CS1701

Computing
Security
Secure systems, secure data, secure people, secure business
SHARP RESISTANCE
New moves to keep
out the intruders
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
LIVING IN LA LA LAND
How Lottery operator Camelot
woke up to a nightmare
IN CONTROL?
Security Operations Centres
come under close scrutiny
GIVE US YOUR MONEY!
How ransomware became
big business - and may get
even bigger in 2017
Computing Security Jan/Feb 2017

comment
POSTGRAD DEGREES TO FIGHT CYBERCRIME
It is a mark of the times we live in that a new line-up of cybersecurity degrees has been
launched to help fight hackers and online criminals, as demand for skilled specialists
grows. With billions of pounds being lost to the economy through cybercrime, Arden
University, Coventry, has been working with industry specialists to develop four new IT
postgraduate degrees to give graduates skills fill vacancies in high-demand sectors such as
strategic IT management, telecoms and cybersecurity.
The launch of the courses comes as the UK government has recognised and responded to
the need to improve national cybersecurity, with chancellor Phillip Hammond pledging to
spend £1.9bn to upgrade resilience (see also News, page 7).
"If we do not have the ability to respond in cyberspace to an attack which takes down our
power network - leaving us in darkness or hits our air traffic control system, grounding our
planes - we would be left with the impossible choice of turning the other cheek, ignoring
the devastating consequences or resorting to a military response," Mr Hammond said worryingly,
as he unveiled the government's National Cyber Security Strategy in London recently.
"That is a choice we do not want to face and a choice we do not want to leave as a
legacy to our successors."
Meanwhile, cybersecurity vacancies have grown by 73% in the last year alone, indicating
what a challenge the UK is up against in dealing with the threats that it faces - ones that
are now expanding at an alarming rate.
Dr Ben Silverstone, who leads the Postgraduate Computing programmes at Arden
University, said: "Cybersecurity is more important than ever and there is growing, lucrative
demand for graduates with specialist skills. We designed these new postgraduate degrees
with employability in mind - with the demand for highly qualified IT professionals growing
at such a rapid pace, we want to equip our graduates with the skills to fill vacancies in key
sectors of the IT field, such as cybersecurity."
The MSc Security Management degrees teaches the management and deployment of IT
security, including infrastructure, policy making, governance and compliance. IT systems
and business strategy alignment are covered in the MSc Strategic Information
Management course, while the MSc Enterprise Architecture Management degree focuses
on the design and deployment of IT infrastructure and systems to support business objectives.
The MSc Telecommunications Management looks at skills needed to develop business
improvement opportunities, and manage the design and implementation of network solutions.
It's a small step in the right direction, but so much more needs to be done.
Brian Wall
Editor
Computing Security
brian.wall@btc.co.uk
EDITOR: Brian Wall
(brian.wall@btc.co.uk)
NEWS EDITOR: Mark Lyward
(mark.lyward@btc.co.uk)
PRODUCTION: Abby Penn
(abby.penn@btc.co.uk)
LAYOUT/DESIGN: Ian Collis
(ian.collis@btc.co.uk)
SALES:
Edward O’Connor
(edward.oconnor@btc.co.uk)
+ 44 (0)1689 616 000
PUBLISHER: John Jageurs
(john.jageurs@btc.co.uk)
Published by Barrow & Thompkins
Connexions Ltd (BTC)
35 Station Square,
Petts Wood, Kent, BR5 1LZ
Tel: +44 (0)1689 616 000
Fax: +44 (0)1689 82 66 22
SUBSCRIPTIONS:
UK: £35/year, £60/two years,
£80/three years;
Europe: £48/year, £85/two years,
£127/three years
R.O.W:£62/year, £115/two years,
£168/three years
Single copies can be bought for
£8.50 (includes postage & packaging).
Published 6 times a year.
© 2017 Barrow & Thompkins
Connexions Ltd. All rights reserved.
No part of the magazine may be
reproduced without prior consent,
in writing, from the publisher.
www.computingsecurity.co.uk Jan/Feb 2017 computing security
@CSMagAndAwards
3

Secure systems, secure data, secure people, secure business
Computing Security Jan/Feb 2017
contents
CONTENTS
Computing
Security
SHARP RESISTANCE
New moves to keep
out the intruders
IN CONTROL?
Security Operations Centres
come under close scrutiny
NEWS
OPINION
INDUSTRY
COMMENT
CASE STUDIES
PRODUCT REVIEWS
LIVING IN LA LA LAND
How Lottery operator Camelot
woke up to a nightmare
GIVE US YOUR MONEY!
How ransomware became
big business - and may get
even bigger in 2017
COMMENT 3
POSTGRAD DEGREES LAUNCHED
TO FIGHT CYBERCRIME
NEWS 5
• Outlook bleak as passwords cracked
• Hackers and the fear of flying
• 10-step cyber assessment tool released
INTRUSION DETECTION 8
Perimeter defence and intrusion detection
have been a mainstay of the network
security stack for well over a decade. But
how are they evolving to meet escalating,
more sophisticated attacks?
ARTICLES
RANSOMWARE 16
More than 80% of resellers think
customers are most concerned with
fresh ransomware threats
TIME TO THINK TWICE! 22
Over and again, human weakness - and
curiosity - are complicit in aiding attackers
to get inside an organisation's defences.
How can this be prevented?
TIME TO STOP LIVING IN
FANTASY LAND 24
National Lottery operator Camelot did not
have the greatest of years in 2016. No
doubt it took in lots of money, but it also
took plenty of flak. Not that surprising,
when tens of thousands of customers had
their online accounts breached.
CLOUD EXPO EUROPE 26
Walk into the ExCel London exhibition
centre on the 15-16 March and you will
be entering a world that promises the
infinitely possible, technology wise
REVIEW
• CYjAX Intelligence Platform 17
PREDICTIONS 2017 11
Security breaches ripped through the
castle walls of one organisation after
another last year. Can we expect 2017
to be any different? The early forecasts
are not that encouraging
WHEN WILL WE EVER LEARN? 18
Having suffered two of the largest hacks
in history, Yahoo ended 2016 on a low
note, with its approach to cyber security
brought seriously into question. What
went so wrong?
CENTRE OF ATTENTION 28
Security operations centres - SOCs -
are all the rage, it seems. But their
reputation has been called into
question, with reports that many are
falling short of target maturity levels
4
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

news
Ed Vaizey
CENTRE OF EXCELLENCE FOR DUBLIN
10-STEP CYBER SELF-ASSESSMENT TOOL LAUNCHED
Eoin Hinchy
Businesses in Scotland are facing an
unprecedented level of threat to their
operations, according to a senior police
chief and security expert. The stark
warning, from the deputy director of the
Scottish Business Resilience Centre (SBRC),
chief inspector Ronald Megaughin, comes
following the launch of a free-to-use selfassessment
tool designed to tackle the
broad concerns facing businesses.
Developed in partnership with the
Scottish Government, Police Scotland and
the Scottish Fire and Rescue Service,
'10 Steps to Business Resilience' is
intended for businesses to proactively
ensure their resilience. The assessment
covers the following topics: Keeping
the show on the road; Information
Management; Cyber Security; Protecting
Valuables; Looking after staff and
customers; Selecting and Keeping Staff;
Supplier Management/Procurement; Fraud
Prevention; Understanding and Managing
Risk; Protecting the Brand.
More information: www.10steps.co.uk
DocuSign has opened a Cybersecurity
Centre of Excellence in Dublin as part of
its ongoing commitment to Europe and
protecting its customers' data and
privacy. The centre will be committed
to conducting research into the latest
cyberattacks and trends, while
developing tools for the advanced
detection of such threats.
"Our customers are committed to
undertaking digital transformations
which are underpinned by a high level
of security and trust," commented Eoin
Hinchy, director of Information Security
at DocuSign. "This trust can only be built
on a weight of cybersecurity intelligence
and a culture of constant innovation that
ensures their data is safeguarded.
"With the proliferation of cyberattacks
continuing to grow every day, it is
essential to stay ahead of these
challenges and mitigate any risk.
This is exactly what the research and
development and the customised security
tools from the Centre of Excellence will
help us do."
HACKERS CAN 'READ' BANK CARD DETAILS 'IN SECONDS'
In response to experts from Newcastle
University revealing that criminals can work
out the card number, expiry date and
security code for a Visa debit or credit card
in as little as six seconds using guesswork,
Howard Berg, SVP UK & Ireland at Gemalto,
had this to say: "It is crucial that
organisations better understand how to
protect themselves and their customers,
AI USED TO BLOCK 'CATEGORY 3'-STYLE ATTACKS
AdaptiveMobile says it has demonstrated
protection against a range of sophisticated,
stateful attacks on SS7 networks with one
of the largest networks in APAC.
Using the latest in artificial intelligence (AI)
and machine learning, AdaptiveMobile
states, it has blocked complex threats with
asymmetric traffic flows, further solidifying
the company's commitment to use
advanced techniques in threat detection
and enabling them to meet the needs of
the most demanding Tier-1 networks.
"Using the latest in AI techniques and
as it is no longer a question of if, but when,
a hack will occur. Security measures such as
dynamic card verification, which prevents
CCV card information from being stored in
a static format, is helping to limit card fraud
online. By changing the code as quickly as
the bank wants, even if a hacker gets access
to the number, there's only a limited time
period for which it'll be valid."
cutting-edge, self-learning algorithms,
the company's Signalling Protection has
demonstrated protection against
sophisticated attacks such as network
anomaly and trajectory plausibility,
amongst others," it stated.
These types of attacks are commonly
referred to in the industry as 'Category 3'-
style attacks. "Artificial intelligence moves
beyond simple rules-based approaches,
reduces false positives, improving ease of
management and user experience for the
operators," added AdaptiveMobile.
???
5
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

news
HACKERS AND THE FEAR OF FLYING
MALWARE HAVOC UNLEASHES AN AVALANCHE
Following claims that a flaw could allow
hackers to take control of a plane, using the
in-flight entertainment system, Myles Bray, vice
president, EMEA, at ForeScout Technologies,
had this to say: "The concept of hackers being
able to take control of a plane through the inflight
entertainment system is not new. Last
year a prominent hacker claimed he made a
plane 'climb' and move 'sideways' after
infiltrating its in-flight entertainment system.
While the current claims to take control of
lighting systems and make in-flight
announcements sounds unsettling, rather
than fatal, they set a worrying precedent. As
the number of connected systems grow, the
risk of hackers gaining full access to the
network through them rises exponentially.
Without adequate security systems in place to
automate the process of identifying and
quarantining an infected system, users and
businesses will continue to be at risk."
Internet security vendor Bitdefender has
joined forces with Europol and other
partners to aid with 'Operation Avalanche'.
This is a cross-jurisdiction, cross-industry
clean-up effort aimed at targeting malware
families that have wrought havoc in recent
years, and have inflicted significant damage
to both business and consumer computer
users all over the world.
The targeted malware families include
over 20 old (yet functioning) botnets, as
well as newer and better known threats.
Catalin Cosoi, chief security strategist at
Bitdefender, commented: "Removal is a
critical step that victims need to take, in
order to ensure the extinction of these
malware families. Even if our products
have successfully detected these threats
since their emergence, the removal tool
we built as part of the cooperation with
Catalin Cosoi
Europol allows victims running other
security solutions - or no solution at all -
to successfully disinfect their machines
and clean up after the botnet."
THE SEARCH IS ON FOR I.T. TALENT
DEPLETED CYBER SKILLS POOL MUST BE REPLENISHED
A new study from Trustwave and Osterman
Research, based on a survey of 147 IT security
decision makers and influencers, has found
that a fast-moving confluence of skills
shortages, worsening threats and
disproportionate spending habits is leaving
organisations increasingly vulnerable to data
breaches, malware, phishing and a variety
of other information security problems that
can have serious or even devastating
consequences.
Some 57% of respondents said that finding
and recruiting IT talent are their biggest
challenges, with only 8% believing threequarters
or more of their staff have the
specialised skills and training needed to
handle complex issues. The study also found
that three times as many respondents would
rather grow their staff’s skills and expertise
than grow the number of people on their
team. Further, skills are lacking in key areas,
with about 40% of respondents saying their
most inadequate skill sets are in emerging
and evolving security threats.
James Hatch
The UK government's recently announced
National Cyber Security Strategy 2016 to
2021 is to be welcomed by the cyber
security industry - with reservations.
"The online threat landscape is in a
constant state of flux and the additional
£1.9 billion investment will be vital in
reducing the UK's cyber risk exposure," said
James Hatch, director of Cyber Services at
BAE Systems Applied Intelligence. "However,
whilst the government's strategy is to be
applauded, there are key issues that will
determine its ultimate success."
The strategy identifies that progress from
the 2011-2016 strategy has been slower
than expected, necessitating additional
Government intervention, he pointed out.
"Talent is a significant concern, with 'few
graduates and others with the right skills
emerging from the education and training
system'. Producing the next generation of
cybersecurity professionals will be crucial to
the success of the strategy, and both
industry and government should focus
resources on education and promotion of IT
security as a viable and value career choice
for students prior to higher education level.
"To do this, we need a collaborative
approach between government and the IT
security industry to identify the knowledge
and skills gaps in the market, and devise
education programmes tackling these
shortages - replenishing a depleted talent
pool in the long-term," he added.
6
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

case study
news
AKAMAI ACQUIRES CYBERFEND
OUTLOOK BLEAK AS PASSWORDS CRACKED
Akamai Technologies has acquired Cyberfend,
an innovator in bot and automation
detection solutions for web and mobile
environments, in an all-cash transaction. The
acquisition is intended to further strengthen
Akamai's existing bot management and
mitigation services. Credential theft and abuse
is a significant problem for online businesses
and their customers.
Recent industry estimates place the number
of compromised user credentials (eg,
usernames, passwords, email addresses)
exfiltrated during major breaches and
currently in circulation in the billions. The
value of these stolen credentials can be worth
as much as two to five times more than basic
credit card information.
NEW POSTGRADUATE I.T. DEGREES
Charl van der Walt
Thousands of UK businesses are immediately
at risk from potential compromise of their
Outlook Web Access platform. That's
according to new research from SecureData.
This suggests close to 0.5% of all organisations
in its study could be cracked using a
combination of publicly available email
addresses from previous data breaches and
poor password security behaviour by users, as
they reuse passwords between professional
and personal applications.
The researchers analysed 1.5million
compromised email addresses from 173,000
individual organisations in the UK. SecureData
could crack 92% of passwords where the
compromise included the hashed or one-way
encrypted password. From this sample of
organisations, 1,226 could be identified as
using Outlook Web Access.
Charl van der Walt, head of security strategy
at SecureData, commented: "We developed
this research as a vehicle to illustrate the
increasing security challenge, as employees mix
their corporate and personal online universes.
This is exacerbated by enterprise risk models
that fail to appreciate how attackers view their
business, reflecting instead their own view as
to what is valuable."
'BREAKTHROUGH' DATA GOVERNANCE AND PROTECTION
New cybersecurity degrees have been
launched to help fight hackers and online
criminals, as demand for skilled specialists
grows. With billions of pounds being lost to
the economy through cybercrime, Arden
University has been working with industry
specialists to develop four new IT
postgraduate degrees to give graduates
skills to fill vacancies in high-demand
sectors such as strategic IT management,
telecoms and cybersecurity.
The launch of the courses comes as the
UK government recognises the need to
improve national cybersecurity, with
chancellor Phillip Hammond pledging to
spend £1.9bn to upgrade resilience. At the
same time, cybersecurity vacancies have
grown by 73% in the last year alone.
QinetiQ's data security company Boldon
James and Varonis Systems, provider of
software solutions that protect data
from insider threats and cyberattacks,
have announced the integration of
Boldon James Classifier data classification
solution suite with the Varonis Metadata
Framework platform. This, it is said, will
enable organisations to ensure their
most valuable data is monitored and
protected against the rapidly growing
threats arising from both insiders and
external cyberattacks.
"The combined value of the Varonis and
Boldon James solutions helps to reduce
the business risk of valued and sensitive
information ending up in the wrong
hands, while enhancing decision making
and increasing the effectiveness of
enterprise search and retrieval," stated
the two vendors.
"The combined offering of Varonis
and Boldon James Classifier enables
Martin Sugden
organisations to identify, protect and
monitor their most valuable data,
wherever it is located," said Martin
Sugden, CEO at Boldon James. "This
partnership adds significant value to our
mutual customers… offering the widest
range of products and best-of-breed
integrations."
Ste
www.computingsecurity.co.uk Jan/Feb 2017 computing security
@CSMagAndAwards
7

intrusion detection
MANNING THE PERIMETER WALLS
PERIMETER DEFENCE AND INTRUSION DETECTION HAVE BEEN A MAINSTAY OF THE NETWORK SECURITY
STACK FOR WELL OVER A DECADE. BUT HOW ARE THEY EVOLVING TO MEET ESCALATING, MORE
SOPHISTICATED ATTACKS?
8
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

intrusion detection
As the industry grew smarter and
more focused on the nature of
threats it faced, next-generation
firewalls (NGFW) emerged, but these
focused on the rules at the edge of the
network, and making and expressing how
applications and services are allowed to
access the outside world. However, this
did not fully solve the problem of stopping
intrusions. "That's where next-gen
intrusion prevention systems (NGIPS) came
in, argues Andrew Bushby, UK director,
Fidelis Cybersecurity, "and even these have
now evolved."
NGIPS find and stop the more dangerous
unknown threats that push through a
next-gen firewall. "Traditional IPS were
originally designed to identify attacks
targeting known vulnerabilities," he says.
"However, the exploits hackers use have
changed - attackers are no longer servercentric
and are now using unexpected
pathways to target enterprises and
distributed endpoints. This is forcing
organisations to take a hard look at their
IPS and assess whether they need to buy
new NGIPS to optimise their existing
security stack.
"By deploying NGIPS that use modern
approaches to detecting and stopping
attacks - such as reassembling sessions,
not packets, and using Yara-based rule
sets - companies can detect modern
intrusions that traditional IPS cannot see,"
adds Bushby. "This means that
organisations can see the entire inbound
and outbound communication stream,
which is critical to detecting and stopping
attackers in their tracks."
NGIPS also need a degree of automation
to validate network-based alerts and
quarantine suspicious endpoints as well as
being easily scalable; for example, through
a cloud-based deployment. "This is
particularly important when you consider
the seemingly endless array of
'complementary' security components
companies have amassed over the years -
such as firewalls, antivirus, as well as
NGIPS - and the fact breaches are still
happening. Alerts should also have
integrated forensics, providing contextual
detail on a suspected threat. As well as
this, it's essential that new intelligence can
be automatically applied to the past when
scrutinising the rich metadata on the
network and endpoints.
Only with all these measures in place,
he points out, will NGIPS "truly be
capable of taking on the cyber threats of
the modern world".
DEFENDING AGAINST OUTSIDE FORCES
According to the InfoSec Institute, which
has been training information security
and IT professionals since 1998 with a
diverse line-up of training courses, a key
means of monitoring and protecting
against outside forces intruding beyond
an organisation's defences is to deploy a
SIEM (security information and event
management) solution.
Writing on InfoSec Institute's website,
Jatin Jain stresses how such solutions
normalise, filter, correlate, assemble and
centrally manage other operational events
to monitor, alert on, respond to, analyse,
audit, and manage security and
compliance pertinent information.
"SIEM systems provide fundamental
security operations like other product
categories. Their functions and delivery
mechanisms, hardware appliances,
virtual appliances and services vary by
vendor. They provide more efficient and
useful analysis capabilities for
information security professionals and
their organisations," states Jain, who has
wide experience in the information
security domain, embracing information
security audit, web application audit,
vulnerability assessment, penetration
testing/ethical hacking and also acted as
a corporate trainer.
Andrew Bushby, Fidelis Cybersecurity:
hackers are now using unexpected
pathways to target enterprises and
distributed endpoints.
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2017 computing security
9

intrusion detection
"SIEMs collect and centrally manage records
of network, application, device, security, and
user activity from different infrastructure
sources. The most common form of event
log data is an audit file generated by a
system, commonly captured via syslog
protocol. Manually reviewing many diverse
log sources has been proven ineffective, slow,
conducive to error, and frustrating to security
personnel. In addition, at some point a given
log file may be overwritten with newer data,
whereby previous audit information will
be lost."
RULE AND CONQUER
It is important to know what device sources
in your operating environment must be
supported and how your environment will
support a security information and event
management solution to receive or pull in
necessary event log data.
"For example, if a device's event log function
is activated, some SIEMs may require the use
of agents or credentialed means of access to
obtain event log data. SIEM vendors publish
the devices, support and provide updates to
maintain and expand device support,
Identification of problems, attacks and
violations for which SIEMs serve an action
[typically called an incident]," says Jain. "An
incident is an event or occurrence that
satisfies a rule and condition, or multiple
rules and conditions. Rules can also be
statistically derived event thresholds. The
capacity for real-time correlation is
determined by two factors: the amount of
events per second, and the breadth of
attributes and logic that can applied by the
SIEM's rule engine."
SIEMs also help in identifying a company's
specific issues or scenarios of interest,
extending operating controls and
communicating at different level of severity,
he adds. "An event will have a corresponding
severity as reported by a device within the
event log. It can be automatically adjusted by
the SIEM, based on the rule-rule logic or rule
customisation. A SIEM alert will also provide
underlying event triggers for further
investigation. In addition, SIEMs also offer
different event consolidation, alert
suppression and case management
capabilities to facilitate incident response,"
he points out.
"The best means for achieving SIEM
implementation success is via phases, rather
than through an 'all at once' approach. It can
break many projects into smaller phases:
initial installation, replacement and
expansion. The implementation and
maintenance of SIEM will be easier, if the
document and management process is
better," he concludes.
TOP 10 BEST PRACTICES:
Perimeter defences - monitor and report on key status, attacks and configuration changes associated with perimeter defences
Intrusion detection - monitor, respond and report on key status, notifications and incidents with regards to intrusion detection, system threats
Malware defence - monitor and report on key status, violation, issues, threats, and activity supporting malware controls
Application defences - monitor and report on key status, configuration changes, issues, violation and anomalous activity with regard to the
web, database, and other application defences
Establish key monitoring and reporting requirements prior to deployment, which includes objectives, targets, compliance controls,
implementation and workflow
Determine the system's scopes, infrastructure audit targets, necessary credentials, and verbosity
Compliance - includes management of audit data accessibility, retention, integrity, evidentiary requisites, and disposal
Access control - monitor and report on key status, transgression and anomalous access to critical resources
Resource integrity - monitor and report on key status, backup processes, configuration changes, threats, and vulnerabilities affecting network
system resources integrity and availability
Acceptable use - monitor and report on key status and issues violation activity regarding the acceptable use of resources and information.
10
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

predictions 2017
IT'S A MIXED-UP, MUDDLED UP, SHOOK-UP WORLD
SECURITY BREACHES RIPPED THROUGH THE DEFENCES OF ONE ORGANISATION AFTER ANOTHER LAST
YEAR. CAN WE EXPECT 2017 TO BE ANY DIFFERENT?
One thing that last year and just
about any recent year will be
remembered for is the succession
of big names that suffered a major
breach - leaving them red-faced, often
out of pocket and chastened by how
easily the cybercriminals tore through the
outer walls and seized their valuable
data. Or, more accurately, the data of
tens of thousands, even hundreds of
thousands, of clients who had trusted
them to keep their information safe.
The bad news is that, judging by past
performance, 2017 will be no better. In
fact, it could be a whole lot worse. Why?
Because endless warnings from the
experts about how to keep their data safe
have had seemingly little effect on far
too many organisations. A lack of a clear
strategy across the business that is
enforced at all levels is to be discovered
all too often after a breach has occurred.
For whatever reason, despite the
mayhem they see around them as others
succumb to breach after breach, they
don't put in place the safeguards that
will serve to prevent the hackers from
getting in - or at least implement systems
that will provide early detection of a
breach and minimise the damage.
FUTURE IMPERFECT
We've been speaking to a number of
security experts about what 2017 may
hold in store and here are some of their
considered predictions:
"Regulations that address the vast
majority of cybersecurity threats already
exist," says Tom Kemp, CEO of Centrify.
"It's the adoption of key technologies
that help to adhere to these regulations
that's lacking. And that isn't to say that
companies aren't trying. Many already
have teams devoted to meeting the
regulations they fall under. Still, in
2017, we'll likely see a renewed effort
by regulators to accelerate the
implementation of security technologies.
Ignoring the regulations or inching
toward adherence will no longer be
acceptable.
"After a hugely successful 2016, we'll
see increases in ransomware. Companies
may start to actually budget money to
buy back their own data after a
ransomware event. As long as the
majority of ransoms remain relatively
11
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

predictions 2017
low, companies will continue to pay
them, and they may do so without
involving law enforcement to avoid
disruption and blemishing their brands.
"We'll see widespread adoption of twofactor
authentication - a fundamental
technology that effectively addresses a
problem that's grown too big to ignore.
Despite a hack in early August that
resulted in the loss of 120,000 bitcoin
worth $65m, the cryptocurrency quickly
rebounded and has grown in popularity.
Expect some additional security measures
to be implemented in the exchanges."
NEW IDENTITY SOLUTIONS
Identity will once again raise its ugly
head, warns Garry Sidaway, SVP Security
Strategy & Alliances at NTT Security. "We
have known for a long time that
passwords do not provide the necessary
level of assurance that is required in the
mobile digital age. Convenience and
security are uneasy bedfellows and,
although passwords are convenient, they
are increasingly seen as weak tokens of
identity. The demand for convenience by
the consumer and digital workforce and
the increase in mobile phone use will
drive a renewed emphasis for identity
solutions. Combining something you
have with somewhere you are and
something you know will see the decline
of passwords as the primary
authentication method. This
combination of physical and digital, with
the emergence of advanced
authentication methods, will provide the
catalyst for new identity solutions."
"The digital workforce lives and works
in a society where mobile is king and
most other things are being replaced by
it - from mobile cash to social mobile.
Our phone is now our digital hub,
controlling how we are identified and
authenticated into our world and how
we control and interact digitally. Because
of this, we will see threat vectors
concentrate on the devices in our hand
rather than the devices on our laps.
Security is traditionally focused on
backend systems or containers - but this
approach will have to change, with
protection built into mobile devices from
the ground up."
YEAR OF THE EMPLOYEE
2017 will be the year of the employee
for multiple reasons, states Paul
Calatayud, CTO, FireMon. "As physical
cyber defences are built up within
organisations, it will become more
difficult to attack actual machines and
therefore cyber attackers will shift
towards targeting internal employees.
Another way employees will be at the
heart of cyber security in organisations is
neglect, particularly in large enterprises
with so many users accessing so many
systems. This neglect, though a natural
by-product, inevitably leads to
compromise.
"It could also be the lack of skilled
employees that will be a bigger issue
in 2017, due to the void of skilled
individuals with cyber security skills
coming through the ranks. Cyber
personnel will become a rare commodity
like we have never seen before.
Organisations have received the message
and are staffing and investing, but that
demand generates a supply that is not
available. As an alternative, there will
be new and exciting innovations and
adoption of philosophies such as DEV-
SEC-OPS. This is simply the act of
developing automation where possible
within a cyber program, in order to free
up staff resources.
"The biggest risks for business heading
into 2017, in regards to cloud adoption
and security, will be how best to manage
the risks as organisations increase their
adoption from basic non-regulated data
to more regulated data. This will put a
lot of pressure on CISOs and security
Andy Powell, Capgemini UK: in 2017,
we'll expect to see cyber-attacks take
a more sinister turn.
Jeff Costlow, ExtraHop: security budget
dollars will start going to solutions that
deliver real-time situational awareness
across the network.
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2017 computing security
12

predictions 2017
Garry Sidaway, NTT Security: our phone is
now our digital hub, controlling how we
are identified.
Tom Kemp, Centrify: companies may
budget money to buy back their data
after a ransomware event.
shops to move off the 'wait and see' and
into response mode."
NEXT-GEN CYBERATTACKS
2017 will see more next-generation
cyberattacks against specific individuals
and organisations, cautions Noam
Rosenfeld, SVP, Cyber Intelligence
Solutions, Verint Systems. "Carefully
planned and methodical, those attacks
will use multiple vectors - including web,
email, malicious files - dynamically
adapting to exploit zero-day and other
network vulnerabilities. The malware
carrying out these attacks will initially
investigate network vulnerabilities,
disabling network security measures and
infecting other points and devices. It will
use fewer command and control servers,
but will wait for the right time to extract
data from the network. Many
organisations will realise that they have
suffered data breaches and been under
attack for weeks, months, even years.
"CISOs will finally understand that
antivirus and next generation firewalls
aren't enough. Knowing signatures,
black-and-white listing, and recognising
pattern-based techniques won't stop the
latest threats. In 2017, CISOs will have
had enough and will drive cybersecurity
as a strategic and integral part of the
organisation - not just a series of
approximations. They won't want to
hear about the latest and greatest point
solutions - good results won't be enough
to buy the technology," adds Rosenfeld.
"Instead, security solutions must show
their ROI - that they can identify threats
operating above the control baseline and
provide actionable intelligence directing
resources to discovering, investigating,
and stopping the threats. Alert fatigue
needs to become a thing of the past.
CISOs will want to know how all the
security elements in the networks are
operating - and working together.
They'll want something that gathers all
information from all the point solutions,
giving them complete situational
awareness of the digital environment."
SCARY TIMES
2016 was a big year in IT security, and a
scary one, says Jeff Costlow, director of
security, ExtraHop. "Some security experts
estimate that ransomware took in a
billion dollars over the past 12 months,
with more than 4,000 attacks occurring
every day. In 2017, these threats are only
poised to get more sophisticated. We
already have Mirai source code and we
know ransomware is big business. This
will be the year we see the first effective
DDoS ransoms. Prior to now, there have
been DDoS ransoms, but they haven't
been nearly as effective as the
ransomware application. Enterprises
will need to equip themselves to not
only thwart these attacks, but anticipate
and detect them earlier.
"Over the next 12 months, I believe that
we're also going to see the first effective
hacks against two-step authentication
(note the difference between two-step
authentication and two-factor
authentication; two-factor uses two
different mechanisms, while two-step
uses an extra step). I've long called twostep
authentication 'one-and-a-half
factor', because it's better than a simple
password, but definitely not as good as
a full two-factor authentication,
which requires inputting two unique
authentication elements only known to
the user. So many passwords have been
leaked in the last few years, the bad guys
now have a good statistical model of a
password and will put that to use
against two-step in 2017," states
Costlow.
What does all of this mean? "2017 may
be the year that IT security finally moves
to the final stage of grieving perimeter
security: acceptance. As we've seen, over
and over again, no matter how well
13
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

predictions 2017
fortified the perimeter, bad actors get in.
And they are only getting better at it.
The time has come to acknowledge that
these malicious actors - whether
employees, contractors, or outside
agitators - are already inside the
network. In turn, expect to see security
budget dollars start going to solutions
that deliver real-time situational
awareness across the network. The days
of data centres being banks without
surveillance cameras in every hallway will
be over, because the results of this slip in
security have proven to be so
catastrophic over the past few years."
DDOS ESCALATION
Dave Larson, CTO/COO at Corero
Network Security, also homes in on the
Mirai botnet. "While it is certainly
fearsome in terms of its size, its capacity
to wreak havoc is also dictated by the
various attack vectors it employs. If a
variety of new and complex techniques
were added to its arsenal in 2017, we
may see a substantial escalation in the
already dangerous DDoS landscape, with
the potential for frequent Terabit-scale
DDoS events, which significantly disrupt
our Internet availability.
"While the motivations for such attacks
are endless, the range of potential
political and economic fallouts from such
attacks could be far-reaching. Our entire
digital economy depends upon access to
the Internet and so organisations should
think carefully about business continuity
in the wake of such events. For example,
it may be prudent to have back-up
telephone systems in place to
communicate with customers, rather
than relying solely on VOIP systems,
which could also be taken down in the
event of an attack," says Larson.
EVERYONE IS A TARGET
2016 was another year of significant
breaches across many industries, of
course, demonstrating that, while cyber
criminals are ever more intent on stealing
critical data, they are not targeting
specific verticals to achieve it. That's an
important point to fully and completely
understand, says Brian Chappell director,
Technical Services EMEAI & APAC,
BeyondTrust.
"In 2017, the simple fact remains:
everyone is a target for hackers. This will
become more relevant as the IoT
continues to expand with ever more
devices being sold that are internet
connected, each one expanding the
attack surface presented to the hackers.
As we closed out 2016, tools like Mirai
clearly demonstrated the risk that the IoT
represents, not only to the environments
hosting the devices but also to everyone
else. This year is likely to be the year of
DDoS, but it's not all bad; we can expect
to see the first commercialised anti-DDoS
organisations appearing, directly
attacking the botnets by patching
vulnerable systems forcibly, for example.
"It's not all bad," Chappell reasures us.
"This year will also see a lot of positives.
Password re-use should diminish both in
the user space and the admin space.
With a multitude of personal password
management tools available across
multiple platforms, users should
continue to be encouraged to trust these
tools and use them for different, strong
passwords across all the systems they
use. In 2017, we'll see more
organisations encouraging their users to
take up these tools, perhaps even
funding them."
RANSOMEWARE SURGE
"This year saw the shocking rise of
ransomware attacks on hospitals and
other public services, such as the San
Francisco public transit, demonstrating
the wide variety of applications for the
same ransomware threat," states Jerome
Segura, malware intelligence analyst at
Malwarebytes. "Healthcare organisations
especially will continue to fall victim to
nefarious hackers in 2017. Unfortunately,
the healthcare industry will always be
popular targets for ransomware attacks
due to the sheer amount of data stored.
Medical IoT devices are on the rise, from
insulin pumps to wireless connected
pacemakers, and hospital networks are
home to a host of files on both patients
and corporations. To make matters
worse, hospital data systems frequently
don't have the best security protection,
all too often running out of date
software. Cyber security basics still need
to be learned, from the importance of
data backups to the need for a layered
approach to endpoint security.
"While zero-day threats must be
approached with constant vigilance,
most malware is still designed based on
vulnerabilities that have already been
known to security professionals for at
least one year. For hackers, the effort to
build a new variant of pre-existing
malware is more economical than
uncovering new vulnerabilities on which
to base the creation of completely new
malware. As such, new types of existing
exploits are steadily increasing and will
continue to do so," adds Segura.
UTILITIES UNDER ATTACK
The cyber attack on the Ukrainian power
grid in 2015 gave the world a real
insight into what hackers are capable of
- and that leaves Andy Powell, VP, head
of cybersecurity at Capgemini UK, deeply
concerned. "With an increasing amount
of smart devices entering the utilities
space, and with phishing tactics and
malware becoming more refined, a
similar attack could very well be
imminent," he warns. "In 2017, we'll
expect to see cyber-attacks take a more
sinister turn. It's possible that we might
even see the first real-world hack of a
connected medical device. If hackers use
ransomware for attacks of this nature, it
will have a debilitating effect for the
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2017 computing security
14

predictions 2017
Brian Chappell, BeyondTrust: Password
re-use should diminish both in the user
space and the admin space.
Jerome Segura, Malwarebytes: healthcare
organisations especially will continue to
fall victim to nefarious hackers in 2017.
healthcare, utility and, in particular, the
manufacturing industry, in which
ransomware is becoming more
prevalent, as the tools are now being
made available by state actors."
CAR CONTROLS HACKING
For Javvad Malik, security specialist at
AlienVault, the way that computers have
been steadily taking over more vehicle
functions, increasing security
vulnerabilities a result, does not bode
well for the future. "Hacking into
vehicles, accessing functions or locating
their whereabouts are becoming more
commonplace. There's a push by
automotive manufacturers to install
more intelligence, functionality and
automation into vehicles. But, with
these additions, he warns, come more
vulnerabilities. "There's no easy fix - but
the consequences of a vulnerability in
a vehicle can be a lot more catastrophic
than one on a website."
SPYING AND DRONES
There is likely to be more widespread use
of VPNs to evade new government spying
measures, suggests Robert Page, lead
penetration tester at Redscan Cyber
Security. The introduction of the
Investigatory Powers Bill will probably
mean that an increasing number of web
users will turn to VPNs and Tor in 2017 to
avoid their use of websites and services
like instant messaging applications being
disclosed to the authorities, he says.
"While this part of the bill isn't designed
to detect illegal activity outright - an
application to acquire a person's internet
connection records will only be granted
following a justifiable case - that won't
deter many users from wanting to use
conceal activity on either shadowy or
ethical grounds."
Page also predicts increased targeting
of drones by hackers. "While drones and
unmanned aircraft have great potential
to improve the speed and efficiency of
everyday services, their ability to inflict
injury and damage means that the
government and manufacturers need to
place more emphasis on enhancing their
security in 2017. With frequent reports
of low-cost, commercially available
drones being flown in unauthorised
areas, even models used by amateurs are
a threat in the wrong hands. Plans to
update EU safety and privacy rules
governing the use of drones, coupled
with the introduction of the drone code,
will definitely go some way to stem fears.
More work will need to be done with
manufacturers, however, to ensure that
cyber security fears are fully addressed."
CLOUD SECURITY
Finally, David Ferbrache, technical
director in KPMG's cyber security
practice, sees Cloud security coming of
age in 2017: "Cloud services have finally
grown up and recognised the need to
provide clients with the functionality
they need to implement effective security
and compliance solutions. A well
managed cloud environment can offer
levels of security and resilience that
many organisations would struggle to
replicate internally; and, even in
regulated industries, 'cloud as the first
choice' has become the mantra."
Executives demand certainty - even
where there may be none: "Cyber
security programmes have been well
established in big corporates. Executives
are now holding their CISOs to account
to explain what has been achieved by
their investments, occasionally
demanding unreasonable certainty.
Suddenly, the challenge has become just
what does money buy you in reducing
the impact and ideally the likelihood of a
cyber breach - and just where does cyber
insurance figure in that decision calculus.
Boards are recognising that getting the
basics right matters, but so does being
ready to respond to an increasingly
inevitable cyber breach," he concludes.
15
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

ansomware
RANSOMWARE TOP OF THREAT LIST
MORE THAN 80% OF RESELLERS THINK CUSTOMERS ARE MOST CONCERNED WITH NEW RANSOMWARE THREATS
Corey Nachreiner, WatchGuard: security
customers are wondering how best to
protect themselves.
WatchGuard's new global channel
partner survey on cyber security
reveals that 83% of resellers
believe that ransomware will be their
customers' largest concern this year. In
addition, 16% believe the majority of
their customers would pay a cyber
ransom and 65% believe at least some of
their customers would pay. This
willingness or necessity to pay, coupled
with the increasing threat of
ransomware, could prove costly for
businesses in the coming year.
"The proliferation of ransomware
reached epidemic proportions in 2016, so
it makes sense that resellers are
forecasting it as the top threat next year,"
says Corey Nachreiner, chief technology
officer at WatchGuard. "On top of cyber
extortion, security customers are hearing
about tons of other new attacks and
threat vectors each day, and they're
wondering how best to protect
themselves."
The WatchGuard survey was designed to
capture resellers' perspectives on
customer cyber threat concerns.
Conducted by independent market
research firm Vanson Bourne, the survey
examined the views of more than 1,400
WatchGuard partner organisations across
the globe.
About 4% of reseller respondents
believe that less than half their customers
have the proper resources in place to
adequately manage incoming security
alerts. Many SMBs simply don't have the
time or personnel necessary to focus on
the management of network security
solutions and the mitigation of growing
cyber threats. Only 5% of surveyed
resellers believe all their customers have
these resources in place, while 7% believe
none of them do at all.
UTM OR NGFW?
Of the total surveyed partner
organisations, 63% do not think the
majority of their customers understand
the difference between Unified Threat
Management (UTM) appliances and Next
Generation Firewalls (NGFW). Nearly 80%
do not think their customers care about
the difference between the two appliance
categories at all - and only want to know
that their business is protected by the
latest threat prevention solutions.
This suggests that security customers
are trusting channel resellers and
managed security service providers to
make informed recommendations about
security appliances and strategies. Over
the course of the last two years, nearly
75% of reseller respondents'
organisations have seen the most growth
in UTM appliance sales, while only
around a quarter have seen the most
sales growth in NGFW appliances.
16
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

product review
CYJAX INTELLIGENCE PLATFORM
The cyber threat landscape is
evolving at such a pace that
businesses need to be even more
inventive in protecting confidential data.
In many cases, threat updates and
signatures provided by security partners
aren't enough and now require a
blended approach.
The CYjAX Intelligence Platform is
designed to work with existing security
solutions where it enhances them with
brand-specific intelligence on cyber
threats. It doesn't require additional onsite
hardware or software and presents all
its findings in a customisable web portal.
Created by career intelligence and
technical experts in 2012, CYjAX
automates the collection of threat
intelligence information to enable
advanced monitoring and analysis
capabilities. A key priority is providing
factual intelligence on the latest threats,
including those from data breaches,
cloud computing, social media,
mainstream news and, yes, even the
darknet.
CYjAX has a sharp focus on protecting
Pii (personally identifiable information) -
something many financial institutions are
failing to do. Only recently, a well-known
bank suffered an unprecedented attack
on its online services resulting in a £2.5m
loss. It got off very lightly, but won't be
so fortunate when the GDPR (general
data protection regulation) comes into
force in 2018, as it calls for punitive fines.
We found the CYjAX web portal to be
very intuitive, as it's designed to present
only those findings that match your
requirements. The home page opens
with a wealth of real-time report
modules using widgets to provide
information on areas such as live
tweets, news feeds, phishing
campaigns, darknet marketplaces and
those of particular interest to law
enforcement agencies.
Along with a report overview, the home
page provides a daily brief which filters
out information not relevant to your
industry vertical. This provides handy
updates on your company's sphere of
operations and clicking on an entry
brings up a full report.
The portal can be used to view general
information about these topics, but comes
into its own when you use keyword
datastreams. These describe anything from
a brand, a person's name or domain to an
IP address, email account, credit card
number or third party.
Once keywords have been added,
CYjAX starts sending newly discovered
intelligence on them to the relevant
dashboard modules. You can also
subscribe to datastreams and receive
regular email updates on them when
new information has been discovered.
The dashboard provides full search
facilities for all the intelligence
datastores, making it easy to home in on
an area of interest. The results can be
refined, as the search page allows you to
pick a specific datastore to interrogate,
with options including darknet forums,
web pages and marketplaces.
The new DataLeak Datastore feature
will prove invaluable, as it already
contains details of around 2.5 billion
compromised email credentials. The
datastore can be searched and, once
you've advised CYjAX which domains
belong to you, its reports will provide
information about data leaks specific to
your organisation.
Called Pastes, the second data leak
module lists data files pasted into web
sites that contain Pii. Selecting an entry
reveals its entire contents and CYjAX's
API service allows this information to be
extracted and used by your resident
systems to improve their security posture.
CYjAX Intellimetrics provides
customisable dashboards with graphical
views of selected threat intelligence data.
These can be viewed over a specific
period or in real-time, allowing
businesses to identify and track threat
behaviour patterns.
Enterprises need to up their game, if
they want to stay ahead of the latest
security threats. The CYjAX Intelligence
Platform is a sophisticated solution that
works in tandem with existing security
products and delivers a critical defence
layer that protects your all-important
brand reputation. CS
Product: Intelligence Platform
Supplier: CYjAX Ltd
Web site: www.cyjax.com
Sales: info@cyjax.com
Tel: 020 7096 0668
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2017 computing security
17

yahoo fallout
WHEN WILL WE EVER LEARN?
HAVING SUFFERED TWO OF THE
LARGEST HACKS IN HISTORY,
YAHOO ENDED 2016 ON A LOW
NOTE, WITH ITS APPROACH TO
CYBER SECURITY BROUGHT
SERIOUSLY INTO QUESTION.
WHAT WENT SO WRONG?
Many would have been forgiven if
they reacted to the massive breach
at Yahoo last year as beyond
comprehension. After all, we still have this
(perhaps naïve) idea that big companies
think and act big, and that it's the minnows
who are much more likely to be the victims
of hackers. And with companies of the size
and scale (and wealth) of Yahoo, one might
think they would throw infinite resources at
keeping their customers' information safe.
"A breach of this size is almost
unfathomable - even disregarding the
fact this was the second massive breach
disclosure from Yahoo in a matter of
months," says Ed Macnair, CEO,
CensorNet." There's clearly been some
historic security failings at the company
and they are now paying the price.
"We're living in an era where any data
held online is inherently insecure and, if
the right controls aren't in place, someone
will steal it. While the numbers impacted in
this case are massive, Yahoo isn't the first
and won't be the last, unless businesses do
better at protecting the information they
hold. While one would hope that most
Yahoo account holders changed their
passwords earlier in the year [when the first
breach took place], relying on that as a
method of dealing with lost details can't go
on much longer.
"It should have become clear to almost
everyone that the password/ username
method is broken and to stop events like
this we need a new system in place. The
tools, like multi-factor authentication,
already exist; we now need to force their
use and make it harder for hackers to get
what they want. This situation will carry on
repeating itself until we make a change."
OUTDATED MODEL
Paul German, CEO, Certes, refers to Yahoo's
"outdated cyber security model which takes
a, 'protect', 'detect', 'react' approach which
simply does not work. The problem lies in
the fact that, once inside a network, there
is a significant delay before a hacker is
detected, leaving them free to move
18
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

yahoo! fallout
uninhibited, accessing vast quantities of
sensitive data and wreaking havoc. A single
hack could be forgiven as unlucky, but twice
smacks of a complete unwillingness to act
and take the security of its customers'
sensitive data seriously."
As far as he is concerned, there is a
fundamental step missing - damage
limitation. "At whatever point a hacker enters
a network, they must be contained,
restricting the data they can access and the
damage they can inflict before they are
detected. This obvious step is missing from
the cyber security strategies of some of the
world's biggest organisations and is the
reason we are seeing hacks that affect
consumers on such a massive scale.
However, by looking to approaches such as
cryptographic segmentation to contain a
threat, businesses can ensure a hacker
cannot roam freely across its network,
significantly limiting the impact of an attack."
EASY ACCESS
As Steven Malone, director of security
management at email security firm
Mimecast, is at pains to point out, email is
one of the most vulnerable windows into an
organisation - which makes it no surprise
that 91% of cybercrime starts with an email.
"Considering the inherent weaknesses of
email, it is critical that organisations take
proactive measures to secure themselves
from simple phishing emails right through to
impersonation and weaponised
attachments. Nowadays, effective malware is
easily bought online, meaning that criminals
with little to no computer skills are free to
send infected emails. It is also vital that
organisations look to train employees, as
they will always remain the gatekeepers into
organisations. Some alertness can go a long
way, spotting giveaways in the emails so
perfectly crafted they could have be sent by
a colleague or close friend."
FORENSIC EVIDENCE
David Gibson, VP of strategy and market
development at Varonis, believes
organisations should be taking steps not
only to safeguard data, but also provide
forensic evidence when the worst happens.
"The first step in a data security strategy
should be to instrument your environment to
be able to: a) see who is accessing data,
when, and how; b) profile normal behaviour;
and c) alert on abuse. Step two should be to
identify sensitive data and ensure that only
the right people have access (ie, the principle
of least privilege). Step three is to implement
automated processes and human
checkpoints to verify that controls put in
place stay in place, so you don't backslide to
an insecure state.
"Interestingly, if Yahoo hadn't instrumented
their environment to detect evidence of
intrusion, they may never have 'officially'
discovered the recent two data breaches….
The upcoming breach notification
requirements will also place a new burden
on data controllers like Yahoo," Gibson adds.
Under the General Data Protection
Regulation (GDPR), the IT security mantra is
clear: 'always be monitoring'.
TOO LITTLE, TOO LATE
Once the breach had been unearthed, Yahoo
notified potentially affected users, asking
them to promptly change their passwords
and adopt alternate means of account
verification - but that was very much
slamming the barn door shut after the horse
had well and truly bolted. The first breach,
remember, took place in 2014, so whatever
remedial action Yahoo has recommended
since the discovery of the breach in October
this year is all too little, too late. The damage
has already been well and truly done. Yahoo
ARE WE PASSING THE PASSWORD TEST?
New online research commissioned by credit information provider Equifax reveals that how we manage our
passwords could mean we are leaving an 'open door' for fraudsters. According to the responses of over
2,000 people, more than a quarter (27%) change their online passwords less than once a year and 23%
never change their passwords without being prompted. It appears the over 55s are the most lax - with 29%
of them admitting to infrequently updating their passwords.
Lisa Hardstaff, identity fraud expert at Equifax, believes the fact that people now have so many passwords to
remember could be a reason why they don't regularly update their passwords. "Our research revealed that
nearly a third of consumers (31%) have more than five passwords. This demonstrates that people in the UK
are definitely doing the right thing in ensuring that, if a fraudster accesses one of their passwords, they can't
access all their other accounts by using the same password. However, good practice is to ensure that you
regularly change your passwords and, worryingly, over a quarter of Brits do that less than once a year."
Lisa Hardstaff, Equifax.
Passwords can be the first barrier that online criminals face when trying to access someone's personal details,
she adds. "So, understanding what makes a password strong can help keep information safe."
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2017 computing security
19

yahoo! fallout
David Gibson, Varonis: organisations
should be providing forensic evidence
when the worst happens.
Paul German, Certes: there is a
fundamental step missing - damage
limitation.
users should have been better protected
and, even allowing for the fact that a breach
occurred at all, that intrusion and theft
should have been detected at the time.
The fact that the company was quick to
invalidate unencrypted security questions
and answers, so they couldn't be used to
access an account, is of scant comfort to
those whose data has been taken and used
for whatever purposes. The time lapse of
two years between the breach and finding
out they were victims was something of
a double blow. If the breach had been
discovered at the time, they might well
have been less impacted.
In advice to all its account holders,
Yahoo also made the following security
recommendations:
Change your password and security
questions and answers for any other
accounts on which you used the same or
similar information used for your Yahoo
account
Review your accounts for suspicious
activity
Be cautious of any unsolicited
communications that ask for your
personal information or refer you to
a web page asking for personal
information
Avoid clicking on links or downloading
attachments from suspicious emails
Additionally, consider using Yahoo
Account Key, a simple authentication
tool that eliminates the need to use
a password altogether.
These recommendations are mostly to be
found in any issue of Computing Security
magazine about the world we now live in -
and, incidentally, have lived in for some
time - as is Yahoo's warning about how an
"increasingly connected world has come with
increasingly sophisticated threats". Industry,
government and users "are constantly in the
crosshairs of adversaries", it states. That kind
of statement now seems no more surprising
than being told the sun will come up in the
morning.
It's hard to see what solace its account
holders will extract from Yahoo's undertaking
that, through what are strategic proactive
detection initiatives and active response to
unauthorised access of accounts, "Yahoo
will continue to strive to stay ahead of these
ever-evolving online threats and to keep our
users and our platforms secure".
DARK, DARK DAYS
Meanwhile, how have other industry
observers generally responded to the
breach? "With the complex, data-rich, IT
environments organisations run today, there
is always a high possibility of yet another
breach, with customer data making its way
onto the dark web," says Gavin Millard,
EMEA technical director, Tenable Network
Security. "As we continue to add more
technologies to our networks and as
attackers become more sophisticated, it's
important that organisations have a rapid
process for determining the impact of the
breach and a robust approach in addressing
the ensuing post-breach fallout."
Leo Taddeo, chief security officer, Cryptzone,
states that the loss of unencrypted security
questions and answers creates a risk for
enterprises that rely on this technique to
enhance security for traditional credentials.
"The best defence is to deploy access
controls that examine multiple user
attributes before allowing access. This type
of 'digital identity' makes it much harder for
a hacker to take advantage of the type of
information lost by Yahoo," he comments.
Alex Mathews, EMEA technical manager,
Positive Technologies, points out how almost
every year we see reports of millions of
leaked accounts of Yahoo/Hotmail/Gmail/
iTunes/etc. He stresses the need for complex
password protection on the part of users and
the responsibility that also lies with them to
do everything to keep themselves safe.
20
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

yahoo! fallout
"Despite many warnings, millions of users will
still use very simple passwords like 1111,
'qwerty', or their own names," he says.
"According to Positive Technologies research,
the password '123456' is quite popular, even
among corporate network administrators: it
was used in 30% of corporate systems
studied in 2014. Hackers use the dictionaries
of these popular passwords to bruteforce the
user accounts, so perhaps now is the time to
employ a little creativity."
Mathews also refers to the additional
protection offered by Yahoo in the form of
Account Keys: "It would be prudent for any
users that decide to continue using its service
to employ this as a matter of urgency."
CAUGHT NAPPING
Troy Gill, manager of security research at
AppRiver, regards such a breach as no
surprise. "The sad reality is this is the latest in
a long list of organisations that have been
caught napping when it comes to protecting
customers' data and I don't think we've seen
the last confession yet. In fact, as technology
infiltrates every facet of our lives, we are only
opening the door for these types of events to
be both more frequent and by all likelihood
more impactful.
"Keeping customers' data secure should be a
top priority for all enterprises. A determined
hacker can be quite difficult to detect, but
organisations need to commit to hardening
themselves to these types of attacks. This
breach serves as a stark warning to all
organisations that no company is too big
or too small a target."
Richard Cassidy, UK cyber security evangelist
at Alert Logic, raises further concerns over
how the Yahoo account data seems to have
already been monetised (in part) and firmly
distributed via various cybercriminal
networks. "It is indeed very unfortunate;
service providers such as Yahoo will always be
a high-value target for bad actor groups on
the DarkWeb, especially those looking to
prove credibility and stamp their name in the
data heist record books (per se)."
FUTURE THINKING
He adds that stopping every threat is a
panacea that many argue is impossible to
achieve. "Regardless of organisation size or
security capabilities in-house, there needs to
be a paradigm shift in how we view
susceptibility to threats, and how we architect
our current security framework around threat
detection and early warning of nefarious
activity. Relying on legacy layered security
solutions, with no correlation on activity from
application to network layer, can leave
organisations at greater risk of a data breach."
It's here that we need to shift our thinking
and architecture, Cassidy says. "Organisations
need to assess their risk status to data
breaches, understand the market they
operate in, their competitors and, of course,
the threat vectors most likely to be seen,
architecting security capabilities that reduce
that risk profile and enable better trust
relationships between third parties and
customers, all with the aim of keeping key
data security assets as protected as current
technology capabilities permit.
"Furthermore, reliance on automated
security scanning functions can lead to key
indicators of compromise going undetected;
the human expert analysis approach ensures
a level of assurance around protection from
even the most advanced malware threats or
zero day activity that may be targeted against
the organisation."
MASSIVE IMPACT
Corey Williams, senior director, products and
marketing, Centrify, says this is "less of a story
about 500 million user accounts being stolen
and more about how lax security and poor
handling of incidents can impact the very
existence of a company. The stakes for
properly securing access to corporate
resources and handling security incidents
couldn't be higher".
Ed Macnair, CensorNet: the password/
username method is broken and to stop
events like this we need a new system.
Steven Malone, Mimecast: email is one of
the most vulnerable windows into an
organisation.
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2017 computing security
21

anti-malware
TIME TO THINK TWICE!
OVER AND AGAIN, HUMAN WEAKNESS - AND CURIOSITY - ARE COMPLICIT IN AIDING ATTACKERS TO GET
INSIDE AN ORGANISATION'S DEFENCES. HOW CAN THIS BE PREVENTED?
While ensuring that systems and
applications are fully updated to
protect a business against malware
is essential, more can always be done -
ultimately it all comes down to where the
line is drawn between minimum level of
acceptable security and absolute overkill for
the problem at hand. At a basic level, the
following should at least be considered, says
Daniel Driver, head of perception cyber
security at Chemring Technology Solutions:
User security awareness training, in order
to make users 'think twice' before clicking
the link, plugging the USB drive in or
divulging any data to external parties that
could be used to build an attack. This will
also cover simple concepts to minimise
impact, if a user account were breached,
such as good password management to
avoid the same password being used
across multiple sites
Periodic auditing and review of the
security of the environment ensures that
no legacy equipment is left unmanaged,
user accounts are live and do not have
excessive network/system access, no
rogue device have been plugged in, and
that there isn't simply a better way to
configure a device for improved security
and operation.
"While it is important to do all of the above,
it is possible that a determined attacker will
use more advanced evasion and infiltration
techniques, such as using social engineering,
to get a valid password from an employee or
use their own zero-day threats [custom
malware]," warns Driver. "For those instances,
it is important to know that malware is
active on your system as soon as possible, so
that remedial action can be taken.
Monitoring for unusual activity on your
network provides this insight."
In addition to the prevention of malware, it
is important to consider how you respond,
should the systems be breached. "With
ransomware being a very current example,
would backups allow a user or organisation
to recover data quickly, with minimal loss of
data or service?" he asks.
In the end, he advises, it comes down to a
question of how important your data is and
how much investment an adversary wants
to make, so they can gain access to it. "You
could implement all best practices by the
latest software updates, keeping AV up to
date and using the most robust firewalls,
but a threat actor is likely to be able to
mitigate all these protections with enough
time and tenacity.
"A more sophisticated network monitoring
layer is needed, which constantly identifies
and classifies behaviour to quickly identify
malicious behaviours. As malware becomes
increasingly intelligent and devious, so a step
change is needed, as the technology used to
combat it must match it."
ON THE FRONTLINE
According to research analyst organisation
22
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

anti-malware
Forrester, endpoint security represents the
frontline in your fight against cyberattackers.
"Breaches have become commonplace
among enterprises, and your employee
endpoints and servers are targeted more
than any other type of asset," it states in the
company's report, 'The Forrester Wave:
Endpoint Security Suites, Q4 2016'.
"The effects from these security breaches
can be devastating, causing a company to
lose revenue, market reputation and market
competitiveness. Unfortunately, inadequate
endpoint security leaves the doors wide open
to a variety of attacker techniques and tools,
including malware, software exploits and
social engineering. Now, more than ever, it's
critical to have the right endpoint protection
in place.
"Security budgets have risen significantly in
the past few years, with endpoint security
budgets commanding, on average, 10% of
the overall IT security budget in 2016.2
Despite the available budget for new
investments, security pros struggle to find
the right tools to protect the expanding
attack surface posed by employee devices."
As the numbers of new malware variants
and methods of obfuscation rise, antivirus
technologies have become less effective at
protecting employee endpoints and servers.
Numerous competing technology vendors
have risen up to take aim at the stagnant
antivirus market as a result. On the other
hand, many of the traditional antivirus
vendors have not taken this lying down.
Some have adapted by either building or
acquiring new technologies that do not rely
on older, blacklist-based malware protection.
Others have augmented their anti-malware
engines with additional analysis capabilities
that go beyond static blacklisting. This has
led to a highly fragmented market with a
number of different approaches to endpoint
security, each with its own set of benefits
and challenges, adds Forrester.
To cut through the market confusion,
advises Forrester, it's useful to categorise
vendor capabilities into three core needs:
attack prevention, detection and
remediation. "Point products generally meet
one need, while endpoint security suites
meet two or all three, with varying levels of
automatic policy enforcement between
each." Before making any new purchases,
consider a vendor's ability to meet each of
these needs, it continues, specifically how
well they are able to meet those three needs:
Prevent malware and exploits from
executing. Functionally, an endpoint
security suite should create an
environment where malware can't load
into memory or an exploit is unable to
take advantage of a running process. It
may also prevent threats by reducing the
attack surface, with measures such as
system hardening and application
control
Detect malicious activity post-execution.
Knowing attackers will inevitably get past
preventive controls, modern endpoint
security suites monitor running memory
to identify malware and exploited
applications before they achieve their
malicious goals. Some solutions focus
solely on process behaviour, while the
most advanced solutions include user
behaviour in their analysis to build
context for a complete picture
Remediate and contain malicious activity
and potential vulnerabilities. Once a
modern endpoint security suite identifies
malicious endpoint activity or a potential
vulnerability, it should be able to launch
automated remediation without
significant admin involvement.
Remediation functions include
executable/file quarantining,
configuration roll-back, and targeted
blocking of process/user behaviours,
among others. Vulnerability remediation
techniques (such as patch deployment)
are included here as well; these often
augment prevention measures.
Daniel Driver, Chemring Technology
Solutions: a more sophisticated network
monitoring layer is needed.
To assess the state of the endpoint security
suite market and see how the vendors stack
up against each other, Forrester evaluated
the strengths and weaknesses of top
endpoint security suite vendors. After
examining past research, user need
assessments, and vendor and expert
interviews, it developed a comprehensive set
of evaluation criteria.
Forrester's research uncovered a market in
which, it states, Trend Micro, Sophos,
Symantec, Kaspersky Lab, Intel Security, and
Carbon Black are leaders. Cylance, Landesk,
CrowdStrike, ESET, Palo Alto Networks, IBM,
SentinelOne and Invincea offer competitive
options, it adds, while Bromium, in
Forrester's opinion, lags behind.
The full report, authored by Chris Sherman,
with Christopher McClean, Salvatore
Schiano, and Peggy Dostie, is available to
purchase at:
https://www.forrester.com/report/The+Forre
ster+Wave+Endpoint+Security+Suites+Q4
+2016/-/E-RES113145
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2017 computing security
23

software verification
TIME TO STOP LIVING IN FANTASY LAND
National Lottery operator Camelot did not have the greatest of
years in 2016. No doubt it took plenty of money, but it also took
plenty of flak. Tens of thousands of customers had their online
accounts breached. That old jingle, ‘It could be you’, was one
that Camelot no doubt came to see in another light
The tail-end of 2016 was not a good
one for Camelot, the operator of
the National Lottery. It suffered two
body blows that have left its reputation
somewhat tarnished, to say the least.
Indeed, if Camelot is compared to the
mythical castled city whence its name is
derived, where King Arthur held court,
you would have to say that its attitude to
cyber security has been unreal in the
extreme, and much lacking in chivalry
and valour.
The first blow will be known to anyone
who has ever picked up a newspaper,
read one online or switched on their
television set. It dates back to last
November when thousands of customer
accounts on the National Lottery website
may have been compromised. Camelot
at the time said "around 26,500 players'
accounts were accessed. The National
Lottery operator became aware of
'suspicious activity' on a number of
players' online National Lottery accounts.
"Of our 9.5 million registered online
players, we believe that around 26,500
players' accounts were accessed," it
stated back then. "A much smaller
number - fewer than 50 - have had some
activity take place within the account
since it was accessed. This was limited to
some of their personal details being
changed - and some of these details may
have been changed by the players
themselves…. no money has been
deposited or withdrawn from affected
player accounts," Camelot added.
In fairness to Camelot, it took
immediate steps to remedy the situation.
Reputation wise, however, the damage
was already done, as many industry
commentators have been quick to note.
James Lyne, global head of security
research at Sophos, points to the
importance of using a different password
on each website. "Otherwise, a breach of
any one web service could provide access
to your entire online life. We would
recommend users change their password
on any service where they use the same
email address and password
combination. Cyber criminals have
executed numerous campaigns reusing
stolen credentials recently, so avoiding
sharing passwords across sites is key.
Sophos offers its top password tips here:
https://nakedsecurity.sophos.com/2014/1
0/01/how-to-pick-a-proper-password
MULTI-FACTOR AUTHENTICATION
The simplest way to block this type of
breach from happening is with multifactor
authentication, states Barry Scott,
CTO, Centrify EMEA. "After a user enters
their password, the site will confirm it is
really them before allowing access,
maybe by asking them to enter a specific
code or by replying to a text. Even with
multi-factor authentication in place, it is
24
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

software verification
always good practice to ensure
passwords are unique.
"I can't emphasise enough that
passwords must not be reused across
websites and multi-factor authentication
should always be enabled, if offered by
the site. In fact, users should be
demanding it from the sites they use.
Similarly, businesses need to realise
attempts to breach them are inevitable
and they should be providing customers
with multi-factor authentication as
standard, in order to protect against the
main cause of data breaches -
compromised credentials."
SIGNIFICANT ROLE
"The National Lottery breach highlights
the challenge all organisations face
today - and reiterates the fact that
consumers have a significant role to play
in protecting their online accounts,"
points out Oliver Pinson-Roxburgh,
EMEA director at Alert Logic. "Attackers
leave digital fingerprints in their network
activity or system logs that can be
spotted, if you know what to look for,
and have qualified people looking for it.
Through continuous monitoring, 24x7,
and being able to distinguish normal
from abnormal, organisations can
identify and act against sophisticated
attackers.
"A passphrase is also highly
recommended, instead of a password.
You can take a common phrase and
create a pattern that means something
to you, then add minor edits, as a way to
keep passphrases different. An example
is: 'The sun rise is great today'. A simple
passphrase could be: Tsr!Gr82day. The
passphrase is 11 characters long and
contains number, upper/lower case
letters and a symbol. The exclamation
mark (!) substitutes for the 'i' in the word
is. You can add something specific to
make the passphrase different on
multiple accounts."
REGULATION COMPLIANCE
Finally, David Navin, head of corporate
at Smoothwall, comments: "No matter
how big or small, all companies must
protect their data, and that of their
partners and suppliers. They need to
comply with regulation and build a
layered security defence which spans
encryption, firewalls, web filtering and
ongoing threat monitoring as well as a
proactive stance. Companies need to
have all the measures and contingency
plans in place so that if a breach does
occur, they are able to recover and instil
customer confidence as soon as
possible."
£3 MILLION PENALTY
And the second blow that Camelot has
suffered of late? The financial penalty
of £3 million that the Gambling
Commission imposed on the company.
This followed an in-depth investigation
relating to an allegation that a
fraudulent National Lottery prize claim
had been made and paid out in 2009,
but which only came to light last year.
It was found that Camelot had breached
the terms of its operating licence in
three key aspects: its controls relating
to databases and other information
sources; the way it investigated a prize
claim; and its processes around the
decision to pay a prize.
The £3m penalty package was paid by
Camelot for the benefit of good causes.
This includes £2.5million to represent
the amount that would have been
received by good causes had the prize
claim not been paid.
If life is a lottery, Camelot will be
hoping that it fares better in 2017. That
said, it is but one of many organisations
that have suffered significant breaches
of late - and anyone predicting that
this year will see several others fall into
the same trap definitely won't need a
winning ticket to prove it.
‘Barry Scott, Centrify: passwords must
not be reused across websites.
James Lyne, Sophos: a breach could
provide access to your entire online life.
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2017 computing security
25

cloud expo
EVERY EMERGING TECHNOLOGY,
ONE DIGITAL TRANSFORMATION
WALK INTO EXCEL LONDON ON THE 15 AND 16 MARCH
AND ENTER A WORLD OF THE INFINITELY POSSIBLE
Whether you represent a small startup
or a vast corporation, the
Cloud is now a reality in the way
we all do business every day. We're way past
if. We're way beyond when. We're now at
how. And the ‘how’ is very much here in a
one industry-leading event over two packed
days, in the presence of the leading minds
and leading suppliers. That makes Cloud
Expo Europe 2017 is a must-visit event.
Register online for your FREE ticket at:
www.cloudexpoeurope.com/NetworkCo
mputing
Cloud Expo Europe offers dedicated and
cutting-edge content…
This is a unique opportunity to learn firsthand
what is new and what is next in the
cloud sphere - from conference programmes
packed with hundreds of real practitioners
including Financial Times, ITV, LEGO, Lloyds
Banking Group, LV=, NHS Choices, Ministry
of Defence, Spotify and Schuberg Philis.
Be inspired by over 600 top experts,
including number 1 rated CIOs, acclaimed
global Cloud Leaders, Cloud gurus from Box,
BT, GamingWorks, Google, McLaren
Technology Group, Microsoft, Paypal,
Skyscanner, Spotify, Twitter, Telefonica, l+D,
Vodafone, IBM and VMware.
At the UK's largest technology event, you
can meet all the people that matter…
Source the latest products and solutions
from 500 cutting-edge suppliers, including
Commvault, Docker, Gamma, IBM, Intel,
Interoute, Novosco, Navisite, NTT
Communications, Pure Storage, Salesforce,
Samsung, T-Systems, Trend Micro, VMware,
Veeam, Western Digital and Zanyo.
Network with thousands of your peers;
with a projected attendance of over 20,000,
there has never been a better opportunity to
meet industry visionaries, business leaders
and people who have faced - and overcome
- the same challenges as you.
Surround yourself with rich content, reach
new heights and discover…
2017’s instalment welcomes new features
and content, including DevOps Live,
Containers and Open Cloud methodologies,
FinTech advances, IoT programmes,
Big Data trends and a real-life, fullyfunctioning
Date Centre.
You get all of this within one location,
at one time and with one ticket. Once
inside, the possibilities are endless…
safety, security, certainty. It's what Cloud
Security Expo offers.
No one implementing cutting-edge cloud
technology can afford to ignore security.
26
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

cloud expo
Cybersecurity is a very real issue that needs
very real solutions. Cloud Security Expo 2017
is where you can go to find them.
Secure your cloud with confidence, save
yourself money, time and hassle and ensure
your business is locked down tight, free
to employ the latest breakthroughs and
business-winning technology.
The educationally-led conference and
exhibition covers the pressing security needs
of cloud service providers and major
organisations adopting cloud technology.
Security professionals such as CISOs
and heads of IT security, plus senior IT
professionals, including CIOs, CTOs and
cloud architects will gather together to
hear from the experts in the field discuss
prevailing security issues, including
Almairall, Aviva, Canadian Imperial Bank
of Commerce, Shell International, Sky
scanner, Twitter and UBS.
At Cloud Security Expo, you're in safe
company. Lots of it.
To say everyone will be there who really
matters gives some idea of the event’s
reach. If they're anything in cloud security or
cloud innovation, then they're likely to be at
Cloud Security Expo. There are more than 80
of the world's leading suppliers delivering
services and solutions critical to cloud
security: including AVG Business by Avast,
cPacket Networks, CensorNet, Darktrace,
GlobalSign, Hitachi ID Systems, Dual
Security, Forcepoint and Trend Micro.
Find out more about Cloud Security Expo
at www.cloudsecurityexpo.com
Putting 'things' into action @ Smart IoT
London…
You know the what of 'things'. You probably
understand the why of 'things'. What you
need to fully grasp now is the how of
'things'. That's just where Smart IoT London
will come to your aid. Wherever you are on
your IoT journey - whether you're exploring
how to become a data-centric business
or you are looking at the next steps of
securing, analysing and integrating this
data with your existing or new
applications and processes - Smart IoT
London really is the place to be and to get
into the thick of 'things'.
The Urban IoT Showcase will deliver just
this by highlighting how some of the most
progressive and exciting IoT programmes
developed for the urban environment,
utilises intelligent technologies, and how
applications will benefit citizens, businesses,
policy makers and planners. Smart IoT
London is collaborating closely with
Innovate UK, the Digital and Future Cities
Catapult and leading academics to create a
unique space where technology providers,
enterprise, city management teams, city
planners, and the investment community
can engage and harness the potential of IoT.
For more information, visit
www.smartiotlondon.com
With IoT comes Big Data…
The interpretive and practical 'how to'
conference and exhibition, Big Data World,
is where you can source ideas, inspiration,
products and services from suppliers
including Qlik, Splash, Alteryx, Proxem,
Dataiku, Differentia consulting and Time
Tender. You can gain the latest insights from
more than 80 big data thought leaders,
business government leaders and global
visionaries, including Booz Allen Hamilton's
Kirk Borne, IBM's evangelist Jeremy Waite,
Skype's Mike Hyde, Spotify's Will Shapiro,
eBay's Davide Cervellin and Google's Juan
Felipe Rincon.
With big data comes the ever-evolving data
centres. Cue Data Centre World…
Data Centre World is the compelling and
practical event, dedicated to tomorrow's
world of data centres in what is the biggest
gathering and most truly global event that
you are likely to visit.
Whether you are responsible for a server
room or a tier 4 data centre, or anything in
between, you can equip yourself with the
latest knowledge and skills at Data Centre
World. Housing products from a total of
30 exhibitors, the DCW Green Data Centre
returns to London for the second time!
This year, the interactive feature is an outof-this-world
force, spanning up to 400m 2
and containing over 30 of the world's
leading suppliers, including Dunwoody,
Fireworks, 2BM, Riello, Uninterruptable
Power supplies, Huber + Suhner, IPU Group,
Excool. From cooling units and fans, to
cables and perimeter fencing. This is an
exceptional experience in the offing and
just another solid reason to be at Data
Centre World 2017.
Visit www.datacentreworld.com for more
information
ALL OF YOUR TECHNOLOGY NEEDS
IN ONE LOCATION
Building on the success of 2016 events,
which saw 18,515 attendees flood the
ExCeL Centre for Cloud Expo Europe, Cloud
Security Expo, Smart IoT London and Data
Centre World, the time is almost here to
welcome Big Data World to the event
stack: boasting five industry-leading events
in one location. This is a great opportunity
to update your knowledge and skills across
the whole technology stack - from data
centres to the cloud, covering security, big
data issues and the Internet of Things -
with just one ticket. Learn from the
experts, enhance your skills and be part of
the UK's outstanding business technology
event in March.
Register online for FREE here:
www.cloudexpoeurope.com/NetworkCo
mputing
FACTFILE....FACTFILE....FACTFILE
WHAT: Cloud Expo Europe
WHEN: 15-16 March 2017
WHERE: ExCeL Centre, London, UK
HOURS: 9.30am-5pm
WEB: www.cloudexpoeurope.com
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2017 computing security
27

security operations centres
CENTRE OF ATTENTION
SECURITY OPERATIONS CENTRES - SOCS - ARE ALL THE RAGE, IT SEEMS. BUT THEIR REPUTATION HAS
BEEN QUESTIONED, WITH REPORTS THEY ARE FALLING SHORT OF TARGET MATURITY LEVELS
With increased pressure to rapidly
innovate and align security
initiatives with business goals,
security operations centres (SOCs) provide
the foundation for how organisations
protect their most sensitive assets, and
detect and respond to threats. However,
recent findings show that the majority of
SOCs are falling below target maturity levels,
leaving organisations vulnerable in the event
of an attack.
This is according to Hewlett Packard
Enterprise (HPE), which has just published its
fourth annual 'State of Security Operations
Report' (2017), providing deep analysis on
the effectiveness of organisations' SOCs and
best practices for mitigating risk in the
evolving cybersecurity landscape.
Published by HPE Security Intelligence and
Operations Consulting (SIOC), the report
examines nearly 140 SOCs in more than 180
assessments around the globe. Each SOC is
measured on the HPE Security Operations
Maturity Model (SOMM) scale that evaluates
the people, processes, technology and
business capabilities that comprise a security
operations centre. A SOC that is well
defined, subjectively evaluated and flexible is
recommended for the modern enterprise to
effectively monitor existing and emerging
threats; however, 82% of SOCs are failing to
meet this criteria and falling below the
optimal maturity level, claims HPE. "While
this is a 3% improvement year-over-year, the
majority of organisations are still struggling
with a lack of skilled resources, as well as
implementing and documenting the most
effective processes," the company states.
"This year's report showcases that, while
organisations are investing heavily in security
capabilities, they often chase new processes
and technologies, rather than looking at the
bigger picture, leaving them vulnerable to
the sophistication and speed of today's
attackers," says Matthew Shriner, vice
president, Security Professional Services,
Hewlett Packard Enterprise. "Successful
security operations centres are excelling by
taking a balanced approach to cybersecurity
that incorporates the right people, processes
and technologies, as well as correctly
leverages automation, analytics, real-time
monitoring, and hybrid staffing models to
develop a mature and repeatable cyber
defence programme.
STRONG CONNECTION
There has never been a stronger connection
between security initiatives and business
goals, adds Shriner. "The speed of
organisations' adoption of new innovations
such as cloud, IoT and big data platforms is
matched head-on by advancement of the
attackers. The sophistication, agility and scale
of attacks has made speed an imperative for
any successful security operations centre and
has led to a renewed focus on automation,
real-time detection and response at scale.
"Along with this focus, we are continuing
to see a struggle to find and maintain skilled
resources necessary to run security
operations. Automation and outsourcing
have been utilised to ease this burden with
varying degrees of success. Throughout our
assessments, performed on six continents,
we have seen a multitude of SOC people,
process, and technology configurations. Our
28
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

security operations centres
Meg Whitman, CEO, speaking at the
Hewlett Packard Enterprise Discover
2016 London.
data provides us with a view of the most
effective configurations, along with insights
into the opportunities and limitations of
automation and outsourcing.
"This year has also seen a sharp decline in
maturity for organisations that are opting
out of real-time security monitoring in favour
of post-event search technologies. While this
is a disturbing trend, organisations that have
adopted hunt team capabilities as an add-on
to their existing real-time monitoring
programs have seen success in rapid
detection of configuration issues, previously
undetected malware infections, and SWIFT
attack identification."
BAD AND GOOD!
Over the last five years, HPE has found that
26.61% of cyber defence organisations that
were assessed failed to score a security
operations maturity model (SOMM) level 1 -
a 1% decrease over last year and a drop
for the second year in a row. "These
organisations operate in an ad-hoc manner,
with undocumented processes and
significant gaps in security and risk
management," it states. "Yet, after the
assessments conducted this year, we found
that over the last five years 18% of assessed
organisations are meeting business goals
and are working toward or have achieved
recommended maturity levels, which is 3%
better than last year's findings and a 5%
improvement in two years."
The assessments have shown some
interesting trends: Consistency of mission,
technology, management, and staff has a
strong effect on the maturity of cyber
defence organisations. Teams with low
turnover, strong business alignment, and
who follow multi-year plans tend to have
greater capabilities as well as overall maturity.
Organisations are continuing to try a variety
of models to create right-size operations,
including partnering with service providers or
off-shoring specific roles or functions (such
as level 1 monitoring). This has mixed results
and often solving one challenge creates
several new ones.
Hunt teams that perform analysis on
historical logs (as opposed to real-time
analysis) are being adopted rapidly. HPE
found that significant time and effort is
being spent on data hygiene,
contextualisation and preparation before
these hunt teams are able to distinguish true
threats from a myriad of misconfigured
systems and process deficiencies in the
management of IT assets. Increasing levels
of workflow and process automation allow
organisations to improve consistency,
bandwidth, and speed of operations.
Many are investing in security incident
investigation and management toolsets.
Deliberate and diligent implementation of
these capabilities as well as proper
management has led to positive results.
"The uneven distribution of maturity results
across industries can be directly correlated
with the experience of negative financial
impact from malicious attacks, says HPE.
"Organisations that have experienced direct
financial loss due to malicious attacks do a
better job of immediately maturing to a
higher level. This group of organisations
continues to grow significantly in number."
KEY OBSERVATIONS
According to the report, therefore, SOC
maturity decreases with hunt-only
programmes. The implementation of hunt
teams to search for unknown threats has
become a major trend in the security
industry. While organisations that added
hunt teams to their existing real-time
monitoring capabilities increased their
maturity levels, programs that focused solely
on hunt teams had an adverse effect.
www.computingsecurity.co.uk @CSMagAndAwards Jan/Feb 2017 computing security
29

security operations centres
Hewlett Packard Enterprise
Discover 2016 London.
In a few instances, organisations have
gone as far as opting for open hunt as the
sole means for detection and response,
while eliminating SIEM-based real-time
monitoring efforts. Many of these
organisations were frustrated by security
operations that were difficult to staff and
not producing the expected value, and thus
decided to try something new. The result?
Much of the same.
"Searches that return data from
misconfigured applications and systems, but
not much in terms of useful results about
threats to the organisation," reveals HPE.
"The maturity of these organisations actually
regressed and risks increased, as response to
known-bad threats slowed and decreased in
consistency. In most cases, the operational
context of the previous solution was lost in
the transition to a new approach.
EARLY ADOPTION OUTCOMES
While most organisations in the early
adoption phase of this emerging area of
security operations are experiencing mixed
results, there are some that have successfully
added threat hunt capability to their security
programs in complimentary ways to existing
real-time operations.
"HPE is working with organisations that
have leveraged the mature methodologies
that made their SOC programs successful
and expanded those lessons learned into
threat hunt."
Here are some other key observations from
HPE's findings:
Complete automation is an unrealistic
goal. A shortage of security talent
remains the number one concern for
security operations, making automation
a critical component for any successful
SOC. However, advanced threats still
require human investigation and risk
assessments need human reasoning,
making it imperative that organisations
strike a balance between automation
and staffing
Focus and goals are more important than
size of organisation. There is no link
between the size of a business and
maturity of its cyber defence centre.
Instead, organisations that use security
as a competitive differentiator, for market
leadership, or to create alignment with
their industry are better predictors of
mature SOCs
Hybrid solutions and staffing models
provide increased capabilities.
Organisations that keep risk management
in-house, and scale with external
resources, such as leveraging managed
security services providers (MSSPs) for costaffing
or in-sourcing, can boost their
maturity and address the skills gap.
As organisations continue to build and
advance SOC deployments alongside the
evolving adversary landscape, a solid
foundation based on the right
combination of people, processes and
technology is essential. To help
organisations achieve this balance,
HPE recommends:
Mastering the basics of risk identification,
incident detection, and response, which
are the foundation to any effective
security operations program, before
leveraging new methodologies such as
hunt teams
Automating tasks where possible, such
as response automation, data collection,
and correlation to help mitigate the skills
gap, but also understanding the
processes that require human interaction
and staffing accordingly
Periodic assessment of organisations'
risk management, security and
compliance objectives to help define
security strategy and resource allocation
Organisations that need to augment
their security capabilities, but are unable
to add staff should consider adopting a
hybrid staffing or operational solution
strategy that leverages both internal
resources and outsourcing to a MSSP.
There will be great challenges ahead this
year and beyond, adds Matthew Shriner,
with further adoption of the new style of IT,
adhering to new regulations such as GDPR,
an increase in politically motivated attacks
and more. "I remain steadfast in the belief
that organisations' best defence will be to
remain steady with their security operations
foundations. Focus on the people. The
people will drive the process and the process
will ensure the most effective use of the
technologies.
"Excel at the basics and enhance capabilities
with analytics to uncover advanced attacks
with greater visibility across the organisation,
providing confidence for your business to
innovate securely," he advises.
30
computing security Jan/Feb 2017 @CSMagAndAwards www.computingsecurity.co.uk

and network with thousands of security
80 leading international vendors
WWW.CLOUDSECURITYEXPO.COM/COMPUTINGSECURITY
All free of charge. Secure your ticket at
150 expert speakers,
and technology professionals.
Access over
ALL THE KNOWLEDGE YOU WANT,
ALL OF THE CONFIDENCE YOU NEED.
No business can afford to ignore cloud security.
Cloud security is a very real complex issue
that needs very real solutions. Cloud Security
Expo 2017, taking place on the 15th and 16th
March at ExCeL London, will give you the
confidence you need. And more.
15-16 March 2017 ExCeL, London
CO-LOCATED WITH
Register for your FREE ticket today at
www.cloudsecurityexpo.com/ComputingSecurity
BIG DATA
WORLD
ORGANISED BY
15-16 March 2017 ExCeL, London
www.bigdataworld.com
EVERY EMERGING TECHNOLOGY.
ONE DIGITAL TRANSFORMATION JOURNEY.
DIMAOND SPONSOR
KEYNOTE THEATRE SPONSOR
GOLD SPONSORS SILVER SPONSORS EVENT PARTNERS CONTINUING
PROFESSIONAL
EDUCATION
PLATINUM SPONSOR
THEATRE SPONSOR