Computing<br />
Security<br />
Secure systems, secure data, secure people, secure business<br />
SHARP RESISTANCE<br />
New moves to keep<br />
out the intruders<br />
NEWS<br />
OPINION<br />
INDUSTRY<br />
COMMENT<br />
CASE STUDIES<br />
PRODUCT REVIEWS<br />
LIVING IN LA LA LAND<br />
How Lottery operator Camelot<br />
woke up to a nightmare<br />
IN CONTROL?<br />
Security Operations Centres<br />
come under close scrutiny<br />
GIVE US YOUR MONEY!<br />
How ransomware became<br />
big business - and may get<br />
even bigger in 2017<br />
Computing Security Jan/Feb 2017
comment<br />
POSTGRAD DEGREES TO FIGHT CYBERCRIME<br />
It is a mark of the times we live in that a new line-up of cybersecurity degrees has been<br />
launched to help fight hackers and online criminals, as demand for skilled specialists<br />
grows. With billions of pounds being lost to the economy through cybercrime, Arden<br />
University, Coventry, has been working with industry specialists to develop four new IT<br />
postgraduate degrees to give graduates skills to fill vacancies in high-demand sectors such as<br />
strategic IT management, telecoms and cybersecurity.<br />
The launch of the courses comes as the UK government has recognised and responded to<br />
the need to improve national cybersecurity, with chancellor Philip Hammond pledging to<br />
spend £1.9bn to upgrade resilience (see also News, page 7).<br />
"If we do not have the ability to respond in cyberspace to an attack which takes down our<br />
power network - leaving us in darkness or hits our air traffic control system, grounding our<br />
planes - we would be left with the impossible choice of turning the other cheek, ignoring<br />
the devastating consequences or resorting to a military response," Mr Hammond said worryingly,<br />
as he unveiled the government's National Cyber Security Strategy in London recently.<br />
"That is a choice we do not want to face and a choice we do not want to leave as a<br />
legacy to our successors."<br />
Meanwhile, cybersecurity vacancies have grown by 73% in the last year alone, indicating<br />
what a challenge the UK is up against in dealing with the threats that it faces - ones that<br />
are now expanding at an alarming rate.<br />
Dr Ben Silverstone, who leads the Postgraduate Computing programmes at Arden<br />
University, said: "Cybersecurity is more important than ever and there is growing, lucrative<br />
demand for graduates with specialist skills. We designed these new postgraduate degrees<br />
with employability in mind - with the demand for highly qualified IT professionals growing<br />
at such a rapid pace, we want to equip our graduates with the skills to fill vacancies in key<br />
sectors of the IT field, such as cybersecurity."<br />
The MSc Security Management degree teaches the management and deployment of IT<br />
security, including infrastructure, policy making, governance and compliance. IT systems<br />
and business strategy alignment are covered in the MSc Strategic Information<br />
Management course, while the MSc Enterprise Architecture Management degree focuses<br />
on the design and deployment of IT infrastructure and systems to support business objectives.<br />
The MSc Telecommunications Management looks at skills needed to develop business<br />
improvement opportunities, and manage the design and implementation of network solutions.<br />
It's a small step in the right direction, but so much more needs to be done.<br />
Brian Wall<br />
Editor<br />
Computing Security<br />
brian.wall@btc.co.uk<br />
EDITOR: Brian Wall<br />
(brian.wall@btc.co.uk)<br />
NEWS EDITOR: Mark Lyward<br />
(mark.lyward@btc.co.uk)<br />
PRODUCTION: Abby Penn<br />
(abby.penn@btc.co.uk)<br />
LAYOUT/DESIGN: Ian Collis<br />
(ian.collis@btc.co.uk)<br />
SALES:<br />
Edward O’Connor<br />
(edward.oconnor@btc.co.uk)<br />
+ 44 (0)1689 616 000<br />
PUBLISHER: John Jageurs<br />
(john.jageurs@btc.co.uk)<br />
Published by Barrow & Thompkins<br />
Connexions Ltd (BTC)<br />
35 Station Square,<br />
Petts Wood, Kent, BR5 1LZ<br />
Tel: +44 (0)1689 616 000<br />
Fax: +44 (0)1689 82 66 22<br />
SUBSCRIPTIONS:<br />
UK: £35/year, £60/two years,<br />
£80/three years;<br />
Europe: £48/year, £85/two years,<br />
£127/three years<br />
R.O.W:£62/year, £115/two years,<br />
£168/three years<br />
Single copies can be bought for<br />
£8.50 (includes postage & packaging).<br />
Published 6 times a year.<br />
© 2017 Barrow & Thompkins<br />
Connexions Ltd. All rights reserved.<br />
No part of the magazine may be<br />
reproduced without prior consent,<br />
in writing, from the publisher.<br />
www.computingsecurity.co.uk Jan/Feb 2017 computing security<br />
@CSMagAndAwards<br />
3
CONTENTS<br />
COMMENT 3<br />
POSTGRAD DEGREES LAUNCHED<br />
TO FIGHT CYBERCRIME<br />
NEWS 5<br />
• Outlook bleak as passwords cracked<br />
• Hackers and the fear of flying<br />
• 10-step cyber assessment tool released<br />
INTRUSION DETECTION 8<br />
Perimeter defence and intrusion detection<br />
have been a mainstay of the network<br />
security stack for well over a decade. But<br />
how are they evolving to meet escalating,<br />
more sophisticated attacks?<br />
ARTICLES<br />
RANSOMWARE 16<br />
More than 80% of resellers think<br />
customers are most concerned with<br />
fresh ransomware threats<br />
TIME TO THINK TWICE! 22<br />
Over and again, human weakness - and<br />
curiosity - are complicit in aiding attackers<br />
to get inside an organisation's defences.<br />
How can this be prevented?<br />
TIME TO STOP LIVING IN<br />
FANTASY LAND 24<br />
National Lottery operator Camelot did not<br />
have the greatest of years in 2016. No<br />
doubt it took in lots of money, but it also<br />
took plenty of flak. Not that surprising,<br />
when tens of thousands of customers had<br />
their online accounts breached.<br />
CLOUD EXPO EUROPE 26<br />
Walk into the ExCel London exhibition<br />
centre on the 15-16 March and you will<br />
be entering a world that promises the<br />
infinitely possible, technology-wise<br />
REVIEW<br />
• CYjAX Intelligence Platform 17<br />
PREDICTIONS 2017 11<br />
Security breaches ripped through the<br />
castle walls of one organisation after<br />
another last year. Can we expect 2017<br />
to be any different? The early forecasts<br />
are not that encouraging<br />
WHEN WILL WE EVER LEARN? 18<br />
Having suffered two of the largest hacks<br />
in history, Yahoo ended 2016 on a low<br />
note, with its approach to cyber security<br />
brought seriously into question. What<br />
went so wrong?<br />
CENTRE OF ATTENTION 28<br />
Security operations centres - SOCs -<br />
are all the rage, it seems. But their<br />
reputation has been called into<br />
question, with reports that many are<br />
falling short of target maturity levels<br />
news<br />
10-STEP CYBER SELF-ASSESSMENT TOOL LAUNCHED<br />
Businesses in Scotland are facing an<br />
unprecedented level of threat to their<br />
operations, according to a senior police<br />
chief and security expert. The stark<br />
warning, from the deputy director of the<br />
Scottish Business Resilience Centre (SBRC),<br />
chief inspector Ronald Megaughin, comes<br />
following the launch of a free-to-use self-assessment<br />
tool designed to tackle the<br />
broad concerns facing businesses.<br />
Developed in partnership with the<br />
Scottish Government, Police Scotland and<br />
the Scottish Fire and Rescue Service,<br />
'10 Steps to Business Resilience' is<br />
intended for businesses to proactively<br />
ensure their resilience. The assessment<br />
covers the following topics: Keeping<br />
the show on the road; Information<br />
Management; Cyber Security; Protecting<br />
Valuables; Looking after staff and<br />
customers; Selecting and Keeping Staff;<br />
Supplier Management/Procurement; Fraud<br />
Prevention; Understanding and Managing<br />
Risk; Protecting the Brand.<br />
More information: www.10steps.co.uk<br />
CENTRE OF EXCELLENCE FOR DUBLIN<br />
DocuSign has opened a Cybersecurity<br />
Centre of Excellence in Dublin as part of<br />
its ongoing commitment to Europe and<br />
protecting its customers' data and<br />
privacy. The centre will be committed<br />
to conducting research into the latest<br />
cyberattacks and trends, while<br />
developing tools for the advanced<br />
detection of such threats.<br />
"Our customers are committed to<br />
undertaking digital transformations<br />
which are underpinned by a high level<br />
of security and trust," commented Eoin<br />
Hinchy, director of Information Security<br />
at DocuSign. "This trust can only be built<br />
on a weight of cybersecurity intelligence<br />
and a culture of constant innovation that<br />
ensures their data is safeguarded.<br />
"With the proliferation of cyberattacks<br />
continuing to grow every day, it is<br />
essential to stay ahead of these<br />
challenges and mitigate any risk.<br />
This is exactly what the research and<br />
development and the customised security<br />
tools from the Centre of Excellence will<br />
help us do."<br />
HACKERS CAN 'READ' BANK CARD DETAILS 'IN SECONDS'<br />
In response to experts from Newcastle<br />
University revealing that criminals can work<br />
out the card number, expiry date and<br />
security code for a Visa debit or credit card<br />
in as little as six seconds using guesswork,<br />
Howard Berg, SVP UK & Ireland at Gemalto,<br />
had this to say: "It is crucial that<br />
organisations better understand how to<br />
protect themselves and their customers,<br />
as it is no longer a question of if, but when,<br />
a hack will occur. Security measures such as<br />
dynamic card verification, which prevents<br />
CCV card information from being stored in<br />
a static format, is helping to limit card fraud<br />
online. By changing the code as quickly as<br />
the bank wants, even if a hacker gets access<br />
to the number, there's only a limited time<br />
period for which it'll be valid."<br />
AI USED TO BLOCK 'CATEGORY 3'-STYLE ATTACKS<br />
AdaptiveMobile says it has demonstrated<br />
protection against a range of sophisticated,<br />
stateful attacks on SS7 networks with one<br />
of the largest networks in APAC.<br />
Using the latest in artificial intelligence (AI)<br />
and machine learning, AdaptiveMobile<br />
states, it has blocked complex threats with<br />
asymmetric traffic flows, further solidifying<br />
the company's commitment to use<br />
advanced techniques in threat detection<br />
and enabling them to meet the needs of<br />
the most demanding Tier-1 networks.<br />
"Using the latest in AI techniques and<br />
cutting-edge, self-learning algorithms,<br />
the company's Signalling Protection has<br />
demonstrated protection against<br />
sophisticated attacks such as network<br />
anomaly and trajectory plausibility,<br />
amongst others," it stated.<br />
These types of attacks are commonly<br />
referred to in the industry as 'Category 3'-<br />
style attacks. "Artificial intelligence moves<br />
beyond simple rules-based approaches,<br />
reduces false positives, improving ease of<br />
management and user experience for the<br />
operators," added AdaptiveMobile.<br />
news<br />
HACKERS AND THE FEAR OF FLYING<br />
Following claims that a flaw could allow<br />
hackers to take control of a plane, using the<br />
in-flight entertainment system, Myles Bray, vice<br />
president, EMEA, at ForeScout Technologies,<br />
had this to say: "The concept of hackers being<br />
able to take control of a plane through the in-flight<br />
entertainment system is not new. Last<br />
year a prominent hacker claimed he made a<br />
plane 'climb' and move 'sideways' after<br />
infiltrating its in-flight entertainment system.<br />
While the current claims to take control of<br />
lighting systems and make in-flight<br />
announcements sound unsettling, rather<br />
than fatal, they set a worrying precedent. As<br />
the number of connected systems grows, the<br />
risk of hackers gaining full access to the<br />
network through them rises exponentially.<br />
Without adequate security systems in place to<br />
automate the process of identifying and<br />
quarantining an infected system, users and<br />
businesses will continue to be at risk."<br />
MALWARE HAVOC UNLEASHES AN AVALANCHE<br />
Internet security vendor Bitdefender has<br />
joined forces with Europol and other<br />
partners to aid with 'Operation Avalanche'.<br />
This is a cross-jurisdiction, cross-industry<br />
clean-up effort aimed at targeting malware<br />
families that have wrought havoc in recent<br />
years, and have inflicted significant damage<br />
to both business and consumer computer<br />
users all over the world.<br />
The targeted malware families include<br />
over 20 old (yet functioning) botnets, as<br />
well as newer and better known threats.<br />
Catalin Cosoi, chief security strategist at<br />
Bitdefender, commented: "Removal is a<br />
critical step that victims need to take, in<br />
order to ensure the extinction of these<br />
malware families. Even if our products<br />
have successfully detected these threats<br />
since their emergence, the removal tool<br />
we built as part of the cooperation with<br />
Europol allows victims running other<br />
security solutions - or no solution at all -<br />
to successfully disinfect their machines<br />
and clean up after the botnet."<br />
THE SEARCH IS ON FOR I.T. TALENT<br />
A new study from Trustwave and Osterman<br />
Research, based on a survey of 147 IT security<br />
decision makers and influencers, has found<br />
that a fast-moving confluence of skills<br />
shortages, worsening threats and<br />
disproportionate spending habits is leaving<br />
organisations increasingly vulnerable to data<br />
breaches, malware, phishing and a variety<br />
of other information security problems that<br />
can have serious or even devastating<br />
consequences.<br />
Some 57% of respondents said that finding<br />
and recruiting IT talent are their biggest<br />
challenges, with only 8% believing three-quarters<br />
or more of their staff have the<br />
specialised skills and training needed to<br />
handle complex issues. The study also found<br />
that three times as many respondents would<br />
rather grow their staff's skills and expertise<br />
than grow the number of people on their<br />
team. Further, skills are lacking in key areas,<br />
with about 40% of respondents saying their<br />
most inadequate skill sets are in emerging<br />
and evolving security threats.<br />
DEPLETED CYBER SKILLS POOL MUST BE REPLENISHED<br />
The UK government's recently announced<br />
National Cyber Security Strategy 2016 to<br />
2021 is to be welcomed by the cyber<br />
security industry - with reservations.<br />
"The online threat landscape is in a<br />
constant state of flux and the additional<br />
£1.9 billion investment will be vital in<br />
reducing the UK's cyber risk exposure," said<br />
James Hatch, director of Cyber Services at<br />
BAE Systems Applied Intelligence. "However,<br />
whilst the government's strategy is to be<br />
applauded, there are key issues that will<br />
determine its ultimate success."<br />
The strategy identifies that progress from<br />
the 2011-2016 strategy has been slower<br />
than expected, necessitating additional<br />
Government intervention, he pointed out.<br />
"Talent is a significant concern, with 'few<br />
graduates and others with the right skills<br />
emerging from the education and training<br />
system'. Producing the next generation of<br />
cybersecurity professionals will be crucial to<br />
the success of the strategy, and both<br />
industry and government should focus<br />
resources on education and promotion of IT<br />
security as a viable and value career choice<br />
for students prior to higher education level.<br />
"To do this, we need a collaborative<br />
approach between government and the IT<br />
security industry to identify the knowledge<br />
and skills gaps in the market, and devise<br />
education programmes tackling these<br />
shortages - replenishing a depleted talent<br />
pool in the long-term," he added.<br />
AKAMAI ACQUIRES CYBERFEND<br />
Akamai Technologies has acquired Cyberfend,<br />
an innovator in bot and automation<br />
detection solutions for web and mobile<br />
environments, in an all-cash transaction. The<br />
acquisition is intended to further strengthen<br />
Akamai's existing bot management and<br />
mitigation services. Credential theft and abuse<br />
is a significant problem for online businesses<br />
and their customers.<br />
Recent industry estimates place the number<br />
of compromised user credentials (eg,<br />
usernames, passwords, email addresses)<br />
exfiltrated during major breaches and<br />
currently in circulation in the billions. The<br />
value of these stolen credentials can be worth<br />
as much as two to five times more than basic<br />
credit card information.<br />
OUTLOOK BLEAK AS PASSWORDS CRACKED<br />
Thousands of UK businesses are immediately<br />
at risk from potential compromise of their<br />
Outlook Web Access platform. That's<br />
according to new research from SecureData.<br />
This suggests close to 0.5% of all organisations<br />
in its study could be cracked using a<br />
combination of publicly available email<br />
addresses from previous data breaches and<br />
poor password security behaviour by users, as<br />
they reuse passwords between professional<br />
and personal applications.<br />
The researchers analysed 1.5 million<br />
compromised email addresses from 173,000<br />
individual organisations in the UK. SecureData<br />
could crack 92% of passwords where the<br />
compromise included the hashed or one-way<br />
encrypted password. From this sample of<br />
organisations, 1,226 could be identified as<br />
using Outlook Web Access.<br />
Charl van der Walt, head of security strategy<br />
at SecureData, commented: "We developed<br />
this research as a vehicle to illustrate the<br />
increasing security challenge, as employees mix<br />
their corporate and personal online universes.<br />
This is exacerbated by enterprise risk models<br />
that fail to appreciate how attackers view their<br />
business, reflecting instead their own view as<br />
to what is valuable."<br />
NEW POSTGRADUATE I.T. DEGREES<br />
New cybersecurity degrees have been<br />
launched to help fight hackers and online<br />
criminals, as demand for skilled specialists<br />
grows. With billions of pounds being lost to<br />
the economy through cybercrime, Arden<br />
University has been working with industry<br />
specialists to develop four new IT<br />
postgraduate degrees to give graduates<br />
skills to fill vacancies in high-demand<br />
sectors such as strategic IT management,<br />
telecoms and cybersecurity.<br />
The launch of the courses comes as the<br />
UK government recognises the need to<br />
improve national cybersecurity, with<br />
chancellor Philip Hammond pledging to<br />
spend £1.9bn to upgrade resilience. At the<br />
same time, cybersecurity vacancies have<br />
grown by 73% in the last year alone.<br />
'BREAKTHROUGH' DATA GOVERNANCE AND PROTECTION<br />
QinetiQ's data security company Boldon<br />
James and Varonis Systems, provider of<br />
software solutions that protect data<br />
from insider threats and cyberattacks,<br />
have announced the integration of<br />
Boldon James Classifier data classification<br />
solution suite with the Varonis Metadata<br />
Framework platform. This, it is said, will<br />
enable organisations to ensure their<br />
most valuable data is monitored and<br />
protected against the rapidly growing<br />
threats arising from both insiders and<br />
external cyberattacks.<br />
"The combined value of the Varonis and<br />
Boldon James solutions helps to reduce<br />
the business risk of valued and sensitive<br />
information ending up in the wrong<br />
hands, while enhancing decision making<br />
and increasing the effectiveness of<br />
enterprise search and retrieval," stated<br />
the two vendors.<br />
"The combined offering of Varonis<br />
and Boldon James Classifier enables<br />
organisations to identify, protect and<br />
monitor their most valuable data,<br />
wherever it is located," said Martin<br />
Sugden, CEO at Boldon James. "This<br />
partnership adds significant value to our<br />
mutual customers… offering the widest<br />
range of products and best-of-breed<br />
integrations."<br />
intrusion detection<br />
MANNING THE PERIMETER WALLS<br />
PERIMETER DEFENCE AND INTRUSION DETECTION HAVE BEEN A MAINSTAY OF THE NETWORK SECURITY<br />
STACK FOR WELL OVER A DECADE. BUT HOW ARE THEY EVOLVING TO MEET ESCALATING, MORE<br />
SOPHISTICATED ATTACKS?<br />
As the industry grew smarter and<br />
more focused on the nature of<br />
threats it faced, next-generation<br />
firewalls (NGFW) emerged, but these<br />
focused on the rules at the edge of the<br />
network, and making and expressing how<br />
applications and services are allowed to<br />
access the outside world. However, this<br />
did not fully solve the problem of stopping<br />
intrusions. "That's where next-gen<br />
intrusion prevention systems (NGIPS) came<br />
in," argues Andrew Bushby, UK director,<br />
Fidelis Cybersecurity, "and even these have<br />
now evolved."<br />
NGIPS find and stop the more dangerous<br />
unknown threats that push through a<br />
next-gen firewall. "Traditional IPS were<br />
originally designed to identify attacks<br />
targeting known vulnerabilities," he says.<br />
"However, the exploits hackers use have<br />
changed - attackers are no longer server-centric<br />
and are now using unexpected<br />
pathways to target enterprises and<br />
distributed endpoints. This is forcing<br />
organisations to take a hard look at their<br />
IPS and assess whether they need to buy<br />
new NGIPS to optimise their existing<br />
security stack.<br />
"By deploying NGIPS that use modern<br />
approaches to detecting and stopping<br />
attacks - such as reassembling sessions,<br />
not packets, and using Yara-based rule<br />
sets - companies can detect modern<br />
intrusions that traditional IPS cannot see,"<br />
adds Bushby. "This means that<br />
organisations can see the entire inbound<br />
and outbound communication stream,<br />
which is critical to detecting and stopping<br />
attackers in their tracks."<br />
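The "sessions, not packets" point made above, as an added example in Python (not code from the article or from Fidelis): a content signature that straddles two TCP segments is invisible to per-packet matching but is caught once the flow is reassembled. The signature, the flow and the segments are constructed for illustration.<br />

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed signature for illustration: a content rule for one hypothetical
# bad HTTP User-Agent. Real NGIPS rule sets (Yara, Snort and the like) are far larger.
SIGNATURE = re.compile(rb"User-Agent: EvilBot/1\.0")

FlowKey = Tuple[str, int, str, int]   # (src_ip, src_port, dst_ip, dst_port)


@dataclass
class Segment:
    """One TCP segment as a sensor sees it: flow key, sequence number, payload."""
    flow: FlowKey
    seq: int
    payload: bytes


def match_per_packet(segments: List[Segment]) -> List[int]:
    """Legacy IPS behaviour: inspect each segment's payload on its own.
    Returns the sequence numbers of segments that matched."""
    return [s.seq for s in segments if SIGNATURE.search(s.payload)]


class SessionReassembler:
    """Minimal per-flow TCP stream reassembler.

    Segments are buffered per flow and appended to the stream only when the
    next expected byte has arrived, so a signature split across segment
    boundaries, or delivered out of order, is seen as one contiguous stream.
    Retransmissions and overlapping segments are ignored here for brevity.
    """

    def __init__(self) -> None:
        self._streams: Dict[FlowKey, bytes] = {}
        self._next_seq: Dict[FlowKey, int] = {}
        self._pending: Dict[FlowKey, Dict[int, bytes]] = {}

    def start_flow(self, flow: FlowKey, isn: int) -> None:
        """Register a flow with the initial sequence number learned from the handshake."""
        self._streams[flow] = b""
        self._next_seq[flow] = isn
        self._pending[flow] = {}

    def feed(self, seg: Segment) -> Optional[bytes]:
        """Feed one segment; return the flow's reassembled stream if it grew, else None."""
        if seg.flow not in self._next_seq:
            # No handshake seen: best effort, treat this segment as the start.
            self.start_flow(seg.flow, seg.seq)
        self._pending[seg.flow][seg.seq] = seg.payload
        grew = False
        # Drain every buffered segment that is now contiguous with the stream.
        while self._next_seq[seg.flow] in self._pending[seg.flow]:
            chunk = self._pending[seg.flow].pop(self._next_seq[seg.flow])
            self._streams[seg.flow] += chunk
            self._next_seq[seg.flow] += len(chunk)
            grew = True
        return self._streams[seg.flow] if grew else None


def detect_sessions(segments: List[Segment], isns: Dict[FlowKey, int]) -> List[FlowKey]:
    """NGIPS-style behaviour: reassemble each flow, then match the stream.
    Returns the flows whose reassembled stream matched the signature."""
    reasm = SessionReassembler()
    for flow, isn in isns.items():
        reasm.start_flow(flow, isn)
    hits: List[FlowKey] = []
    for seg in segments:
        stream = reasm.feed(seg)
        if stream is not None and seg.flow not in hits and SIGNATURE.search(stream):
            hits.append(seg.flow)
    return hits


# Constructed sample: one flow whose request is split in the middle of the
# signature, and whose second segment is delivered before the first.
FLOW: FlowKey = ("203.0.113.7", 51514, "198.51.100.10", 80)
FIRST = b"GET / HTTP/1.1\r\nUser-Agent: Evil"
SECOND = b"Bot/1.0\r\nHost: intranet\r\n\r\n"
SAMPLE_SEGMENTS = [
    Segment(FLOW, 1000 + len(FIRST), SECOND),   # arrives first, out of order
    Segment(FLOW, 1000, FIRST),
]
SAMPLE_ISNS = {FLOW: 1000}


def compare() -> Tuple[List[int], List[FlowKey]]:
    """Run both detection styles over the same segments."""
    return match_per_packet(SAMPLE_SEGMENTS), detect_sessions(SAMPLE_SEGMENTS, SAMPLE_ISNS)


if __name__ == "__main__":
    per_packet, per_session = compare()
    print("per-packet matches :", per_packet)    # [] : the signature straddles the split
    print("per-session matches:", per_session)   # [FLOW]
```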
NGIPS also need a degree of automation<br />
to validate network-based alerts and<br />
quarantine suspicious endpoints as well as<br />
being easily scalable; for example, through<br />
a cloud-based deployment. "This is<br />
particularly important when you consider<br />
the seemingly endless array of<br />
'complementary' security components<br />
companies have amassed over the years -<br />
such as firewalls, antivirus, as well as<br />
NGIPS - and the fact breaches are still<br />
happening. Alerts should also have<br />
integrated forensics, providing contextual<br />
detail on a suspected threat. As well as<br />
this, it's essential that new intelligence can<br />
be automatically applied to the past when<br />
scrutinising the rich metadata on the<br />
network and endpoints."<br />
Only with all these measures in place,<br />
he points out, will NGIPS "truly be<br />
capable of taking on the cyber threats of<br />
the modern world".<br />
DEFENDING AGAINST OUTSIDE FORCES<br />
According to the InfoSec Institute, which<br />
has been training information security<br />
and IT professionals since 1998 with a<br />
diverse line-up of training courses, a key<br />
means of monitoring and protecting<br />
against outside forces intruding beyond<br />
an organisation's defences is to deploy a<br />
SIEM (security information and event<br />
management) solution.<br />
Writing on InfoSec Institute's website,<br />
Jatin Jain stresses how such solutions<br />
normalise, filter, correlate, assemble and<br />
centrally manage other operational events<br />
to monitor, alert on, respond to, analyse,<br />
audit, and manage security and<br />
compliance pertinent information.<br />
"SIEM systems provide fundamental<br />
security operations like other product<br />
categories. Their functions and delivery<br />
mechanisms, hardware appliances,<br />
virtual appliances and services vary by<br />
vendor. They provide more efficient and<br />
useful analysis capabilities for<br />
information security professionals and<br />
their organisations," states Jain, who has<br />
wide experience in the information<br />
security domain, embracing information<br />
security audit, web application audit,<br />
vulnerability assessment, penetration<br />
testing/ethical hacking and also acted as<br />
a corporate trainer.<br />
Andrew Bushby, Fidelis Cybersecurity:<br />
hackers are now using unexpected<br />
pathways to target enterprises and<br />
distributed endpoints.<br />
"SIEMs collect and centrally manage records<br />
of network, application, device, security, and<br />
user activity from different infrastructure<br />
sources. The most common form of event<br />
log data is an audit file generated by a<br />
system, commonly captured via syslog<br />
protocol. Manually reviewing many diverse<br />
log sources has been proven ineffective, slow,<br />
conducive to error, and frustrating to security<br />
personnel. In addition, at some point a given<br />
log file may be overwritten with newer data,<br />
whereby previous audit information will<br />
be lost."<br />
RULE AND CONQUER<br />
It is important to know what device sources<br />
in your operating environment must be<br />
supported and how your environment will<br />
support a security information and event<br />
management solution to receive or pull in<br />
necessary event log data.<br />
"For example, if a device's event log function<br />
is activated, some SIEMs may require the use<br />
of agents or credentialed means of access to<br />
obtain event log data. SIEM vendors publish<br />
the devices they support and provide updates to<br />
maintain and expand device support.<br />
Identification of problems, attacks and<br />
violations for which SIEMs serve an action<br />
[typically called an incident]," says Jain. "An<br />
incident is an event or occurrence that<br />
satisfies a rule and condition, or multiple<br />
rules and conditions. Rules can also be<br />
statistically derived event thresholds. The<br />
capacity for real-time correlation is<br />
determined by two factors: the amount of<br />
events per second, and the breadth of<br />
attributes and logic that can be applied by the<br />
SIEM's rule engine."<br />
SIEMs also help in identifying a company's<br />
specific issues or scenarios of interest,<br />
extending operating controls and<br />
communicating at different levels of severity,<br />
he adds. "An event will have a corresponding<br />
severity as reported by a device within the<br />
event log. It can be automatically adjusted by<br />
the SIEM, based on the rule logic or rule<br />
customisation. A SIEM alert will also provide<br />
underlying event triggers for further<br />
investigation. In addition, SIEMs also offer<br />
different event consolidation, alert<br />
suppression and case management<br />
capabilities to facilitate incident response,"<br />
he points out.<br />
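The rule, threshold, severity and suppression ideas Jain describes above, as an added example in Python (not code from the article or from InfoSec Institute): syslog lines are normalised into events, one fixed rule and one statistically derived threshold produce incidents, rule logic raises severity above what the device reported, and suppression consolidates alerts per source. The sshd log lines, rule names and numbers are all constructed for illustration.<br />

```python
import re
import statistics
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sshd syslog lines (RFC 3164 style) standing in for a device's audit log.
SAMPLE_LOG = """\
Jan 14 10:00:01 bastion sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jan 14 10:00:02 bastion sshd[2212]: Failed password for root from 203.0.113.5 port 40123 ssh2
Jan 14 10:00:02 bastion sshd[2213]: Failed password for root from 203.0.113.5 port 40124 ssh2
Jan 14 10:00:03 bastion sshd[2214]: Failed password for invalid user test from 203.0.113.5 port 40125 ssh2
Jan 14 10:00:04 bastion sshd[2215]: Failed password for root from 203.0.113.5 port 40126 ssh2
Jan 14 10:00:05 bastion sshd[2216]: Accepted publickey for deploy from 192.0.2.20 port 51000 ssh2
Jan 14 10:00:09 bastion sshd[2217]: Failed password for root from 203.0.113.5 port 40127 ssh2
Jan 14 10:00:10 bastion sshd[2218]: Failed password for alice from 192.0.2.21 port 51001 ssh2
Jan 14 10:00:12 bastion sshd[2219]: Failed password for bob from 192.0.2.22 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \w+\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)

@dataclass(eq=False)   # identity semantics: two identical-looking lines are still two events
class Event:
    """Normalised event: the common schema every log source is mapped into."""
    ts: int          # seconds since midnight; enough for a one-day sample
    host: str
    src: str
    user: str
    outcome: str
    severity: int    # as reported by the device (1 = info, 3 = low); rules may raise it

def normalise(line: str) -> Optional[Event]:
    """Parse one syslog line into an Event; None for lines this parser does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m["ts"].split()[-1].split(":"))
    severity = 3 if m["outcome"] == "Failed" else 1
    return Event(h * 3600 + mi * 60 + s, m["host"], m["src"], m["user"], m["outcome"], severity)

@dataclass
class Incident:
    """A rule match (an alert) carrying its triggering events for investigation."""
    rule: str
    src: str
    severity: int
    triggers: List[Event] = field(default_factory=list)

def rule_bruteforce(events: List[Event], threshold: int = 5, window: int = 60) -> List[Incident]:
    """Fixed rule: at least `threshold` failed logins from one source within `window` seconds."""
    incidents: List[Incident] = []
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.outcome == "Failed":
            by_src[e.src].append(e)
    for src, evs in by_src.items():
        lo = 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window:   # slide the window forward
                lo += 1
            if hi - lo + 1 >= threshold:
                # The rule's logic raises severity above what the device reported (3 -> 8).
                incidents.append(Incident("ssh-bruteforce", src, 8, evs[lo:hi + 1]))
                break   # one incident per source; suppression below handles repeats
    return incidents

def rule_statistical(events: List[Event], k: float = 1.0) -> List[Incident]:
    """Statistically derived threshold: a source whose failure count exceeds mean + k*stdev of all sources."""
    counts: Dict[str, int] = defaultdict(int)
    for e in events:
        if e.outcome == "Failed":
            counts[e.src] += 1
    if len(counts) < 3:   # too few sources for a meaningful baseline
        return []
    limit = statistics.mean(counts.values()) + k * statistics.pstdev(counts.values())
    return [Incident("ssh-failure-outlier", src, 5, [e for e in events if e.src == src])
            for src, n in counts.items() if n > limit]

def suppress(incidents: List[Incident]) -> List[Incident]:
    """Alert suppression and consolidation: one alert per source, keeping the
    highest severity and merging the underlying triggers."""
    best: Dict[str, Incident] = {}
    for inc in incidents:
        cur = best.get(inc.src)
        if cur is None:
            best[inc.src] = Incident(inc.rule, inc.src, inc.severity, list(inc.triggers))
            continue
        if inc.severity > cur.severity:
            cur.rule, cur.severity = inc.rule, inc.severity
        cur.triggers.extend(t for t in inc.triggers if t not in cur.triggers)
    return list(best.values())

def run_siem(log_text: str) -> List[Incident]:
    """Normalise, correlate with both rules, then suppress duplicate alerts."""
    events = [e for e in map(normalise, log_text.splitlines()) if e is not None]
    return suppress(rule_bruteforce(events) + rule_statistical(events))
```

Calling `run_siem(SAMPLE_LOG)` yields a single `ssh-bruteforce` incident for 203.0.113.5 at severity 8 with all six of its failures attached, the sixth merged in from the statistical rule.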
"The best means for achieving SIEM<br />
implementation success is via phases, rather<br />
than through an 'all at once' approach. It can<br />
break many projects into smaller phases:<br />
initial installation, replacement and<br />
expansion. The implementation and<br />
maintenance of SIEM will be easier, if the<br />
document and management process is<br />
better," he concludes.<br />
TOP 10 BEST PRACTICES:<br />
• Perimeter defences - monitor and report on key status, attacks and configuration changes associated with perimeter defences<br />
• Intrusion detection - monitor, respond and report on key status, notifications and incidents with regard to intrusion detection and system threats<br />
• Malware defence - monitor and report on key status, violation, issues, threats, and activity supporting malware controls<br />
• Application defences - monitor and report on key status, configuration changes, issues, violation and anomalous activity with regard to the web, database, and other application defences<br />
• Establish key monitoring and reporting requirements prior to deployment, which includes objectives, targets, compliance controls, implementation and workflow<br />
• Determine the system's scopes, infrastructure audit targets, necessary credentials, and verbosity<br />
• Compliance - includes management of audit data accessibility, retention, integrity, evidentiary requisites, and disposal<br />
• Access control - monitor and report on key status, transgression and anomalous access to critical resources<br />
• Resource integrity - monitor and report on key status, backup processes, configuration changes, threats, and vulnerabilities affecting network system resources integrity and availability<br />
• Acceptable use - monitor and report on key status, issues and violation activity regarding the acceptable use of resources and information.<br />
predictions 2017<br />
IT'S A MIXED-UP, MUDDLED UP, SHOOK-UP WORLD<br />
SECURITY BREACHES RIPPED THROUGH THE DEFENCES OF ONE ORGANISATION AFTER ANOTHER LAST<br />
YEAR. CAN WE EXPECT 2017 TO BE ANY DIFFERENT?<br />
One thing that last year and just<br />
about any recent year will be<br />
remembered for is the succession<br />
of big names that suffered a major<br />
breach - leaving them red-faced, often<br />
out of pocket and chastened by how<br />
easily the cybercriminals tore through the<br />
outer walls and seized their valuable<br />
data. Or, more accurately, the data of<br />
tens of thousands, even hundreds of<br />
thousands, of clients who had trusted<br />
them to keep their information safe.<br />
The bad news is that, judging by past<br />
performance, 2017 will be no better. In<br />
fact, it could be a whole lot worse. Why?<br />
Because endless warnings from the<br />
experts about how to keep their data safe<br />
have had seemingly little effect on far<br />
too many organisations. A lack of a clear<br />
strategy across the business that is<br />
enforced at all levels is to be discovered<br />
all too often after a breach has occurred.<br />
For whatever reason, despite the<br />
mayhem they see around them as others<br />
succumb to breach after breach, they<br />
don't put in place the safeguards that<br />
will serve to prevent the hackers from<br />
getting in - or at least implement systems<br />
that will provide early detection of a<br />
breach and minimise the damage.<br />
FUTURE IMPERFECT<br />
We've been speaking to a number of<br />
security experts about what 2017 may<br />
hold in store and here are some of their<br />
considered predictions:<br />
"Regulations that address the vast<br />
majority of cybersecurity threats already<br />
exist," says Tom Kemp, CEO of Centrify.<br />
"It's the adoption of key technologies<br />
that help to adhere to these regulations<br />
that's lacking. And that isn't to say that<br />
companies aren't trying. Many already<br />
have teams devoted to meeting the<br />
regulations they fall under. Still, in<br />
2017, we'll likely see a renewed effort<br />
by regulators to accelerate the<br />
implementation of security technologies.<br />
Ignoring the regulations or inching<br />
toward adherence will no longer be<br />
acceptable.<br />
"After a hugely successful 2016, we'll<br />
see increases in ransomware. Companies<br />
may start to actually budget money to<br />
buy back their own data after a<br />
ransomware event. As long as the<br />
majority of ransoms remain relatively<br />
low, companies will continue to pay<br />
them, and they may do so without<br />
involving law enforcement to avoid<br />
disruption and blemishing their brands.<br />
"We'll see widespread adoption of two-factor<br />
authentication - a fundamental<br />
technology that effectively addresses a<br />
problem that's grown too big to ignore.<br />
Despite a hack in early August that<br />
resulted in the loss of 120,000 bitcoin<br />
worth $65m, the cryptocurrency quickly<br />
rebounded and has grown in popularity.<br />
Expect some additional security measures<br />
to be implemented in the exchanges."<br />
NEW IDENTITY SOLUTIONS<br />
Identity will once again raise its ugly<br />
head, warns Garry Sidaway, SVP Security<br />
Strategy & Alliances at NTT Security. "We<br />
have known for a long time that<br />
passwords do not provide the necessary<br />
level of assurance that is required in the<br />
mobile digital age. Convenience and<br />
security are uneasy bedfellows and,<br />
although passwords are convenient, they<br />
are increasingly seen as weak tokens of<br />
identity. The demand for convenience by<br />
the consumer and digital workforce and<br />
the increase in mobile phone use will<br />
drive a renewed emphasis for identity<br />
solutions. Combining something you<br />
have with somewhere you are and<br />
something you know will see the decline<br />
of passwords as the primary<br />
authentication method. This<br />
combination of physical and digital, with<br />
the emergence of advanced<br />
authentication methods, will provide the<br />
catalyst for new identity solutions."<br />
"The digital workforce lives and works<br />
in a society where mobile is king and<br />
most other things are being replaced by<br />
it - from mobile cash to social mobile.<br />
Our phone is now our digital hub,<br />
controlling how we are identified and<br />
authenticated into our world and how<br />
we control and interact digitally. Because<br />
of this, we will see threat vectors<br />
concentrate on the devices in our hand<br />
rather than the devices on our laps.<br />
Security is traditionally focused on<br />
backend systems or containers - but this<br />
approach will have to change, with<br />
protection built into mobile devices from<br />
the ground up."<br />
YEAR OF THE EMPLOYEE<br />
2017 will be the year of the employee<br />
for multiple reasons, states Paul<br />
Calatayud, CTO, FireMon. "As physical<br />
cyber defences are built up within<br />
organisations, it will become more<br />
difficult to attack actual machines and<br />
therefore cyber attackers will shift<br />
towards targeting internal employees.<br />
Another way employees will be at the<br />
heart of cyber security in organisations is<br />
neglect, particularly in large enterprises<br />
with so many users accessing so many<br />
systems. This neglect, though a natural<br />
by-product, inevitably leads to<br />
compromise.<br />
"It could also be the lack of skilled<br />
employees that will be a bigger issue<br />
in 2017, due to the void of skilled<br />
individuals with cyber security skills<br />
coming through the ranks. Cyber<br />
personnel will become a rare commodity<br />
like we have never seen before.<br />
Organisations have received the message<br />
and are staffing and investing, but that<br />
demand generates a supply that is not<br />
available. As an alternative, there will<br />
be new and exciting innovations and<br />
adoption of philosophies such as DEV-SEC-OPS. This is simply the act of<br />
developing automation where possible<br />
within a cyber program, in order to free<br />
up staff resources.<br />
"The biggest risks for business heading<br />
into 2017, in regards to cloud adoption<br />
and security, will be how best to manage<br />
the risks as organisations increase their<br />
adoption from basic non-regulated data<br />
to more regulated data. This will put a<br />
lot of pressure on CISOs and security<br />
shops to move off the 'wait and see' and<br />
into response mode."<br />
[Photo caption] Andy Powell, Capgemini UK: in 2017, we'll expect to see cyber-attacks take a more sinister turn.<br />
[Photo caption] Jeff Costlow, ExtraHop: security budget dollars will start going to solutions that deliver real-time situational awareness across the network.<br />
[Photo caption] Garry Sidaway, NTT Security: our phone is now our digital hub, controlling how we are identified.<br />
[Photo caption] Tom Kemp, Centrify: companies may budget money to buy back their data after a ransomware event.<br />
NEXT-GEN CYBERATTACKS<br />
2017 will see more next-generation<br />
cyberattacks against specific individuals<br />
and organisations, cautions Noam<br />
Rosenfeld, SVP, Cyber Intelligence<br />
Solutions, Verint Systems. "Carefully<br />
planned and methodical, those attacks<br />
will use multiple vectors - including web,<br />
email, malicious files - dynamically<br />
adapting to exploit zero-day and other<br />
network vulnerabilities. The malware<br />
carrying out these attacks will initially<br />
investigate network vulnerabilities,<br />
disabling network security measures and<br />
infecting other points and devices. It will<br />
use fewer command and control servers,<br />
but will wait for the right time to extract<br />
data from the network. Many<br />
organisations will realise that they have<br />
suffered data breaches and been under<br />
attack for weeks, months, even years.<br />
"CISOs will finally understand that<br />
antivirus and next generation firewalls<br />
aren't enough. Knowing signatures,<br />
black-and-white listing, and recognising<br />
pattern-based techniques won't stop the<br />
latest threats. In 2017, CISOs will have<br />
had enough and will drive cybersecurity<br />
as a strategic and integral part of the<br />
organisation - not just a series of<br />
approximations. They won't want to<br />
hear about the latest and greatest point<br />
solutions - good results won't be enough<br />
to buy the technology," adds Rosenfeld.<br />
"Instead, security solutions must show<br />
their ROI - that they can identify threats<br />
operating above the control baseline and<br />
provide actionable intelligence directing<br />
resources to discovering, investigating,<br />
and stopping the threats. Alert fatigue<br />
needs to become a thing of the past.<br />
CISOs will want to know how all the<br />
security elements in the networks are<br />
operating - and working together.<br />
They'll want something that gathers all<br />
information from all the point solutions,<br />
giving them complete situational<br />
awareness of the digital environment."<br />
SCARY TIMES<br />
2016 was a big year in IT security, and a<br />
scary one, says Jeff Costlow, director of<br />
security, ExtraHop. "Some security experts<br />
estimate that ransomware took in a<br />
billion dollars over the past 12 months,<br />
with more than 4,000 attacks occurring<br />
every day. In 2017, these threats are only<br />
poised to get more sophisticated. We<br />
already have Mirai source code and we<br />
know ransomware is big business. This<br />
will be the year we see the first effective<br />
DDoS ransoms. Prior to now, there have<br />
been DDoS ransoms, but they haven't<br />
been nearly as effective as the<br />
ransomware application. Enterprises<br />
will need to equip themselves to not<br />
only thwart these attacks, but anticipate<br />
and detect them earlier.<br />
"Over the next 12 months, I believe that<br />
we're also going to see the first effective<br />
hacks against two-step authentication<br />
(note the difference between two-step<br />
authentication and two-factor<br />
authentication; two-factor uses two<br />
different mechanisms, while two-step<br />
uses an extra step). I've long called two-step<br />
authentication 'one-and-a-half<br />
factor', because it's better than a simple<br />
password, but definitely not as good as<br />
a full two-factor authentication,<br />
which requires inputting two unique<br />
authentication elements only known to<br />
the user. So many passwords have been<br />
leaked in the last few years, the bad guys<br />
now have a good statistical model of a<br />
password and will put that to use<br />
against two-step in 2017," states<br />
Costlow.<br />
What does all of this mean? "2017 may<br />
be the year that IT security finally moves<br />
to the final stage of grieving perimeter<br />
security: acceptance. As we've seen, over<br />
and over again, no matter how well<br />
fortified the perimeter, bad actors get in.<br />
And they are only getting better at it.<br />
The time has come to acknowledge that<br />
these malicious actors - whether<br />
employees, contractors, or outside<br />
agitators - are already inside the<br />
network. In turn, expect to see security<br />
budget dollars start going to solutions<br />
that deliver real-time situational<br />
awareness across the network. The days<br />
of data centres being banks without<br />
surveillance cameras in every hallway will<br />
be over, because the results of this slip in<br />
security have proven to be so<br />
catastrophic over the past few years."<br />
DDOS ESCALATION<br />
Dave Larson, CTO/COO at Corero<br />
Network Security, also homes in on the<br />
Mirai botnet. "While it is certainly<br />
fearsome in terms of its size, its capacity<br />
to wreak havoc is also dictated by the<br />
various attack vectors it employs. If a<br />
variety of new and complex techniques<br />
were added to its arsenal in 2017, we<br />
may see a substantial escalation in the<br />
already dangerous DDoS landscape, with<br />
the potential for frequent Terabit-scale<br />
DDoS events, which significantly disrupt<br />
our Internet availability.<br />
"While the motivations for such attacks<br />
are endless, the range of potential<br />
political and economic fallouts from such<br />
attacks could be far-reaching. Our entire<br />
digital economy depends upon access to<br />
the Internet and so organisations should<br />
think carefully about business continuity<br />
in the wake of such events. For example,<br />
it may be prudent to have back-up<br />
telephone systems in place to<br />
communicate with customers, rather<br />
than relying solely on VOIP systems,<br />
which could also be taken down in the<br />
event of an attack," says Larson.<br />
EVERYONE IS A TARGET<br />
2016 was another year of significant<br />
breaches across many industries, of<br />
course, demonstrating that, while cyber<br />
criminals are ever more intent on stealing<br />
critical data, they are not targeting<br />
specific verticals to achieve it. That's an<br />
important point to fully and completely<br />
understand, says Brian Chappell, director,<br />
Technical Services EMEAI & APAC,<br />
BeyondTrust.<br />
"In 2017, the simple fact remains:<br />
everyone is a target for hackers. This will<br />
become more relevant as the IoT<br />
continues to expand with ever more<br />
devices being sold that are internet<br />
connected, each one expanding the<br />
attack surface presented to the hackers.<br />
As we closed out 2016, tools like Mirai<br />
clearly demonstrated the risk that the IoT<br />
represents, not only to the environments<br />
hosting the devices but also to everyone<br />
else. This year is likely to be the year of<br />
DDoS, but it's not all bad; we can expect<br />
to see the first commercialised anti-DDoS<br />
organisations appearing, directly<br />
attacking the botnets by patching<br />
vulnerable systems forcibly, for example.<br />
"It's not all bad," Chappell reassures us.<br />
"This year will also see a lot of positives.<br />
Password re-use should diminish both in<br />
the user space and the admin space.<br />
With a multitude of personal password<br />
management tools available across<br />
multiple platforms, users should<br />
continue to be encouraged to trust these<br />
tools and use them for different, strong<br />
passwords across all the systems they<br />
use. In 2017, we'll see more<br />
organisations encouraging their users to<br />
take up these tools, perhaps even<br />
funding them."<br />
RANSOMWARE SURGE<br />
"This year saw the shocking rise of<br />
ransomware attacks on hospitals and<br />
other public services, such as the San<br />
Francisco public transit, demonstrating<br />
the wide variety of applications for the<br />
same ransomware threat," states Jerome<br />
Segura, malware intelligence analyst at<br />
Malwarebytes. "Healthcare organisations<br />
especially will continue to fall victim to<br />
nefarious hackers in 2017. Unfortunately,<br />
the healthcare industry will always be<br />
popular targets for ransomware attacks<br />
due to the sheer amount of data stored.<br />
Medical IoT devices are on the rise, from<br />
insulin pumps to wireless connected<br />
pacemakers, and hospital networks are<br />
home to a host of files on both patients<br />
and corporations. To make matters<br />
worse, hospital data systems frequently<br />
don't have the best security protection,<br />
all too often running out of date<br />
software. Cyber security basics still need<br />
to be learned, from the importance of<br />
data backups to the need for a layered<br />
approach to endpoint security.<br />
"While zero-day threats must be<br />
approached with constant vigilance,<br />
most malware is still designed based on<br />
vulnerabilities that have already been<br />
known to security professionals for at<br />
least one year. For hackers, the effort to<br />
build a new variant of pre-existing<br />
malware is more economical than<br />
uncovering new vulnerabilities on which<br />
to base the creation of completely new<br />
malware. As such, new types of existing<br />
exploits are steadily increasing and will<br />
continue to do so," adds Segura.<br />
UTILITIES UNDER ATTACK<br />
The cyber attack on the Ukrainian power<br />
grid in 2015 gave the world a real<br />
insight into what hackers are capable of<br />
- and that leaves Andy Powell, VP, head<br />
of cybersecurity at Capgemini UK, deeply<br />
concerned. "With an increasing amount<br />
of smart devices entering the utilities<br />
space, and with phishing tactics and<br />
malware becoming more refined, a<br />
similar attack could very well be<br />
imminent," he warns. "In 2017, we'll<br />
expect to see cyber-attacks take a more<br />
sinister turn. It's possible that we might<br />
even see the first real-world hack of a<br />
connected medical device. If hackers use<br />
ransomware for attacks of this nature, it<br />
will have a debilitating effect for the<br />
healthcare, utility and, in particular, the<br />
manufacturing industry, in which<br />
ransomware is becoming more<br />
prevalent, as the tools are now being<br />
made available by state actors."<br />
[Photo caption] Brian Chappell, BeyondTrust: password re-use should diminish both in the user space and the admin space.<br />
[Photo caption] Jerome Segura, Malwarebytes: healthcare organisations especially will continue to fall victim to nefarious hackers in 2017.<br />
CAR CONTROLS HACKING<br />
For Javvad Malik, security specialist at<br />
AlienVault, the way that computers have<br />
been steadily taking over more vehicle<br />
functions, increasing security<br />
vulnerabilities as a result, does not bode<br />
well for the future. "Hacking into<br />
vehicles, accessing functions or locating<br />
their whereabouts are becoming more<br />
commonplace. There's a push by<br />
automotive manufacturers to install<br />
more intelligence, functionality and<br />
automation into vehicles." But, with<br />
these additions, he warns, come more<br />
vulnerabilities. "There's no easy fix - but<br />
the consequences of a vulnerability in<br />
a vehicle can be a lot more catastrophic<br />
than one on a website."<br />
SPYING AND DRONES<br />
There is likely to be more widespread use<br />
of VPNs to evade new government spying<br />
measures, suggests Robert Page, lead<br />
penetration tester at Redscan Cyber<br />
Security. The introduction of the<br />
Investigatory Powers Bill will probably<br />
mean that an increasing number of web<br />
users will turn to VPNs and Tor in 2017 to<br />
avoid their use of websites and services<br />
like instant messaging applications being<br />
disclosed to the authorities, he says.<br />
"While this part of the bill isn't designed<br />
to detect illegal activity outright - an<br />
application to acquire a person's internet<br />
connection records will only be granted<br />
following a justifiable case - that won't<br />
deter many users from wanting to<br />
conceal activity on either shadowy or<br />
ethical grounds."<br />
Page also predicts increased targeting<br />
of drones by hackers. "While drones and<br />
unmanned aircraft have great potential<br />
to improve the speed and efficiency of<br />
everyday services, their ability to inflict<br />
injury and damage means that the<br />
government and manufacturers need to<br />
place more emphasis on enhancing their<br />
security in 2017. With frequent reports<br />
of low-cost, commercially available<br />
drones being flown in unauthorised<br />
areas, even models used by amateurs are<br />
a threat in the wrong hands. Plans to<br />
update EU safety and privacy rules<br />
governing the use of drones, coupled<br />
with the introduction of the drone code,<br />
will definitely go some way to stem fears.<br />
More work will need to be done with<br />
manufacturers, however, to ensure that<br />
cyber security fears are fully addressed."<br />
CLOUD SECURITY<br />
Finally, David Ferbrache, technical<br />
director in KPMG's cyber security<br />
practice, sees Cloud security coming of<br />
age in 2017: "Cloud services have finally<br />
grown up and recognised the need to<br />
provide clients with the functionality<br />
they need to implement effective security<br />
and compliance solutions. A well<br />
managed cloud environment can offer<br />
levels of security and resilience that<br />
many organisations would struggle to<br />
replicate internally; and, even in<br />
regulated industries, 'cloud as the first<br />
choice' has become the mantra."<br />
Executives demand certainty - even<br />
where there may be none: "Cyber<br />
security programmes have been well<br />
established in big corporates. Executives<br />
are now holding their CISOs to account<br />
to explain what has been achieved by<br />
their investments, occasionally<br />
demanding unreasonable certainty.<br />
Suddenly, the challenge has become just<br />
what does money buy you in reducing<br />
the impact and ideally the likelihood of a<br />
cyber breach - and just where does cyber<br />
insurance figure in that decision calculus.<br />
Boards are recognising that getting the<br />
basics right matters, but so does being<br />
ready to respond to an increasingly<br />
inevitable cyber breach," he concludes.<br />
ransomware<br />
RANSOMWARE TOP OF THREAT LIST<br />
MORE THAN 80% OF RESELLERS THINK CUSTOMERS ARE MOST CONCERNED WITH NEW RANSOMWARE THREATS<br />
Corey Nachreiner, WatchGuard: security<br />
customers are wondering how best to<br />
protect themselves.<br />
WatchGuard's new global channel<br />
partner survey on cyber security<br />
reveals that 83% of resellers<br />
believe that ransomware will be their<br />
customers' largest concern this year. In<br />
addition, 16% believe the majority of<br />
their customers would pay a cyber<br />
ransom and 65% believe at least some of<br />
their customers would pay. This<br />
willingness or necessity to pay, coupled<br />
with the increasing threat of<br />
ransomware, could prove costly for<br />
businesses in the coming year.<br />
"The proliferation of ransomware<br />
reached epidemic proportions in 2016, so<br />
it makes sense that resellers are<br />
forecasting it as the top threat next year,"<br />
says Corey Nachreiner, chief technology<br />
officer at WatchGuard. "On top of cyber<br />
extortion, security customers are hearing<br />
about tons of other new attacks and<br />
threat vectors each day, and they're<br />
wondering how best to protect<br />
themselves."<br />
The WatchGuard survey was designed to<br />
capture resellers' perspectives on<br />
customer cyber threat concerns.<br />
Conducted by independent market<br />
research firm Vanson Bourne, the survey<br />
examined the views of more than 1,400<br />
WatchGuard partner organisations across<br />
the globe.<br />
About 4% of reseller respondents<br />
believe that less than half their customers<br />
have the proper resources in place to<br />
adequately manage incoming security<br />
alerts. Many SMBs simply don't have the<br />
time or personnel necessary to focus on<br />
the management of network security<br />
solutions and the mitigation of growing<br />
cyber threats. Only 5% of surveyed<br />
resellers believe all their customers have<br />
these resources in place, while 7% believe<br />
none of them do at all.<br />
UTM OR NGFW?<br />
Of the total surveyed partner<br />
organisations, 63% do not think the<br />
majority of their customers understand<br />
the difference between Unified Threat<br />
Management (UTM) appliances and Next<br />
Generation Firewalls (NGFW). Nearly 80%<br />
do not think their customers care about<br />
the difference between the two appliance<br />
categories at all - and only want to know<br />
that their business is protected by the<br />
latest threat prevention solutions.<br />
This suggests that security customers<br />
are trusting channel resellers and<br />
managed security service providers to<br />
make informed recommendations about<br />
security appliances and strategies. Over<br />
the course of the last two years, nearly<br />
75% of reseller respondents'<br />
organisations have seen the most growth<br />
in UTM appliance sales, while only<br />
around a quarter have seen the most<br />
sales growth in NGFW appliances.<br />
product review<br />
CYJAX INTELLIGENCE PLATFORM<br />
The cyber threat landscape is<br />
evolving at such a pace that<br />
businesses need to be even more<br />
inventive in protecting confidential data.<br />
In many cases, threat updates and<br />
signatures provided by security partners<br />
aren't enough and now require a<br />
blended approach.<br />
The CYjAX Intelligence Platform is<br />
designed to work with existing security<br />
solutions where it enhances them with<br />
brand-specific intelligence on cyber<br />
threats. It doesn't require additional on-site<br />
hardware or software and presents all<br />
its findings in a customisable web portal.<br />
Created by career intelligence and<br />
technical experts in 2012, CYjAX<br />
automates the collection of threat<br />
intelligence information to enable<br />
advanced monitoring and analysis<br />
capabilities. A key priority is providing<br />
factual intelligence on the latest threats,<br />
including those from data breaches,<br />
cloud computing, social media,<br />
mainstream news and, yes, even the<br />
darknet.<br />
CYjAX has a sharp focus on protecting<br />
PII (personally identifiable information) -<br />
something many financial institutions are<br />
failing to do. Only recently, a well-known<br />
bank suffered an unprecedented attack<br />
on its online services resulting in a £2.5m<br />
loss. It got off very lightly, but won't be<br />
so fortunate when the GDPR (general<br />
data protection regulation) comes into<br />
force in 2018, as it calls for punitive fines.<br />
We found the CYjAX web portal to be<br />
very intuitive, as it's designed to present<br />
only those findings that match your<br />
requirements. The home page opens<br />
with a wealth of real-time report<br />
modules using widgets to provide<br />
information on areas such as live<br />
tweets, news feeds, phishing<br />
campaigns, darknet marketplaces and<br />
those of particular interest to law<br />
enforcement agencies.<br />
Along with a report overview, the home<br />
page provides a daily brief which filters<br />
out information not relevant to your<br />
industry vertical. This provides handy<br />
updates on your company's sphere of<br />
operations and clicking on an entry<br />
brings up a full report.<br />
The portal can be used to view general<br />
information about these topics, but comes<br />
into its own when you use keyword<br />
datastreams. These describe anything from<br />
a brand, a person's name or domain to an<br />
IP address, email account, credit card<br />
number or third party.<br />
Once keywords have been added,<br />
CYjAX starts sending newly discovered<br />
intelligence on them to the relevant<br />
dashboard modules. You can also<br />
subscribe to datastreams and receive<br />
regular email updates on them when<br />
new information has been discovered.<br />
The dashboard provides full search<br />
facilities for all the intelligence<br />
datastores, making it easy to home in on<br />
an area of interest. The results can be<br />
refined, as the search page allows you to<br />
pick a specific datastore to interrogate,<br />
with options including darknet forums,<br />
web pages and marketplaces.<br />
The new DataLeak Datastore feature<br />
will prove invaluable, as it already<br />
contains details of around 2.5 billion<br />
compromised email credentials. The<br />
datastore can be searched and, once<br />
you've advised CYjAX which domains<br />
belong to you, its reports will provide<br />
information about data leaks specific to<br />
your organisation.<br />
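As an added illustration of what a domain-scoped search of a leaked-credential datastore does (example code written for this review, not CYjAX's own code or API): the records, domains and breach sources below are constructed. The point is the domain match, which must catch mail on subdomains of a domain you own without accepting look-alike domains, and the report masks the local part so the leaked credentials themselves are not copied into yet another place.<br />

```python
"""Added example: match constructed leaked-credential records to owned domains.
Not CYjAX's code; records, domains and sources are invented for the illustration."""

# Constructed leaked-credential records (no real data): (email, source, date seen)
LEAK_RECORDS = [
    ("Alice.Smith@Example.com", "forum-dump-a", "2016-11-02"),
    ("bob@mail.example.com", "paste-site", "2016-12-15"),
    ("eve@notexample.com", "forum-dump-a", "2016-11-02"),   # look-alike, not ours
    ("carol@example.org", "combo-list", "2017-01-05"),
    ("not-an-email", "combo-list", "2017-01-05"),           # junk row in the dump
]

# Domains the organisation has told the service it owns (constructed).
OWNED_DOMAINS = {"example.com", "example.org"}


def email_domain(address):
    """Return the lower-cased domain of an address, or None if it is not one."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or "." not in domain:
        return None
    return domain.lower()


def owning_domain(domain, owned):
    """Return the owned domain that `domain` equals or is a subdomain of, else None.
    The check requires the dot before the owned name, so notexample.com is
    not treated as belonging to example.com."""
    for d in owned:
        if domain == d or domain.endswith("." + d):
            return d
    return None


def is_owned(domain, owned):
    return owning_domain(domain, owned) is not None


def mask_local(address):
    """Keep the first character of the local part; hide the rest."""
    local, _, domain = address.rpartition("@")
    return local[:1] + "*" * (len(local) - 1) + "@" + domain.lower()


def leak_report(records, owned):
    """Group the matching records by owned domain: {domain: [(masked, source, seen)]}."""
    report = {d: [] for d in owned}
    for email, source, seen in records:
        domain = email_domain(email)
        if domain is None:
            continue  # unparseable row, nothing to match
        d = owning_domain(domain, owned)
        if d is not None:
            report[d].append((mask_local(email), source, seen))
    return report


if __name__ == "__main__":
    for domain, hits in leak_report(LEAK_RECORDS, OWNED_DOMAINS).items():
        print(domain, len(hits), hits)
```

The masked report is what you would hand to an account-owner or helpdesk team to trigger a reset; the unmasked dump stays with whoever holds the datastore.<br />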
Called Pastes, the second data leak<br />
module lists data files pasted into web<br />
sites that contain PII. Selecting an entry<br />
reveals its entire contents and CYjAX's<br />
API service allows this information to be<br />
extracted and used by your resident<br />
systems to improve their security posture.<br />
CYjAX Intellimetrics provides<br />
customisable dashboards with graphical<br />
views of selected threat intelligence data.<br />
These can be viewed over a specific<br />
period or in real-time, allowing<br />
businesses to identify and track threat<br />
behaviour patterns.<br />
Enterprises need to up their game, if<br />
they want to stay ahead of the latest<br />
security threats. The CYjAX Intelligence<br />
Platform is a sophisticated solution that<br />
works in tandem with existing security<br />
products and delivers a critical defence<br />
layer that protects your all-important<br />
brand reputation. CS<br />
Product: Intelligence Platform<br />
Supplier: CYjAX Ltd<br />
Web site: www.cyjax.com<br />
Sales: info@cyjax.com<br />
Tel: 020 7096 0668<br />
yahoo fallout<br />
WHEN WILL WE EVER LEARN?<br />
HAVING SUFFERED TWO OF THE<br />
LARGEST HACKS IN HISTORY,<br />
YAHOO ENDED 2016 ON A LOW<br />
NOTE, WITH ITS APPROACH TO<br />
CYBER SECURITY BROUGHT<br />
SERIOUSLY INTO QUESTION.<br />
WHAT WENT SO WRONG?<br />
Many would have been forgiven if<br />
they reacted to the massive breach<br />
at Yahoo last year as beyond<br />
comprehension. After all, we still have this<br />
(perhaps naïve) idea that big companies<br />
think and act big, and that it's the minnows<br />
who are much more likely to be the victims<br />
of hackers. And with companies of the size<br />
and scale (and wealth) of Yahoo, one might<br />
think they would throw infinite resources at<br />
keeping their customers' information safe.<br />
"A breach of this size is almost<br />
unfathomable - even disregarding the<br />
fact this was the second massive breach<br />
disclosure from Yahoo in a matter of<br />
months," says Ed Macnair, CEO,<br />
CensorNet. "There's clearly been some<br />
historic security failings at the company<br />
and they are now paying the price.<br />
"We're living in an era where any data<br />
held online is inherently insecure and, if<br />
the right controls aren't in place, someone<br />
will steal it. While the numbers impacted in<br />
this case are massive, Yahoo isn't the first<br />
and won't be the last, unless businesses do<br />
better at protecting the information they<br />
hold. While one would hope that most<br />
Yahoo account holders changed their<br />
passwords earlier in the year [when the first<br />
breach took place], relying on that as a<br />
method of dealing with lost details can't go<br />
on much longer.<br />
"It should have become clear to almost<br />
everyone that the password/ username<br />
method is broken and to stop events like<br />
this we need a new system in place. The<br />
tools, like multi-factor authentication,<br />
already exist; we now need to force their<br />
use and make it harder for hackers to get<br />
what they want. This situation will carry on<br />
repeating itself until we make a change."<br />
OUTDATED MODEL<br />
Paul German, CEO, Certes, refers to Yahoo's<br />
"outdated cyber security model which takes<br />
a 'protect', 'detect', 'react' approach which<br />
simply does not work. The problem lies in<br />
the fact that, once inside a network, there<br />
is a significant delay before a hacker is<br />
detected, leaving them free to move<br />
uninhibited, accessing vast quantities of<br />
sensitive data and wreaking havoc. A single<br />
hack could be forgiven as unlucky, but twice<br />
smacks of a complete unwillingness to act<br />
and take the security of its customers'<br />
sensitive data seriously."<br />
As far as he is concerned, there is a<br />
fundamental step missing - damage<br />
limitation. "At whatever point a hacker enters<br />
a network, they must be contained,<br />
restricting the data they can access and the<br />
damage they can inflict before they are<br />
detected. This obvious step is missing from<br />
the cyber security strategies of some of the<br />
world's biggest organisations and is the<br />
reason we are seeing hacks that affect<br />
consumers on such a massive scale.<br />
However, by looking to approaches such as<br />
cryptographic segmentation to contain a<br />
threat, businesses can ensure a hacker<br />
cannot roam freely across their network,<br />
significantly limiting the impact of an attack."<br />
EASY ACCESS<br />
As Steven Malone, director of security<br />
management at email security firm<br />
Mimecast, is at pains to point out, email is<br />
one of the most vulnerable windows into an<br />
organisation - which makes it no surprise<br />
that 91% of cybercrime starts with an email.<br />
"Considering the inherent weaknesses of<br />
email, it is critical that organisations take<br />
proactive measures to secure themselves<br />
from simple phishing emails right through to<br />
impersonation and weaponised<br />
attachments. Nowadays, effective malware is<br />
easily bought online, meaning that criminals<br />
with little to no computer skills are free to<br />
send infected emails. It is also vital that<br />
organisations look to train employees, as<br />
they will always remain the gatekeepers into<br />
organisations. Some alertness can go a long<br />
way, spotting giveaways in the emails so<br />
perfectly crafted they could have been sent by<br />
a colleague or close friend."<br />
FORENSIC EVIDENCE<br />
David Gibson, VP of strategy and market<br />
development at Varonis, believes<br />
organisations should be taking steps not<br />
only to safeguard data, but also provide<br />
forensic evidence when the worst happens.<br />
"The first step in a data security strategy<br />
should be to instrument your environment to<br />
be able to: a) see who is accessing data,<br />
when, and how; b) profile normal behaviour;<br />
and c) alert on abuse. Step two should be to<br />
identify sensitive data and ensure that only<br />
the right people have access (i.e., the principle<br />
of least privilege). Step three is to implement<br />
automated processes and human<br />
checkpoints to verify that controls put in<br />
place stay in place, so you don't backslide to<br />
an insecure state.<br />
"Interestingly, if Yahoo hadn't instrumented<br />
their environment to detect evidence of<br />
intrusion, they may never have 'officially'<br />
discovered the recent two data breaches….<br />
The upcoming breach notification<br />
requirements will also place a new burden<br />
on data controllers like Yahoo," Gibson adds.<br />
Under the General Data Protection<br />
Regulation (GDPR), the IT security mantra is<br />
clear: 'always be monitoring'.<br />
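The three steps Gibson lists, carried through as an added Python example (not code from the article, from Varonis or from Yahoo): it parses constructed file-access log lines, learns each user's normal shares, hours and daily volume, then alerts on deviations. The log format, the users, the share classification and the thresholds are all assumptions made for the illustration.<br />

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set

# Constructed learning-window log, one access per line:
# "<ISO time> <user> <action> <share>/<path>"
BASELINE_LOG = """\
2016-11-01T09:05:00 alice READ finance/q3-forecast.xlsx
2016-11-01T10:12:00 alice READ finance/budget.xlsx
2016-11-01T14:30:00 alice WRITE finance/budget.xlsx
2016-11-02T11:00:00 alice READ finance/invoices/1001.pdf
2016-11-01T09:00:00 bob READ engineering/design.md
2016-11-01T16:20:00 bob WRITE engineering/design.md
2016-11-02T10:05:00 bob READ engineering/build.log
"""

# Constructed log for the day being monitored.
NEW_LOG = """\
2016-11-03T09:30:00 alice READ finance/budget.xlsx
2016-11-03T02:10:00 bob READ hr/payroll/2016.csv
2016-11-03T02:11:00 bob READ hr/payroll/2015.csv
2016-11-03T02:11:30 bob READ hr/payroll/2014.csv
2016-11-03T02:12:00 bob READ hr/salaries.xlsx
2016-11-03T02:12:10 bob READ hr/contracts.docx
2016-11-03T02:12:20 bob READ hr/benefits.xlsx
2016-11-03T11:00:00 carol READ engineering/design.md
"""

SENSITIVE_SHARES = {"finance", "hr"}  # step two: shares classified as sensitive

@dataclass(frozen=True)
class Event:
    time: datetime
    user: str
    share: str

@dataclass(frozen=True)
class Alert:
    user: str
    rule: str
    detail: str

@dataclass
class Profile:
    shares: Set[str]   # shares the user normally touches
    hours: Set[int]    # hours of day the user is normally active
    peak_daily: int    # busiest day seen in the learning window

def parse_log(text: str) -> List[Event]:
    """Step (a): turn raw access records into who/when/where events."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, _action, target = line.split(maxsplit=3)
            events.append(Event(datetime.fromisoformat(ts), user,
                                target.partition("/")[0]))
    return events

def build_profiles(events: List[Event]) -> Dict[str, Profile]:
    """Step (b): learn each user's normal shares, hours and daily volume."""
    shares, hours, daily = defaultdict(set), defaultdict(set), Counter()
    for e in events:
        shares[e.user].add(e.share)
        hours[e.user].add(e.time.hour)
        daily[(e.user, e.time.date())] += 1
    return {u: Profile(shares[u], hours[u],
                       max(n for (who, _), n in daily.items() if who == u))
            for u in shares}

def detect(profiles: Dict[str, Profile], events: List[Event],
           sensitive: Set[str], burst_factor: int = 2,
           min_burst: int = 5) -> List[Alert]:
    """Step (c): alert on deviations; each (user, rule, detail) fires once."""
    alerts: List[Alert] = []
    daily: Counter = Counter()
    for e in sorted(events, key=lambda ev: ev.time):
        found = []
        prof = profiles.get(e.user)
        if prof is None:
            found.append(Alert(e.user, "UNKNOWN_USER", "no baseline for account"))
        else:
            # Sensitive share this user has never been seen on before.
            if e.share in sensitive and e.share not in prof.shares:
                found.append(Alert(e.user, "NEW_SENSITIVE_SHARE", e.share))
            # Activity more than an hour outside the user's usual hours.
            if all(abs(e.time.hour - h) > 1 for h in prof.hours):
                found.append(Alert(e.user, "OFF_HOURS", f"{e.time.hour:02d}:00"))
            # Daily volume well above the busiest day in the learning window.
            key = (e.user, e.time.date())
            daily[key] += 1
            if daily[key] >= min_burst and daily[key] > burst_factor * prof.peak_daily:
                found.append(Alert(e.user, "BURST", str(e.time.date())))
        alerts.extend(a for a in found if a not in alerts)
    return alerts

def run_demo() -> List[Alert]:
    profiles = build_profiles(parse_log(BASELINE_LOG))
    return detect(profiles, parse_log(NEW_LOG), SENSITIVE_SHARES)
```

Calling run_demo() on the constructed data yields four alerts: bob's first-ever access to the hr share, his 02:00 activity, the burst of reads on 3 November, and carol, for whom no baseline exists at all.<br />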
TOO LITTLE, TOO LATE<br />
Once the breach had been unearthed, Yahoo<br />
notified potentially affected users, asking<br />
them to promptly change their passwords<br />
and adopt alternate means of account<br />
verification - but that was very much<br />
slamming the barn door shut after the horse<br />
had well and truly bolted. The first breach,<br />
remember, took place in 2014, so whatever<br />
remedial action Yahoo has recommended<br />
since the discovery of the breach in October<br />
this year is all too little, too late. The damage<br />
has already been well and truly done. Yahoo<br />
ARE WE PASSING THE PASSWORD TEST?<br />
New online research commissioned by credit information provider Equifax reveals that how we manage our<br />
passwords could mean we are leaving an 'open door' for fraudsters. According to the responses of over<br />
2,000 people, more than a quarter (27%) change their online passwords less than once a year and 23%<br />
never change their passwords without being prompted. It appears the over 55s are the most lax - with 29%<br />
of them admitting to infrequently updating their passwords.<br />
Lisa Hardstaff, identity fraud expert at Equifax, believes the fact that people now have so many passwords to<br />
remember could be a reason why they don't regularly update their passwords. "Our research revealed that<br />
nearly a third of consumers (31%) have more than five passwords. This demonstrates that people in the UK<br />
are definitely doing the right thing in ensuring that, if a fraudster accesses one of their passwords, they can't<br />
access all their other accounts by using the same password. However, good practice is to ensure that you<br />
regularly change your passwords and, worryingly, over a quarter of Brits do that less than once a year."<br />
Passwords can be the first barrier that online criminals face when trying to access someone's personal details,<br />
she adds. "So, understanding what makes a password strong can help keep information safe."<br />
users should have been better protected<br />
and, even allowing for the fact that a breach<br />
occurred at all, that intrusion and theft<br />
should have been detected at the time.<br />
The fact that the company was quick to<br />
invalidate unencrypted security questions<br />
and answers, so they couldn't be used to<br />
access an account, is of scant comfort to<br />
those whose data has been taken and used<br />
for whatever purposes. The time lapse of<br />
two years between the breach and finding<br />
out they were victims was something of<br />
a double blow. If the breach had been<br />
discovered at the time, they might well<br />
have been less impacted.<br />
In advice to all its account holders,<br />
Yahoo also made the following security<br />
recommendations:<br />
Change your password and security<br />
questions and answers for any other<br />
accounts on which you used the same or<br />
similar information used for your Yahoo<br />
account<br />
Review your accounts for suspicious<br />
activity<br />
Be cautious of any unsolicited<br />
communications that ask for your<br />
personal information or refer you to<br />
a web page asking for personal<br />
information<br />
Avoid clicking on links or downloading<br />
attachments from suspicious emails<br />
Additionally, consider using Yahoo<br />
Account Key, a simple authentication<br />
tool that eliminates the need to use<br />
a password altogether.<br />
These recommendations are mostly to be<br />
found in any issue of Computing Security<br />
magazine about the world we now live in -<br />
and, incidentally, have lived in for some<br />
time - as is Yahoo's warning about how an<br />
"increasingly connected world has come with<br />
increasingly sophisticated threats". Industry,<br />
government and users "are constantly in the<br />
crosshairs of adversaries", it states. That kind<br />
of statement now seems no more surprising<br />
than being told the sun will come up in the<br />
morning.<br />
It's hard to see what solace its account<br />
holders will extract from Yahoo's undertaking<br />
that, through what are strategic proactive<br />
detection initiatives and active response to<br />
unauthorised access of accounts, "Yahoo<br />
will continue to strive to stay ahead of these<br />
ever-evolving online threats and to keep our<br />
users and our platforms secure".<br />
DARK, DARK DAYS<br />
Meanwhile, how have other industry<br />
observers generally responded to the<br />
breach? "With the complex, data-rich, IT<br />
environments organisations run today, there<br />
is always a high possibility of yet another<br />
breach, with customer data making its way<br />
onto the dark web," says Gavin Millard,<br />
EMEA technical director, Tenable Network<br />
Security. "As we continue to add more<br />
technologies to our networks and as<br />
attackers become more sophisticated, it's<br />
important that organisations have a rapid<br />
process for determining the impact of the<br />
breach and a robust approach in addressing<br />
the ensuing post-breach fallout."<br />
Leo Taddeo, chief security officer, Cryptzone,<br />
states that the loss of unencrypted security<br />
questions and answers creates a risk for<br />
enterprises that rely on this technique to<br />
enhance security for traditional credentials.<br />
"The best defence is to deploy access<br />
controls that examine multiple user<br />
attributes before allowing access. This type<br />
of 'digital identity' makes it much harder for<br />
a hacker to take advantage of the type of<br />
information lost by Yahoo," he comments.<br />
Alex Mathews, EMEA technical manager,<br />
Positive Technologies, points out how almost<br />
every year we see reports of millions of<br />
leaked accounts of Yahoo/Hotmail/Gmail/<br />
iTunes/etc. He stresses the need for complex<br />
password protection on the part of users and<br />
the responsibility that also lies with them to<br />
do everything to keep themselves safe.<br />
"Despite many warnings, millions of users will<br />
still use very simple passwords like '1111',<br />
'qwerty', or their own names," he says.<br />
"According to Positive Technologies research,<br />
the password '123456' is quite popular, even<br />
among corporate network administrators: it<br />
was used in 30% of corporate systems<br />
studied in 2014. Hackers use the dictionaries<br />
of these popular passwords to bruteforce the<br />
user accounts, so perhaps now is the time to<br />
employ a little creativity."<br />
Mathews also refers to the additional<br />
protection offered by Yahoo in the form of<br />
Account Keys: "It would be prudent for any<br />
users that decide to continue using its service<br />
to employ this as a matter of urgency."<br />
CAUGHT NAPPING<br />
Troy Gill, manager of security research at<br />
AppRiver, regards such a breach as no<br />
surprise. "The sad reality is this is the latest in<br />
a long list of organisations that have been<br />
caught napping when it comes to protecting<br />
customers' data and I don't think we've seen<br />
the last confession yet. In fact, as technology<br />
infiltrates every facet of our lives, we are only<br />
opening the door for these types of events to<br />
be both more frequent and in all likelihood<br />
more impactful.<br />
"Keeping customers' data secure should be a<br />
top priority for all enterprises. A determined<br />
hacker can be quite difficult to detect, but<br />
organisations need to commit to hardening<br />
themselves to these types of attacks. This<br />
breach serves as a stark warning to all<br />
organisations that no company is too big<br />
or too small a target."<br />
Richard Cassidy, UK cyber security evangelist<br />
at Alert Logic, raises further concerns over<br />
how the Yahoo account data seems to have<br />
already been monetised (in part) and firmly<br />
distributed via various cybercriminal<br />
networks. "It is indeed very unfortunate;<br />
service providers such as Yahoo will always be<br />
a high-value target for bad actor groups on<br />
the DarkWeb, especially those looking to<br />
prove credibility and stamp their name in the<br />
data heist record books (per se)."<br />
FUTURE THINKING<br />
He adds that stopping every threat is a<br />
panacea that many argue is impossible to<br />
achieve. "Regardless of organisation size or<br />
security capabilities in-house, there needs to<br />
be a paradigm shift in how we view<br />
susceptibility to threats, and how we architect<br />
our current security framework around threat<br />
detection and early warning of nefarious<br />
activity. Relying on legacy layered security<br />
solutions, with no correlation on activity from<br />
application to network layer, can leave<br />
organisations at greater risk of a data breach."<br />
It's here that we need to shift our thinking<br />
and architecture, Cassidy says. "Organisations<br />
need to assess their risk status to data<br />
breaches, understand the market they<br />
operate in, their competitors and, of course,<br />
the threat vectors most likely to be seen,<br />
architecting security capabilities that reduce<br />
that risk profile and enable better trust<br />
relationships between third parties and<br />
customers, all with the aim of keeping key<br />
data security assets as protected as current<br />
technology capabilities permit.<br />
"Furthermore, reliance on automated<br />
security scanning functions can lead to key<br />
indicators of compromise going undetected;<br />
the human expert analysis approach ensures<br />
a level of assurance around protection from<br />
even the most advanced malware threats or<br />
zero-day activity that may be targeted against<br />
the organisation."<br />
MASSIVE IMPACT<br />
Corey Williams, senior director, products and<br />
marketing, Centrify, says this is "less of a story<br />
about 500 million user accounts being stolen<br />
and more about how lax security and poor<br />
handling of incidents can impact the very<br />
existence of a company. The stakes for<br />
properly securing access to corporate<br />
resources and handling security incidents<br />
couldn't be higher".<br />
anti-malware<br />
TIME TO THINK TWICE!<br />
OVER AND AGAIN, HUMAN WEAKNESS - AND CURIOSITY - ARE COMPLICIT IN AIDING ATTACKERS TO GET<br />
INSIDE AN ORGANISATION'S DEFENCES. HOW CAN THIS BE PREVENTED?<br />
While ensuring that systems and<br />
applications are fully updated to<br />
protect a business against malware<br />
is essential, more can always be done -<br />
ultimately it all comes down to where the<br />
line is drawn between minimum level of<br />
acceptable security and absolute overkill for<br />
the problem at hand. At a basic level, the<br />
following should at least be considered, says<br />
Daniel Driver, head of perception cyber<br />
security at Chemring Technology Solutions:<br />
User security awareness training, in order<br />
to make users 'think twice' before clicking<br />
the link, plugging the USB drive in or<br />
divulging any data to external parties that<br />
could be used to build an attack. This will<br />
also cover simple concepts to minimise<br />
impact, if a user account were breached,<br />
such as good password management to<br />
avoid the same password being used<br />
across multiple sites<br />
Periodic auditing and review of the<br />
security of the environment ensures that<br />
no legacy equipment is left unmanaged,<br />
user accounts are live and do not have<br />
excessive network/system access, no<br />
rogue devices have been plugged in, and<br />
that there isn't simply a better way to<br />
configure a device for improved security<br />
and operation.<br />
"While it is important to do all of the above,<br />
it is possible that a determined attacker will<br />
use more advanced evasion and infiltration<br />
techniques, such as using social engineering,<br />
to get a valid password from an employee or<br />
use their own zero-day threats [custom<br />
malware]," warns Driver. "For those instances,<br />
it is important to know that malware is<br />
active on your system as soon as possible, so<br />
that remedial action can be taken.<br />
Monitoring for unusual activity on your<br />
network provides this insight."<br />
In addition to the prevention of malware, it<br />
is important to consider how you respond,<br />
should the systems be breached. "With<br />
ransomware being a very current example,<br />
would backups allow a user or organisation<br />
to recover data quickly, with minimal loss of<br />
data or service?" he asks.<br />
In the end, he advises, it comes down to a<br />
question of how important your data is and<br />
how much investment an adversary wants<br />
to make, so they can gain access to it. "You<br />
could implement all best practices by the<br />
latest software updates, keeping AV up to<br />
date and using the most robust firewalls,<br />
but a threat actor is likely to be able to<br />
mitigate all these protections with enough<br />
time and tenacity.<br />
"A more sophisticated network monitoring<br />
layer is needed, which constantly identifies<br />
and classifies behaviour to quickly identify<br />
malicious behaviours. As malware becomes<br />
increasingly intelligent and devious, so a step<br />
change is needed, as the technology used to<br />
combat it must match it."<br />
ON THE FRONTLINE<br />
According to research analyst organisation<br />
Forrester, endpoint security represents the<br />
frontline in your fight against cyberattackers.<br />
"Breaches have become commonplace<br />
among enterprises, and your employee<br />
endpoints and servers are targeted more<br />
than any other type of asset," it states in the<br />
company's report, 'The Forrester Wave:<br />
Endpoint Security Suites, Q4 2016'.<br />
"The effects from these security breaches<br />
can be devastating, causing a company to<br />
lose revenue, market reputation and market<br />
competitiveness. Unfortunately, inadequate<br />
endpoint security leaves the doors wide open<br />
to a variety of attacker techniques and tools,<br />
including malware, software exploits and<br />
social engineering. Now, more than ever, it's<br />
critical to have the right endpoint protection<br />
in place.<br />
"Security budgets have risen significantly in<br />
the past few years, with endpoint security<br />
budgets commanding, on average, 10% of<br />
the overall IT security budget in 2016.<br />
Despite the available budget for new<br />
investments, security pros struggle to find<br />
the right tools to protect the expanding<br />
attack surface posed by employee devices."<br />
As the numbers of new malware variants<br />
and methods of obfuscation rise, antivirus<br />
technologies have become less effective at<br />
protecting employee endpoints and servers.<br />
Numerous competing technology vendors<br />
have risen up to take aim at the stagnant<br />
antivirus market as a result. On the other<br />
hand, many of the traditional antivirus<br />
vendors have not taken this lying down.<br />
Some have adapted by either building or<br />
acquiring new technologies that do not rely<br />
on older, blacklist-based malware protection.<br />
Others have augmented their anti-malware<br />
engines with additional analysis capabilities<br />
that go beyond static blacklisting. This has<br />
led to a highly fragmented market with a<br />
number of different approaches to endpoint<br />
security, each with its own set of benefits<br />
and challenges, adds Forrester.<br />
To cut through the market confusion,<br />
advises Forrester, it's useful to categorise<br />
vendor capabilities into three core needs:<br />
attack prevention, detection and<br />
remediation. "Point products generally meet<br />
one need, while endpoint security suites<br />
meet two or all three, with varying levels of<br />
automatic policy enforcement between<br />
each." Before making any new purchases,<br />
consider a vendor's ability to meet each of<br />
these needs, it continues, specifically how<br />
well they are able to meet those three needs:<br />
Prevent malware and exploits from<br />
executing. Functionally, an endpoint<br />
security suite should create an<br />
environment where malware can't load<br />
into memory or an exploit is unable to<br />
take advantage of a running process. It<br />
may also prevent threats by reducing the<br />
attack surface, with measures such as<br />
system hardening and application<br />
control<br />
Detect malicious activity post-execution.<br />
Knowing attackers will inevitably get past<br />
preventive controls, modern endpoint<br />
security suites monitor running memory<br />
to identify malware and exploited<br />
applications before they achieve their<br />
malicious goals. Some solutions focus<br />
solely on process behaviour, while the<br />
most advanced solutions include user<br />
behaviour in their analysis to build<br />
context for a complete picture<br />
Remediate and contain malicious activity<br />
and potential vulnerabilities. Once a<br />
modern endpoint security suite identifies<br />
malicious endpoint activity or a potential<br />
vulnerability, it should be able to launch<br />
automated remediation without<br />
significant admin involvement.<br />
Remediation functions include<br />
executable/file quarantining,<br />
configuration roll-back, and targeted<br />
blocking of process/user behaviours,<br />
among others. Vulnerability remediation<br />
techniques (such as patch deployment)<br />
are included here as well; these often<br />
augment prevention measures.<br />
To assess the state of the endpoint security<br />
suite market and see how the vendors stack<br />
up against each other, Forrester evaluated<br />
the strengths and weaknesses of top<br />
endpoint security suite vendors. After<br />
examining past research, user need<br />
assessments, and vendor and expert<br />
interviews, it developed a comprehensive set<br />
of evaluation criteria.<br />
Forrester's research uncovered a market in<br />
which, it states, Trend Micro, Sophos,<br />
Symantec, Kaspersky Lab, Intel Security, and<br />
Carbon Black are leaders. Cylance, Landesk,<br />
CrowdStrike, ESET, Palo Alto Networks, IBM,<br />
SentinelOne and Invincea offer competitive<br />
options, it adds, while Bromium, in<br />
Forrester's opinion, lags behind.<br />
The full report, authored by Chris Sherman,<br />
with Christopher McClean, Salvatore<br />
Schiano, and Peggy Dostie, is available to<br />
purchase at:<br />
https://www.forrester.com/report/The+Forrester+Wave+Endpoint+Security+Suites+Q4+2016/-/E-RES113145<br />
software verification<br />
TIME TO STOP LIVING IN FANTASY LAND<br />
National Lottery operator Camelot did not have the greatest of<br />
years in 2016. No doubt it took plenty of money, but it also took<br />
plenty of flak. Tens of thousands of customers had their online<br />
accounts breached. That old jingle, ‘It could be you’, was one<br />
that Camelot no doubt came to see in another light<br />
The tail-end of 2016 was not a good<br />
one for Camelot, the operator of<br />
the National Lottery. It suffered two<br />
body blows that have left its reputation<br />
somewhat tarnished, to say the least.<br />
Indeed, if Camelot is compared to the<br />
mythical castled city whence its name is<br />
derived, where King Arthur held court,<br />
you would have to say that its attitude to<br />
cyber security has been unreal in the<br />
extreme, and much lacking in chivalry<br />
and valour.<br />
The first blow will be known to anyone<br />
who has ever picked up a newspaper,<br />
read one online or switched on their<br />
television set. It dates back to last<br />
November when thousands of customer<br />
accounts on the National Lottery website<br />
may have been compromised. Camelot<br />
at the time said around 26,500 players'<br />
accounts were accessed. The National<br />
Lottery operator became aware of<br />
'suspicious activity' on a number of<br />
players' online National Lottery accounts.<br />
"Of our 9.5 million registered online<br />
players, we believe that around 26,500<br />
players' accounts were accessed," it<br />
stated back then. "A much smaller<br />
number - fewer than 50 - have had some<br />
activity take place within the account<br />
since it was accessed. This was limited to<br />
some of their personal details being<br />
changed - and some of these details may<br />
have been changed by the players<br />
themselves…. no money has been<br />
deposited or withdrawn from affected<br />
player accounts," Camelot added.<br />
In fairness to Camelot, it took<br />
immediate steps to remedy the situation.<br />
Reputation wise, however, the damage<br />
was already done, as many industry<br />
commentators have been quick to note.<br />
James Lyne, global head of security<br />
research at Sophos, points to the<br />
importance of using a different password<br />
on each website. "Otherwise, a breach of<br />
any one web service could provide access<br />
to your entire online life. We would<br />
recommend users change their password<br />
on any service where they use the same<br />
email address and password<br />
combination. Cyber criminals have<br />
executed numerous campaigns reusing<br />
stolen credentials recently, so avoiding<br />
sharing passwords across sites is key."<br />
Sophos offers its top password tips here:<br />
https://nakedsecurity.sophos.com/2014/10/01/how-to-pick-a-proper-password<br />
MULTI-FACTOR AUTHENTICATION<br />
The simplest way to block this type of<br />
breach from happening is with multi-factor<br />
authentication, states Barry Scott,<br />
CTO, Centrify EMEA. "After a user enters<br />
their password, the site will confirm it is<br />
really them before allowing access,<br />
maybe by asking them to enter a specific<br />
code or by replying to a text. Even with<br />
multi-factor authentication in place, it is<br />
always good practice to ensure<br />
passwords are unique.<br />
"I can't emphasise enough that<br />
passwords must not be reused across<br />
websites and multi-factor authentication<br />
should always be enabled, if offered by<br />
the site. In fact, users should be<br />
demanding it from the sites they use.<br />
Similarly, businesses need to realise<br />
attempts to breach them are inevitable<br />
and they should be providing customers<br />
with multi-factor authentication as<br />
standard, in order to protect against the<br />
main cause of data breaches -<br />
compromised credentials."<br />
SIGNIFICANT ROLE<br />
"The National Lottery breach highlights<br />
the challenge all organisations face<br />
today - and reiterates the fact that<br />
consumers have a significant role to play<br />
in protecting their online accounts,"<br />
points out Oliver Pinson-Roxburgh,<br />
EMEA director at Alert Logic. "Attackers<br />
leave digital fingerprints in their network<br />
activity or system logs that can be<br />
spotted, if you know what to look for,<br />
and have qualified people looking for it.<br />
Through continuous monitoring, 24x7,<br />
and being able to distinguish normal<br />
from abnormal, organisations can<br />
identify and act against sophisticated<br />
attackers.<br />
"A passphrase is also highly<br />
recommended, instead of a password.<br />
You can take a common phrase and<br />
create a pattern that means something<br />
to you, then add minor edits, as a way to<br />
keep passphrases different. An example<br />
is: 'The sun rise is great today'. A simple<br />
passphrase could be: Tsr!Gr82day. The<br />
passphrase is 11 characters long and<br />
contains number, upper/lower case<br />
letters and a symbol. The exclamation<br />
mark (!) substitutes for the 'i' in the word<br />
is. You can add something specific to<br />
make the passphrase different on<br />
multiple accounts."<br />
REGULATION COMPLIANCE<br />
Finally, David Navin, head of corporate<br />
at Smoothwall, comments: "No matter<br />
how big or small, all companies must<br />
protect their data, and that of their<br />
partners and suppliers. They need to<br />
comply with regulation and build a<br />
layered security defence which spans<br />
encryption, firewalls, web filtering and<br />
ongoing threat monitoring as well as a<br />
proactive stance. Companies need to<br />
have all the measures and contingency<br />
plans in place so that if a breach does<br />
occur, they are able to recover and instil<br />
customer confidence as soon as<br />
possible."<br />
£3 MILLION PENALTY<br />
And the second blow that Camelot has<br />
suffered of late? The financial penalty<br />
of £3 million that the Gambling<br />
Commission imposed on the company.<br />
This followed an in-depth investigation<br />
relating to an allegation that a<br />
fraudulent National Lottery prize claim<br />
had been made and paid out in 2009,<br />
but which only came to light last year.<br />
It was found that Camelot had breached<br />
the terms of its operating licence in<br />
three key aspects: its controls relating<br />
to databases and other information<br />
sources; the way it investigated a prize<br />
claim; and its processes around the<br />
decision to pay a prize.<br />
The £3m penalty package was paid by<br />
Camelot for the benefit of good causes.<br />
This includes £2.5 million to represent<br />
the amount that would have been<br />
received by good causes had the prize<br />
claim not been paid.<br />
If life is a lottery, Camelot will be<br />
hoping that it fares better in 2017. That<br />
said, it is but one of many organisations<br />
that have suffered significant breaches<br />
of late - and anyone predicting that<br />
this year will see several others fall into<br />
the same trap definitely won't need a<br />
winning ticket to prove it.<br />
cloud expo<br />
EVERY EMERGING TECHNOLOGY,<br />
ONE DIGITAL TRANSFORMATION<br />
WALK INTO EXCEL LONDON ON THE 15 AND 16 MARCH<br />
AND ENTER A WORLD OF THE INFINITELY POSSIBLE<br />
Whether you represent a small startup<br />
or a vast corporation, the<br />
Cloud is now a reality in the way<br />
we all do business every day. We're way past<br />
if. We're way beyond when. We're now at<br />
how. And the ‘how’ is very much here in<br />
one industry-leading event over two packed<br />
days, in the presence of the leading minds<br />
and leading suppliers. That makes Cloud<br />
Expo Europe 2017 a must-visit event.<br />
Register online for your FREE ticket at:<br />
www.cloudexpoeurope.com/NetworkComputing<br />
Cloud Expo Europe offers dedicated and<br />
cutting-edge content…<br />
This is a unique opportunity to learn first-hand<br />
what is new and what is next in the<br />
cloud sphere - from conference programmes<br />
packed with hundreds of real practitioners<br />
including Financial Times, ITV, LEGO, Lloyds<br />
Banking Group, LV=, NHS Choices, Ministry<br />
of Defence, Spotify and Schuberg Philis.<br />
Be inspired by over 600 top experts,<br />
including number 1 rated CIOs, acclaimed<br />
global Cloud Leaders, Cloud gurus from Box,<br />
BT, GamingWorks, Google, McLaren<br />
Technology Group, Microsoft, Paypal,<br />
Skyscanner, Spotify, Twitter, Telefonica, l+D,<br />
Vodafone, IBM and VMware.<br />
At the UK's largest technology event, you can meet all the people that matter…

Source the latest products and solutions from 500 cutting-edge suppliers, including Commvault, Docker, Gamma, IBM, Intel, Interoute, Novosco, Navisite, NTT Communications, Pure Storage, Salesforce, Samsung, T-Systems, Trend Micro, VMware, Veeam, Western Digital and Zanyo.

Network with thousands of your peers; with a projected attendance of over 20,000, there has never been a better opportunity to meet industry visionaries, business leaders and people who have faced - and overcome - the same challenges as you.
Surround yourself with rich content, reach new heights and discover…

2017's instalment welcomes new features and content, including DevOps Live, Containers and Open Cloud methodologies, FinTech advances, IoT programmes, Big Data trends and a real-life, fully-functioning Data Centre.
You get all of this within one location, at one time and with one ticket. Once inside, the possibilities are endless…

Safety, security, certainty. It's what Cloud Security Expo offers.

No one implementing cutting-edge cloud technology can afford to ignore security. Cybersecurity is a very real issue that needs very real solutions. Cloud Security Expo 2017 is where you can go to find them.
Secure your cloud with confidence, save yourself money, time and hassle and ensure your business is locked down tight, free to employ the latest breakthroughs and business-winning technology.

The educationally-led conference and exhibition covers the pressing security needs of cloud service providers and major organisations adopting cloud technology. Security professionals such as CISOs and heads of IT security, plus senior IT professionals, including CIOs, CTOs and cloud architects, will gather together to hear experts in the field discuss prevailing security issues, with speakers from organisations including Almairall, Aviva, Canadian Imperial Bank of Commerce, Shell International, Skyscanner, Twitter and UBS.
At Cloud Security Expo, you're in safe company. Lots of it.

To say everyone will be there who really matters gives some idea of the event's reach. If they're anything in cloud security or cloud innovation, then they're likely to be at Cloud Security Expo. There are more than 80 of the world's leading suppliers delivering services and solutions critical to cloud security, including AVG Business by Avast, cPacket Networks, CensorNet, Darktrace, GlobalSign, Hitachi ID Systems, Dual Security, Forcepoint and Trend Micro.

Find out more about Cloud Security Expo at www.cloudsecurityexpo.com
Putting 'things' into action @ Smart IoT London…

You know the what of 'things'. You probably understand the why of 'things'. What you need to fully grasp now is the how of 'things'. That's just where Smart IoT London will come to your aid. Wherever you are on your IoT journey - whether you're exploring how to become a data-centric business or you are looking at the next steps of securing, analysing and integrating this data with your existing or new applications and processes - Smart IoT London really is the place to be and to get into the thick of 'things'.
The Urban IoT Showcase will deliver just this by highlighting how some of the most progressive and exciting IoT programmes developed for the urban environment utilise intelligent technologies, and how their applications will benefit citizens, businesses, policy makers and planners. Smart IoT London is collaborating closely with Innovate UK, the Digital and Future Cities Catapult and leading academics to create a unique space where technology providers, enterprise, city management teams, city planners and the investment community can engage and harness the potential of IoT.

For more information, visit www.smartiotlondon.com
With IoT comes Big Data…

The interpretive and practical 'how to' conference and exhibition, Big Data World, is where you can source ideas, inspiration, products and services from suppliers including Qlik, Splash, Alteryx, Proxem, Dataiku, Differentia Consulting and Time Tender. You can gain the latest insights from more than 80 big data thought leaders, business and government leaders and global visionaries, including Booz Allen Hamilton's Kirk Borne, IBM's evangelist Jeremy Waite, Skype's Mike Hyde, Spotify's Will Shapiro, eBay's Davide Cervellin and Google's Juan Felipe Rincon.
With big data comes the ever-evolving data centre. Cue Data Centre World…

Data Centre World is the compelling and practical event dedicated to tomorrow's world of data centres, in what is the biggest gathering and most truly global event that you are likely to visit.

Whether you are responsible for a server room or a tier 4 data centre, or anything in between, you can equip yourself with the latest knowledge and skills at Data Centre World. Housing products from a total of 30 exhibitors, the DCW Green Data Centre returns to London for the second time! This year, the interactive feature is an out-of-this-world force, spanning up to 400m² and containing over 30 of the world's leading suppliers, including Dunwoody, Fireworks, 2BM, Riello, Uninterruptible Power Supplies, Huber + Suhner, IPU Group and Excool. From cooling units and fans to cables and perimeter fencing, this is an exceptional experience in the offing and just another solid reason to be at Data Centre World 2017.

Visit www.datacentreworld.com for more information.
ALL OF YOUR TECHNOLOGY NEEDS IN ONE LOCATION

Building on the success of the 2016 events, which saw 18,515 attendees flood the ExCeL Centre for Cloud Expo Europe, Cloud Security Expo, Smart IoT London and Data Centre World, the time is almost here to welcome Big Data World to the event stack: boasting five industry-leading events in one location. This is a great opportunity to update your knowledge and skills across the whole technology stack - from data centres to the cloud, covering security, big data issues and the Internet of Things - with just one ticket. Learn from the experts, enhance your skills and be part of the UK's outstanding business technology event in March.

Register online for FREE here: www.cloudexpoeurope.com/NetworkComputing
FACTFILE
WHAT: Cloud Expo Europe
WHEN: 15-16 March 2017
WHERE: ExCeL Centre, London, UK
HOURS: 9.30am-5pm
WEB: www.cloudexpoeurope.com
security operations centres

CENTRE OF ATTENTION

SECURITY OPERATIONS CENTRES - SOCs - ARE ALL THE RAGE, IT SEEMS. BUT THEIR REPUTATION HAS BEEN QUESTIONED, WITH REPORTS THEY ARE FALLING SHORT OF TARGET MATURITY LEVELS
With increased pressure to rapidly innovate and align security initiatives with business goals, security operations centres (SOCs) provide the foundation for how organisations protect their most sensitive assets, and detect and respond to threats. However, recent findings show that the majority of SOCs are falling below target maturity levels, leaving organisations vulnerable in the event of an attack.

This is according to Hewlett Packard Enterprise (HPE), which has just published its fourth annual 'State of Security Operations Report' (2017), providing deep analysis on the effectiveness of organisations' SOCs and best practices for mitigating risk in the evolving cybersecurity landscape.
Published by HPE Security Intelligence and Operations Consulting (SIOC), the report examines nearly 140 SOCs in more than 180 assessments around the globe. Each SOC is measured on the HPE Security Operations Maturity Model (SOMM) scale, which evaluates the people, processes, technology and business capabilities that comprise a security operations centre. A SOC that is well defined, subjectively evaluated and flexible is recommended for the modern enterprise to effectively monitor existing and emerging threats; however, 82% of SOCs are failing to meet these criteria and falling below the optimal maturity level, claims HPE. "While this is a 3% improvement year-over-year, the majority of organisations are still struggling with a lack of skilled resources, as well as implementing and documenting the most effective processes," the company states.

"This year's report showcases that, while organisations are investing heavily in security capabilities, they often chase new processes and technologies, rather than looking at the bigger picture, leaving them vulnerable to the sophistication and speed of today's attackers," says Matthew Shriner, vice president, Security Professional Services, Hewlett Packard Enterprise. "Successful security operations centres are excelling by taking a balanced approach to cybersecurity that incorporates the right people, processes and technologies, and correctly leverages automation, analytics, real-time monitoring, and hybrid staffing models to develop a mature and repeatable cyber defence programme."
STRONG CONNECTION

There has never been a stronger connection between security initiatives and business goals, adds Shriner. "The speed of organisations' adoption of new innovations such as cloud, IoT and big data platforms is matched head-on by advancement of the attackers. The sophistication, agility and scale of attacks has made speed an imperative for any successful security operations centre and has led to a renewed focus on automation, real-time detection and response at scale.

"Along with this focus, we are continuing to see a struggle to find and maintain skilled resources necessary to run security operations. Automation and outsourcing have been utilised to ease this burden with varying degrees of success. Throughout our assessments, performed on six continents, we have seen a multitude of SOC people, process, and technology configurations. Our data provides us with a view of the most effective configurations, along with insights into the opportunities and limitations of automation and outsourcing.

"This year has also seen a sharp decline in maturity for organisations that are opting out of real-time security monitoring in favour of post-event search technologies. While this is a disturbing trend, organisations that have adopted hunt team capabilities as an add-on to their existing real-time monitoring programs have seen success in rapid detection of configuration issues, previously undetected malware infections, and SWIFT attack identification."

Meg Whitman, CEO, speaking at the Hewlett Packard Enterprise Discover 2016 London.
BAD AND GOOD!

Over the last five years, HPE has found that 26.61% of cyber defence organisations that were assessed failed to score a security operations maturity model (SOMM) level 1 - a 1% decrease over last year and a drop for the second year in a row. "These organisations operate in an ad-hoc manner, with undocumented processes and significant gaps in security and risk management," it states. "Yet, after the assessments conducted this year, we found that over the last five years 18% of assessed organisations are meeting business goals and are working toward or have achieved recommended maturity levels, which is 3% better than last year's findings and a 5% improvement in two years."
The assessments have shown some interesting trends. Consistency of mission, technology, management, and staff has a strong effect on the maturity of cyber defence organisations. Teams with low turnover, strong business alignment, and who follow multi-year plans tend to have greater capabilities as well as overall maturity. Organisations are continuing to try a variety of models to create right-size operations, including partnering with service providers or off-shoring specific roles or functions (such as level 1 monitoring). This has mixed results and often solving one challenge creates several new ones.

Hunt teams that perform analysis on historical logs (as opposed to real-time analysis) are being adopted rapidly. HPE found that significant time and effort is being spent on data hygiene, contextualisation and preparation before these hunt teams are able to distinguish true threats from a myriad of misconfigured systems and process deficiencies in the management of IT assets. Increasing levels of workflow and process automation allow organisations to improve consistency, bandwidth, and speed of operations. Many are investing in security incident investigation and management toolsets. Deliberate and diligent implementation of these capabilities as well as proper management has led to positive results.
"The uneven distribution of maturity results across industries can be directly correlated with the experience of negative financial impact from malicious attacks," says HPE. "Organisations that have experienced direct financial loss due to malicious attacks do a better job of immediately maturing to a higher level. This group of organisations continues to grow significantly in number."
KEY OBSERVATIONS

According to the report, therefore, SOC maturity decreases with hunt-only programmes. The implementation of hunt teams to search for unknown threats has become a major trend in the security industry. While organisations that added hunt teams to their existing real-time monitoring capabilities increased their maturity levels, programs that focused solely on hunt teams had an adverse effect.
Hewlett Packard Enterprise Discover 2016 London.

In a few instances, organisations have gone as far as opting for open hunt as the sole means for detection and response, while eliminating SIEM-based real-time monitoring efforts. Many of these organisations were frustrated by security operations that were difficult to staff and not producing the expected value, and thus decided to try something new. The result? Much of the same.
"Searches that return data from misconfigured applications and systems, but not much in terms of useful results about threats to the organisation," reveals HPE. "The maturity of these organisations actually regressed and risks increased, as response to known-bad threats slowed and decreased in consistency. In most cases, the operational context of the previous solution was lost in the transition to a new approach."
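To make the distinction HPE draws concrete, the block below is an added example (not HPE's code, nor that of any SIEM product) that runs a real-time known-bad match beside a retrospective failed-logon hunt over the same constructed events; the asset-context dictionary stands in for the data hygiene and contextualisation work the report says hunt teams must do before their searches separate threats from misconfigured systems. Host names, user names and the indicator value are constructed placeholders.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One normalised log event. All field values used below are constructed."""
    ts: int        # seconds since epoch (constructed)
    host: str
    kind: str      # "auth_fail" or "proc"
    detail: str    # user name for auth_fail, file hash for proc


# Constructed sample log set: build01 has an expired service-account password
# and fails a logon every few seconds (misconfiguration, not an attack);
# wks17 shows a short password-guessing run against several accounts,
# followed by a process whose hash is on the known-bad list.
SAMPLE_EVENTS = (
    [Event(100 + 5 * i, "build01", "auth_fail", "svc_build") for i in range(12)]
    + [Event(130 + i, "wks17", "auth_fail", u) for i, u in
       enumerate(["jsmith", "administrator", "backup", "jsmith", "root"])]
    + [Event(140, "wks17", "proc", "KNOWN_BAD_HASH_PLACEHOLDER")]
    + [Event(150, "db02", "auth_fail", "dbadmin")]
)

# Constructed indicator list of the kind a SIEM matches as events arrive.
KNOWN_BAD_HASHES = {"KNOWN_BAD_HASH_PLACEHOLDER"}

# Constructed asset context: the output of the data hygiene and
# contextualisation work that has to happen before a hunt is useful.
ASSET_CONTEXT = {
    "build01": "expired service-account password (ticket PLACEHOLDER)",
}


def realtime_alerts(events, known_bad=KNOWN_BAD_HASHES):
    """Real-time monitoring: fire on the first event that matches a known-bad
    indicator, without waiting for a batch search window to close. This is
    the known-bad response that hunt-only programmes lose."""
    return [(e.ts, e.host, e.detail)
            for e in events if e.kind == "proc" and e.detail in known_bad]


def hunt_failed_logons(events, threshold=4, asset_context=None):
    """Retrospective hunt over historical logs: hosts with at least
    `threshold` failed logons. Without asset_context every noisy host looks
    like a threat; with it, hosts whose noise has a known cause are reported
    as hygiene findings, so the threat list is what remains after cleaning."""
    fails = Counter(e.host for e in events if e.kind == "auth_fail")
    users = defaultdict(set)
    for e in events:
        if e.kind == "auth_fail":
            users[e.host].add(e.detail)
    threats, hygiene = [], []
    for host, n in fails.most_common():
        if n < threshold:
            continue
        cause = (asset_context or {}).get(host)
        if cause:
            hygiene.append((host, n, cause))             # noisy, but explained
        else:
            threats.append((host, n, len(users[host])))  # distinct users tried
    return {"threats": threats, "hygiene": hygiene}


if __name__ == "__main__":
    print("real-time alerts:", realtime_alerts(SAMPLE_EVENTS))
    print("hunt without context:", hunt_failed_logons(SAMPLE_EVENTS))
    print("hunt with context:",
          hunt_failed_logons(SAMPLE_EVENTS, asset_context=ASSET_CONTEXT))
```

Without the context dictionary the hunt ranks the misconfigured build server above the workstation that actually warrants investigation; with it, the build server is routed to a hygiene queue and the real-time matcher has already raised the known-bad process regardless of when the hunt runs.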
EARLY ADOPTION OUTCOMES

While most organisations in the early adoption phase of this emerging area of security operations are experiencing mixed results, there are some that have successfully added threat hunt capability to their security programs in complementary ways to existing real-time operations.

"HPE is working with organisations that have leveraged the mature methodologies that made their SOC programs successful and expanded those lessons learned into threat hunt."
Here are some other key observations from HPE's findings:

Complete automation is an unrealistic goal. A shortage of security talent remains the number one concern for security operations, making automation a critical component for any successful SOC. However, advanced threats still require human investigation and risk assessments need human reasoning, making it imperative that organisations strike a balance between automation and staffing.

Focus and goals are more important than size of organisation. There is no link between the size of a business and the maturity of its cyber defence centre. Instead, organisations that use security as a competitive differentiator, for market leadership, or to create alignment with their industry are better predictors of mature SOCs.

Hybrid solutions and staffing models provide increased capabilities. Organisations that keep risk management in-house, and scale with external resources, such as leveraging managed security services providers (MSSPs) for co-staffing or in-sourcing, can boost their maturity and address the skills gap.
As organisations continue to build and advance SOC deployments alongside the evolving adversary landscape, a solid foundation based on the right combination of people, processes and technology is essential. To help organisations achieve this balance, HPE recommends:

Mastering the basics of risk identification, incident detection, and response, which are the foundation to any effective security operations program, before leveraging new methodologies such as hunt teams.

Automating tasks where possible, such as response automation, data collection, and correlation to help mitigate the skills gap, but also understanding the processes that require human interaction and staffing accordingly.

Periodic assessment of organisations' risk management, security and compliance objectives to help define security strategy and resource allocation.

Organisations that need to augment their security capabilities, but are unable to add staff, should consider adopting a hybrid staffing or operational solution strategy that leverages both internal resources and outsourcing to an MSSP.
There will be great challenges ahead this year and beyond, adds Matthew Shriner, with further adoption of the new style of IT, adhering to new regulations such as GDPR, an increase in politically motivated attacks and more. "I remain steadfast in the belief that organisations' best defence will be to remain steady with their security operations foundations. Focus on the people. The people will drive the process and the process will ensure the most effective use of the technologies.

"Excel at the basics and enhance capabilities with analytics to uncover advanced attacks with greater visibility across the organisation, providing confidence for your business to innovate securely," he advises.
ALL THE KNOWLEDGE YOU WANT, ALL OF THE CONFIDENCE YOU NEED.

No business can afford to ignore cloud security. Cloud security is a very real complex issue that needs very real solutions. Cloud Security Expo 2017, taking place on the 15th and 16th March at ExCeL London, will give you the confidence you need. And more.

Access over 150 expert speakers, 80 leading international vendors and network with thousands of security and technology professionals. All free of charge. Secure your ticket at WWW.CLOUDSECURITYEXPO.COM/COMPUTINGSECURITY

15-16 March 2017 ExCeL, London

Register for your FREE ticket today at www.cloudsecurityexpo.com/ComputingSecurity
BIG DATA WORLD
15-16 March 2017 ExCeL, London
www.bigdataworld.com
EVERY EMERGING TECHNOLOGY. ONE DIGITAL TRANSFORMATION JOURNEY.