT user experience once or twice a year.
Need for speed
Overall, our research found there is “not just one hurdle for CIOs to surmount… [but] a multitude of barriers” to overcome on the journey to a more agile workspace.
In addition to issues such as cost, security and the technical challenges around legacy technology and applications, these barriers include factors like company culture (cited by 39% of respondents) and business and IT misalignment (36%).
However, when it came to the impact on their bottom line, most CIOs were in agreement: some 84% said their slowness in rolling out new services and applications to support an agile workspace “is impacting their organisation’s ability to stay ahead or overtake the competition”.
Need for flexibility
Finally, it is not just the limitations of legacy applications themselves that have slowed the journey to a more agile workspace — it is the underlying budgeting model, too.
Because legacy technology is still often delivered on-premises, CIOs are forced to deal in fixed multi-year budget cycles where IT investments in infrastructure, platforms and applications are accounted for as capital expenditure (CapEex).
Some 88% of CIOs agreed this model makes it difficult to create an agile workspace because it limits flexibility. With an on-premises data centre, for example, organisations have no way to scale resources up and down on demand — they need to anticipate their requirements over a fixed period as a single capex investment.
On the other hand, the use of cloud-based infrastructure, platforms and applications allow organisations to account for IT as operational expenditure (OpEx). This delivers far greater flexibility than traditional budgeting models, making it a vital part of an agile workspace that can adapt to new market conditions much faster than the workspace of the past.
“The digital workspace of the future will be happier, more agile, and greener,” the report states. “CIOs that fail to enable a smarter way to work will fail to realise the productivity and efficiency gains that digital transformation promises.”
Harvey is sales director for managed services with Capita IT Services
How to meet the resource challenge for vital IT projects
The biggest constraint for completing IT projects in today’s market is not budgets or technology but people. Ideally, many organisations would like to run change projects in parallel with their ‘business as usual’ IT services, but they often struggle to do so with in-house resources.
In the local market, we are seeing two factors causing this situation. One is a higher churn of IT personnel who are leaving organisations after spells that typically last no more than two years – taking valuable skills and knowledge with them. The second development is that there are fewer generalist IT professionals because the technology landscape is changing so rapidly, forcing many of them to specialise.
At a global level, Logicalis’ 2018-2019 CIO survey confirms this trend; 31% of respondents said the lack of internal resources was causing them to export IT to third parties. Other surveys have shown similar results.
The problem is that few organisations have easy access to experienced internal resources that they can use to augment a team for a specific project. The project may call for a particular skillset that the company does not have on its books. What is more, these engagements can be short-term in nature which makes recruiting for them a challenge.
That is why working with an external partner to deliver IT projects makes sense on many levels. A specialist technology provider typically has access to multidisciplinary IT professionals who are skilled in a variety of technologies because of the work they carry out. At Logicalis, for example, our team has experience in working with products from leading vendors such as IBM, HP, Cisco, Citrix, NetApp, ServiceNow, Microsoft, Oracle, VMware, Amazon, Checkpoint and McAfee.
In a case where a customer wants to review and overhaul its infrastructure and network, we can scale the team in a flexible way by adding specialists at relatively short notice if the need arises. This is something a single organisation would typically struggle to do. And because Logicalis as a company is active across multiple geographies, we can call on additional resources within the group to augment our team based in Ireland. We also work with local contracting partners to source the right skills needed for any given scenario, to be managed by us or by the client.
We offer two streams of services: for customers needing short-term strategic consulting engagements, we can assess current infrastructure, networks and storage and propose ways to optimise or streamline it. We also provide cloud, ISO, security compliance and cyber assessments along with infrastructure healthchecks, gap analysis, upgrades and patching. These high-level engagements typically involve around one to two weeks of work.
In addition, we work on longer-term contracts of three or six months’ duration. These are typically large projects such as infrastructure migration, integration or consolidation that might involve making the transition from one environment to another, moving to cloud, multiple data centres to a single site, or implementing large-scale disaster recovery infrastructure. Other areas we focus on include hybrid cloud, hyper-converged infrastructure, software-defined networking, security, and virtualisation.
Finally, there is another advantage to working with an external partner for these projects rather than dealing directly with contractors. Our staff retention rate is high, which effectively makes our (human) resources renewable; that is, the person who carried out a VMware upgrade or a network infrastructure assessment will still be in place long after a project is completed. If any issue arises further down the road, we can quickly act to solve it and minimise any disruption for the customer.
Together, these factors make a strong argument for working with an experienced external provider that can give organisations the resources they need to implement IT projects in a timely and cost-effective way.
David O’Hagan is consulting services business manager with Logicalis