Inside Track: Unified view
9 February 2018 | 0
Managed services, active monitoring, point solutions and dedicated appliances: the myriad of security options has never been greater.
How can these options be orchestrated to provide the kind of layered security that organisations need to face the coming threats? It is a difficult issue, according to Aidan McHugh, head of IBM Security Ireland.
“Over the last 18 months to two years, we’ve increasingly been advising that companies need to move away from the approach of building ‘moats and castles’ and putting in place point solutions to protect various parts of the business where those parts of the business don’t talk to each other,” he said.
“They need to integrate all of their various solutions into one security intelligence platform and take advantage of the data that this puts out, and concentrate their efforts on an integrated approach to security as opposed to trying to protect individual parts.”
Many companies have gotten themselves stuck in a strategy of siloing their security systems around separate components — the so-called ‘moats and castles’ approach — in an effort to protect the perimeter of their IT estate. But according to McHugh, dismantling this is one of IBM’s first actions when they encounter this in action.
“As technology evolves and time goes by, we’re seeing more and more companies improve and mature in their approach. There are new technologies available — specifically I’m talking about artificial intelligence — that can play a big role here,” he said.
“For example, we use artificial intelligence to huge effect in IBM, in the form of using Watson for cyber-security. The world produces something like two and a half quintillion bytes of data every day and about 80% of that is unstructured. That poses a huge risk to security when your systems are working off at best 20% of the available data that’s out there.”
To combat this, IBM has trained the Watson AI platform to be a cyber-security expert. To this end, it is ingesting over 10,000 research papers, approximately 750,000 security blogs and between 180,000 and 200,000 security-related news articles per year.
“We’re teaching Watson all the time about the research that’s out there and based on managed services that we provide for customers, threats that we’re seeing on a real-time daily basis. It’s becoming more intelligent on a daily basis and we are using that in our security operations centre (SOC), and our business partners are using it, to avail of far more accurate reporting and far speedier analysis of potential threats,” said McHugh.
“Security analysts would probably look at about 200,000 potential incidents a day and it’s quite hard to decipher what’s real and what’s not. With Watson, all our customers have to do is press a button which sends the potential threat to Watson and Watson will come back and say something like ‘Yes, we’ve seen that in South America in your particular sector; here’s the remediation actions you need to execute now to prevent yourself from being hit etc’.”
This is helping to address the skills shortage that many IT companies report when it comes to recruiting staff. IBM reports that according to its research, the tech sector going to be short around 1.5 million security people by 2020.
“Using AI like Watson is helping us to address that skills issue and it’s helping to get through all of those potential threats in a far more accurate way and a far faster manner,” McHugh said.
According to Chris Yule, senior security researcher for the Counter Threat Unit at SecureWorks, the various layers of security that many companies maintain in an effort to protect themselves makes deploying good security more and not less challenging. This is particularly true when it comes to cloud-deployed systems.
“One of the problems we have with cloud is that many organisations think that security is the cloud vendor’s problem, but Gartner put out something last year which agrees with what we’ve been saying for years, which is that the vast majority of cloud security breaches are the customer’s fault and not the vendor’s fault,” he said.
“Generally, the fault is caused by the customer not configuring things properly. We’ve also come across instances with customers using cloud services where it became apparent they didn’t have logs available to them.”
When SecureWorks goes in to perform forensic incident response, the first thing it does is request the logs of what happened.
“We’ve had cases where a customer was using a cloud-based firewall. When they asked their vendor for the logs so they could track who’d come into the organisation or who was communicating with an IP, the vendor refused to give them over and said that wasn’t in their contract, and then charged them tens of thousands of euros to get access to them,” said Yule.
“The way we look at it, security is a kind of a stack. You start at the bottom with the physical security of your devices and of your data centres, and you move all the way up to the applications that are sitting on the server and the data that’s hosted on that application.”
Depending on what cloud model a company is using, different parts of the stack become the responsibility of their cloud provider and parts of it remain with the company.
“What I think organisations struggle with is understanding that stack, and knowing which parts are outsourced to the cloud provider and which part remains their responsibility,” said Yule.
According to SecureWorks, it is a real challenge to operate one security policy and system across a disparate IT estate.
“To make it homogeneous and the same across all systems is probably impossible. But there are always things that can be done and it’s always a case of looking at the systems in place, identifying the business risks of doing something or not doing something, and making a call that way,” said Yule.
A further issue is that if a company has pursued a ‘best-of-breed’ approach to IT, where they have bought the best products in each class, and can then be left in a situation of having excellent equipment and applications from premium suppliers, but not necessarily being able to make them all work together.
“When you have best of breed products, there are big challenges not only around getting them all to talk to each other to give you a coordinated response, but also in the fact that often there are overlapping capabilities built into these products,” said Bharat Mistry, principal security strategist for Trend Micro.
“You may actually find that you’re paying unnecessarily for systems that overlap each other in capability. I’ve been to see companies in the past that have bought, for example, a suite of tools from McAfee for the end point and then bought a specific tool from another vendor to do something else. But when you look at the two suites, there is a 40 to 60% overlap in terms of what they do.”
According to Mistry, the reason companies do things like this is that the secondary vendor they have purchased from was best of breed at the time of the purchase.
“Likewise, we’ve seen people use things like Tripwire, which does integrity monitoring and is good for compliance environments. But if you look at most of the manufacturers out there, they have integrity monitoring built in to their products that will cover 60 to 70% of the use cases most people want. Why go out and buy a separate tool?”
With best-in-breed, there is a perception that buying this way will protect you, but very few people think about the ongoing operational aspects of it. That comes in several forms; the first is the integration side of things, the second is the upkeep of those products.
“If I have one suite of products from one vendor then I only have one maintenance contract. But if I have four or five different maintenance contracts and four or four management platforms, then before I know it, the actual staff you need to maintain these tools becomes cumbersome as well,” said Mistry.
“If you’re running a security operations centre, you want your staff to be doing operational work – incident response and monitoring – that kind of stuff. But I’ve been to one or two organisations where they’ve had to have a dedicated team of people just to maintain the tools, making sure their tools are patched and kept up to date.”
This takes a lot of effort and can represent a hidden cost, and increased complexity. The more that needs to be done, the greater the risk of something being missed.
“This is absolutely true. If you’ve got a best in breed environment, and you haven’t thought about integration then it’s going to be a complex environment. That complexity costs money and control is reduced while risk is increased,” said Mistry.
|Eyes on the prize|
|“You need to begin by identifying the data and systems most critical to your organisation. Then you identify how the confidentiality, integrity or availability might be compromised by malicious actors. And then focus relentlessly on securing against those threats”||Threatscape Dermot Williams, CEO|
|Media coverage of cybersecurity can inevitably focus on the spectacular hacks, high profile targets, and the sophisticated compromises. Most recently the focus has been on processor micro-architecture and how performance enhancing techniques, such as branch prediction and speculative execution, have opened the door to the potential exploits we have come to know as Meltdown and Spectre. But while these attacks have for the most part remained theoretical, all the while more mundane and familiar attacks have continued.So, the summary advice from Threatscape for 2018 remains the same: EYES ON THE PRIZE!
The phrase used by countless coaches to encourage their athletes on to success, and by the US civil rights movement, makes a pretty good maxim when planning your security strategy. While PowerPoint slides may use more corporate-speak terms like “data-centric” and “risk focused” the bottom line is the same: you need to begin by identifying the data and systems most critical to your organisation.
Then you identify how the confidentiality, integrity or availability might be compromised by malicious actors. And then focus relentlessly on securing against those threats.
It is important not to get too caught up on purely technical aspects of the task. All too often the root cause of breaches is not that the security in place was sub-par but that its configuration, or the processes, or the people let the side down.
In the era of ransomware, ANY opportunity for external executable code to enter your organisation and be permitted to execute must be considered an unacceptable risk. Yes, your endpoint security should be blocking malicious or unknown code but relying on that alone is poor practice. You MUST be decrypting encrypted SSL web traffic and inspecting it for threats before it is allowed to pass your firewall and reach users inside your network; you MUST have an aggressive policy towards incoming email attachments and you MUST be tightly controlling access to removable media, particularly USB drives.
“CEO email fraud” and “invoice redirection,” whereby a few well-crafted emails can fool a financial department into making payments to a fraudster, have affected many organisations. Yet the core failure here is not one of technology but of process. Emails can easily be crafted to look like they come from a trusted sender — and busy or inexperienced staff may not spot the fakes every time. Any business which accepts an email alone as sufficient validation for funds to be released is playing with borrowed time. Financial staff should be told that not only SHOULD they seek independent verification of any emailed requests affecting payments, they MUST do so. This should be put in writing to them — to empower them to say no to requests they cannot verify. Just as banks have been telling us for years “we will never ask you for your PIN code over the phone”, senior executives should be telling their finance departments “you will never be asked to make a payment based on an email alone — and if you are you must ignore it”.
As an additional simple step, which is all too often ignored, corporate email systems should be configured to block incoming emails which claim to be from their own domain — and any such messages should be forwarded instead to the security team for attention. Some systems allow a warning stating “this email originated from outside” to be added to the top of incoming emails, another useful way to help people stay alert.
Speaking of people, all too often there has been a feeling by users that information security is something which is “done TO them”. But at a minimum, information security teams should be communicating their objectives and explaining the risks they are protecting against to ensure users view security as something which is done FOR them. Best of all, and the sign of a really effective information security team, is when users have been trained to recognise their part in protecting against cyber threats — so that they view security as something which is also done BY them.
Finally, a reminder that information security is not a “set and forget” process but one requiring constant vigilance — systems should be audited, defences tested, and in todays connected world an attack may come at any time so there is a need for 24×7 security monitoring and incident response. Thankfully this has become affordable for organisations of all sizes thanks to the cost efficiencies and economy of scale offered by managed security service providers. You can rely upon our experts to protect you when you need more EYES ON THE PRIZE.
|Key information assets|
|“To some degree, the greatest challenge to organisations is the budget to address security challenges”||
Asystec Brendan McPhillips
|There are many challenges facing organisations today from a security perspective, varied attack vectors, automated attacks, vendor security updates, personnel challenges and more sophistication in the types of attacks that are happening. But to some degree, the greatest challenge to organisations is the budget to address these challenges. Not all organisations can have dedicated SOC teams with multiple tools to address all attack vectors. Historically the thought process was to secure the perimeter and have few secured ingress/egress points but as organisations become more flexible to address customer needs, interact electronically with customers and suppliers, use cloud services, these organisations have become more porous.Key to all organisations is the data it holds, what is becoming more relevant is to not treat the securing of all data sets equally, to understand which are the most key information assets within an organisation and tier the controls around those. External Regulation such as GDPR, is helping in this regard as organisations now need to know where, for example, PII information is ingested, manipulated and stored within. So, getting an understanding of what is sensitive information, what access is provided and where it resides is key.
Controls such as micro-segmentation of internal networks, automated security-triggered topology changes to the network to isolate issues or key assets (depending on the attack) and user-behavioural analytics to address abnormal behaviour patterns all align with a data-centric approach to security.
We are seeing a layered approach to security, where some opt for cloud providers as a first layer of controls, and internal personnel to provide level2+ support, but key to all of this is to look at the content and where possible automated controls around it.
|Gaps and risk|
|“Centralising and unifying the management of security solutions is also a great advantage in mitigating the gaps and risks. Certain vendors will have a central management console from which you can apply global policy and licencing”||
CMS Distribution Ciaran Hayes, technical pre-sales consultant
|You cannot solve a problem until you fully understand it.The same can be said for an organisation’s security gaps and associated risks.
Compliance is the first step in setting a security standard within an organisation. With a recognised standard, the necessary solutions will fall into place.
Compliance can often be misconstrued as the ability to simply report on a framework or area of business. However, in the case of security, compliance should unify both reporting and assessment (and in many cases, mitigation) across the chain of systems, policies and vulnerabilities within an organisation.
These solutions will often tie in, either natively or via APIs, to the security solutions installed across on-premise and cloud environments. The effect being, both the hybrid and security solutions are being assessed for gaps, risks and vulnerabilities.
Compliance and centralised management are becoming the ultimate goal for security vendors. The advent of GDPR is driving a new realisation of and necessity for compliance. This in turn is addressing the growing and complex risks associated with hybrid solutions and the security being used to mitigate these issues.
|“It is important to secure yourself with the right platform to not only drive your business forward, but to protect you and your customers from any looming threats”||Ergo Nikos Vasileiadis, IT security officer|
|Cloud-based enterprise infrastructures and applications are now mainstream, as more companies are adopting them. While shifting operations to the cloud can bring quick benefits — flexibility, stability and cost effectiveness among others — it also creates a unique set of challenges. This is especially true in hybrid environments, where on-premise and cloud applications are used together, and may include both private and public clouds with complex integrations.An aspect that is often overlooked when designing a new infrastructure is the security and privacy of data. Companies have responsibilities to their customers (internal and external) to keep data safe and secure, therefore proper security measures should be designed and implemented.
From a security and compliance perspective, a company should address the below:
Auditing: Even the most thought out security measures are susceptible to attacks. A regular audit is the best approach to minimise the risk as it will identify any potential vulnerabilities. The company should implement regular auditing, on every part of its infrastructure and applications wherever they’re hosted (private cloud, public cloud, third-parties).
In today’s business world, where more and more companies are taking to cloud-based infrastructures, it is important to secure yourself with the right platform to not only drive your business forward, but to protect you and your customers from any looming threats. The question is not can you afford to do this, but can you afford not to do it?
|“Data now moves from location to location and needs to be available to enable the organisation to continue their processes in a secure and controlled manner”||Renaissance Michael Conway, director|
|We have discussed, on premise, central, distributed, cloud and now hybrid infrastructures. The security challenges remain similar, with nuances in how data is accessed, stored and transmitted. It is essential however that the tools used to manage the ongoing challenges of confidentiality, integrity and availability develop to support the infrastructures involved and the challenges of operating these.The key area for focus is the “DATA” or the Crown Jewels. The areas in which Renaissance see focus changing are maintaining the integrity, confidentiality and availability of that data at all times. Data now moves from location to location and needs to be available to enable the organisation to continue their processes in a secure and controlled manner.
The areas where we see change are in ensuring the effective management of this data. solutions covering access, including multi-factor authentication are now common place and indeed are essential, working remotely is no longer discretionary but essential so a secure means of accessing corporate networks and VPN’s is critical. The management of privileges is key in managing who can access what from an internal perspective because with the business model in 2018 remote working, contract working and suppliers and customers existing on the corporate network is standard. The segregation of who can see and do what is critical.
The storage and transmission of data means that Encryption of data at rest and on the move is no longer optional but mandatory. Cloud and hybrid systems offer great scope for high availability and technologies are now readily available, affordable and workable to achieve these aims. In summary the management of access, ensuring that the correct people access the data and ensuring that the data is always secured from prying eyes are the key fundamentals – unfortunately often ignored! Renaissance can assist is delivering the appropriate technologies for virtually every size of Irish organisation.
|Auditing for understanding|
|“A security audit evaluates the security of a company’s information system by measuring how well it conforms to a set of established criteria. This should be done regularly as viruses, malware and cyber-criminal’s tactics change daily”||
Trilogy Technologies John Casey
|Businesses should first build a risk register. This will enable them to keep track of IT related risks and share them with the management team and other stakeholders. Secondly, businesses should create an IT security policy and a disaster recovery process and again, share these with key personnel.To ensure that all employees and end users remain vigilant, provide recurring security awareness training. Use real-life examples that employees can relate to. A click on a link from somebody you know is all that it takes to spread malware. Remind employees how to create and keep passwords safe and the importance of using pass-codes on portable devices. Tell them what to do if they receive a suspicious email or if they think they have a virus or malware on a device.
Another way to dip your toe in the water both to see what needs to be done to fill your security gaps and find out what it is like working with a third party, is to start with an infrastructure security audit. A security audit evaluates the security of a company’s information system by measuring how well it conforms to a set of established criteria. This should be done regularly as viruses, malware and cyber-criminal’s tactics change daily.
Of course, you should provide strict control for admin, users and third-party access to your systems and remember to remove them immediately should they leave.
If you do not know where to start, it might be wise not to re-invent the wheel and instead ask your security service provider. You should also start using common security and process management frameworks such as CIS controls, NIST Cybersecurity Framework, ITIL and ISO 27001.
|“Risk Management is fed from visibility and awareness of what needs to be protected. Applying the correct logical and technical controls to prevent misuse, unauthorised access or availability issues is of paramount importance”||
EdgeScan Eoin Keary
|Management of security measures consists of a number of key activities, two of which are visibility and risk management.
Visibility is of paramount importance. It helps us understand what we have to secure. In our experience as organisation grow towards enterprise level visibility reduces. The ability to understand what systems and services (assets) are enabled and exposed to both internal users and the public Internet is key given we cannot secure assets we are not aware of.Having visibility of an organisations estate is important given many of such assets contain sensitive organisational data and require an adequate level of security management applied to them.A common challenge when organisations grow is the ability to have an asset register and categorisation of assets used by the organisation. Understanding of the purpose and criticality of an organisations assets drives the level of security which must be applied to a given asset; a risk-based approach. Without visibility of one’s estate this can be an impossible task.
Risk Management is fed from visibility and awareness of what needs to be protected. Applying the correct logical and technical controls to prevent misuse, unauthorised access or availability issues is of paramount importance. Not all vulnerabilities are created equal and one cannot expect to fix all vulnerabilities in an estate all the time. Risk management requires prioritisation of discovered risks and appointing a solution to the highest risk issues first and so on.
To “win” the cyber security game we need to address the most significant risks faced first on the most business critical systems to help ensure a robust secure posture.
Edgescan SaaS covers both of the above requirements solving the above for both small businesses to global corporate enterprises. We deliver our SaaS to some of the largest global organisations many of whom face the challenge of visibility and prioritisation. Our approach to provide continuous visibility on a service and system level coupled with validated risks provides our clients with clean actionable intelligence. Items such as system maintenance can be easily discovered and managed coupled with technical support, in which we provide developer and DevOps guidance to our clients to quickly mitigate discovered issues.
Closing gaps requires gap identification. This can be difficult at times given the constant flux and change across the technical stack – from web applications and API’s to operating systems and cloud instances. Our approach is to provide continuous “fullstack vulnerability management”; as systems and services require patches or a vulnerability is discovered due to a new software release edgescan can detect such an issue within hours of deployment and alert the business owners. Retesting on demand is also a key part of closing gaps so one can ensure the issue has been mitigated properly.