Issue 4 | April 2016 www.securityadvisorme.com
Reshaping security: why Sophos believes synchronised security is the next leap forward
Also in this issue: next-gen endpoint security, cloud storage security, critical infrastructure
CONTENTS

UNDER SIEGE
There has been a dramatic increase in cyberattacks on critical infrastructure but regional organisations remain unprepared.

SECURITY MADE SIMPLE
An exclusive interview with Harish Chib, VP, MEA, Sophos, who talks about why the future of security is synchronised.

SECURITY INSIDE
Intel Security’s Raj Samani on his company’s commitment to help customers address the increasingly urgent need to shorten response time.

CLOUD AND VULNERABILITY MANAGEMENT
Wolfgang Kandek, CTO of Qualys, on how to avoid the stumbling blocks on the road to security.

ARE YOU FAILING SECURITY BASICS 101?
Patching, backups, firewall configuration… when it comes to security, make sure you take care of your infrastructure before you invest in next-level tools.

THWARTING ATTACKERS WITH THREAT INTELLIGENCE
Five steps to incorporate threat intelligence into your security awareness programme.

IT GETS CLOUD STORAGE SECURITY ALL WRONG
Two recent reports confirm that your greatest security threat is your users, not outside hackers.

FOUNDER, CPI MEDIA GROUP: Dominic De Sousa (1959-2015)
Group CEO: Nadeem Hood
Publishing Director: Rajashree Rammohan, raj.ram@cpimediagroup.com, +971 4 375 5685

EDITORIAL
Group Editor: Jeevan Thankappan, jeevan.thankappan@cpimediagroup.com, +971 4 375 5678
Editor: Annie Bricker, annie.bricker@cpimediagroup.com, +971 4 375 1643
Deputy Editor: James Dartnell, james.dartnell@cpimediagroup.com, +971 4 375 5684
Online Editor: Adelle Geronimo, adelle.geronimo@cpimediagroup.com, +971 4 375 5683

ADVERTISING
Commercial Director: Chris Stevenson, chris.stevenson@cpimediagroup.com, +971 4 375 5674
Group Sales Director: Kausar Syed, kausar.syed@cpimediagroup.com, +971 4 375 1647
Sales Manager: Merle Carrasco, merle.carrasco@cpimediagroup.com, +971 4 375 5676

CIRCULATION
Circulation Manager: Rajeesh M, rajeesh.nair@cpimediagroup.com, +971 4 375 5682

PRODUCTION AND DESIGN
Production Manager: James P Tharian, james.tharian@cpimediagroup.com, +971 4 375 5673
Designers: Analou Balbero, analou.balbero@cpimediagroup.com, +971 4 375 5680; Neha Kalvani, neha.kalvani@cpimediagroup.com, +971 4 375 1644
Photographer: Charls Thomas

DIGITAL SERVICES
Web Developers: Jefferson de Joya, Abbas Madh, webmaster@cpimediagroup.com, +971 4 440 9100

Published by CPI Media Group. Registered at IMPZ, PO Box 13700, Dubai, UAE. Tel: +971 4 440 9100, Fax: +971 4 447 2409
Printed by Al Ghurair Printing & Publishing

© Copyright 2016 CPI. All rights reserved. While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.
news
Help AG signs up Tenable Network Security

Help AG has announced a new partnership with Tenable Network Security, which provides continuous network monitoring solutions. The agreement, which makes Help AG Tenable’s authorised Gold Partner for the UAE, Qatar and Saudi Arabia, will allow the systems integrator to offer the vendor’s suite of next-generation security solutions for continuous network monitoring and vulnerability management to enterprises in the region.

“The introduction of mobile devices, virtualisation, and cloud-based applications in enterprise IT in recent years has resulted in a host of new vulnerabilities and exploits. Without the right visibility tools to identify the resulting security gaps, organizations run the risk of falling victim to breaches and suffering the loss of sensitive business-critical data,” said Stephan Berner, Managing Director at Help AG.

Help AG intends to support its customers by building a set of value-added services around these technologies. In parallel, Help AG will leverage the vendor’s continuous network monitoring and vulnerability solutions in its own IT environment to enhance the capabilities of its Managed Security Services (MSS) division. “Besides giving us a technical edge, utilising these solutions ourselves on a day-to-day basis will enable us to grow our knowledge and capabilities, which translates to better implementations and smoother deployments of these technologies for our customers,” said Berner.
Qualys expands Cloud Agent platform

Qualys has announced the availability of cloud agents for Linux and Mac OS, adding to the platform’s existing support for Windows. Support for these operating systems is key to securing elastic cloud environments and endpoints where these operating systems are predominant. The Qualys Cloud Agent Platform combines the power of the Qualys platform with lightweight agents that are extensible, centrally managed and self-updating, allowing global businesses to continuously assess the security and compliance of their IT infrastructure and applications.

“The increasing number of IT assets, explosion of endpoint devices and escalating threat landscape is dramatically complicating enterprise IT and security,” said Philippe Courtot, Chairman and CEO of Qualys. “IT and security professionals have the daunting task of ensuring that all assets are up-to-date, compliant and secure. With the availability of the Cloud Agent on all major computing environments, companies can now inventory all their IT assets, get the visibility needed to secure them against cyber-attacks on a continuous basis and take action with Qualys’ new patching capabilities.”
Gemalto announces CEO succession

Gemalto has announced the retirement of CEO Olivier Piou, which will be effective by the end of August 2016. The Board of Directors will propose that current Chief Operating Officer Philippe Vallee become an Executive Director of the Board and the company’s new CEO, effective 1st September 2016. In addition, the Board will propose that Piou continue to serve as a Non-Executive Director of the company.

Olivier Piou, outgoing CEO, said: “We always take a long-term view about our business and manage change proactively. After such a large number of years at the helm, I believe that this autumn will be the right time to bring in a new leadership, which is ready and able to execute on our next phase of growth. September 2016 is the time when we accelerate the preparation of the Company’s next strategic plan. By transitioning management then, I want to give the new CEO the space to design what will come next for Gemalto.”
Souq.com launches Norton e-store

Souq.com has unveiled its partnership with Norton by Symantec to host a new Norton brand e-store on its retail site for customers in the UAE and the Kingdom of Saudi Arabia (KSA). The e-store will provide a one-stop shop for customers looking to protect their devices using Norton’s flagship service, Norton Security. Norton’s security solutions, including Norton Security Standard, Norton Security Deluxe, and Norton Security Premium, will be available on the Souq.com website and via its mobile application. In addition, customers can take advantage of multiple payment options, including secure online payment and cash on delivery.

Tamim Taufiq, Head of Middle East Partnerships, Norton by Symantec, said: “Our partnership with Souq.com is the beginning of something exciting for us as a brand. As the largest e-commerce platform in the Middle East, Souq.com is in a prime position to offer existing and new Norton customers one of the best online shopping experiences for our products and services. As cyber-crime continues to infiltrate into our everyday lives, it’s vital that consumers in the Middle East protect themselves and their devices. The new e-store offers an easy way for everyone to be just a click away from help to protect their identity, digital assets, and sensitive data from falling into the wrong hands.”
A10 Networks names new VP for worldwide marketing and communications

A10 Networks has announced that Neil Wu Becker has been appointed vice president of worldwide marketing and communications. Reporting directly to CEO Lee Chen, Neil is responsible for driving A10’s brand awareness, marketing strategy, and sales enablement.

“Neil brings a unique skillset to the A10 Networks team. He is an award-winning marketing and communications veteran with extensive experience developing and managing strategic global communications plans for a broad spectrum of companies in the tech sector, from Fortune 100 firms to early-stage startups,” said Lee Chen, CEO of A10 Networks. “Neil’s impressive ability to drive organizations to new levels of success, including at Cisco, one of the world’s largest technology companies, will greatly benefit our global partners and customers looking to grow with us.”

Neil brings more than 15 years of marketing and communications leadership experience to A10 Networks. For eight years at Cisco, he led several communications teams that supported Cisco’s largest multi-billion dollar business units and its biggest growth opportunities. Most recently, Neil served as the head of public relations and corporate communications at Micron Technology, where he successfully ran and helped grow the worldwide PR function and oversaw the development of the company’s strategic positioning.
77% of respondents to an Intel Security survey believe smart homes will be as common in 2025 as smartphones are today. Source: Intel Security
Gartner says global IT spending to decline

Worldwide IT spending is forecast to total $3.49 trillion in 2016, a decline of 0.5 percent from 2015 spending of $3.5 trillion, according to Gartner. This is down from last quarter’s forecast of 0.5 percent growth. The change in the forecast is mainly due to currency fluctuations.

“There is an undercurrent of economic uncertainty that is driving organisations to tighten their belts, and IT spending is one of the casualties,” said John-David Lovelock, research vice president at Gartner. “Concurrently, the need to invest in IT to support digital business is more urgent than ever. Business leaders know that they need to become digital businesses or face irrelevance in a digital world. To make that happen, leaders are engaging in tough cost optimisation efforts in some areas to fund digital business in others.”

“As an example, the savings from legacy system optimisation and enhancements are being redirected to fund digital initiatives. It’s about doing more with the same funds,” said Lovelock. “Typically, less than 10 percent of organisations are in cost optimisation or cost cutting mode. However, the need to spend on digital business initiatives in a time when revenue growth does not support runaway IT budgets is forcing more organisations to optimise as a first step.”
feature
Under siege
There has been a dramatic increase in cyberattacks on critical infrastructure but regional organisations remain unprepared.
The threat against critical infrastructure such as power grids, water supply systems, and oil and gas plants is growing, and at the same time potential adversaries are learning techniques from the exposure of sophisticated state-sponsored cyber attacks. Recently, Eugene Kaspersky, Founder and CEO of Kaspersky Lab, famously remarked that ‘a bad bad incident’ awaits critical infrastructure, as cyber-terrorism attacks could become a harsh reality before slow-moving government agencies act to secure them better. Often, organisations with critical infrastructure to protect are even slower to move on security infrastructure upgrades than corporate enterprises. Just how much at risk is our region’s critical infrastructure?

“These days, critical infrastructure everywhere in the world is a potential target. Cyberattacks on critical and industrial environments are on the rise and Kaspersky Lab has detected incidents in every corner of the world. As the world’s largest exporter of oil and gas, the Middle East is a particularly attractive target for threat actors, whether state-sponsored or criminally minded,” says Matvey Voytov, Solution Business Lead, Critical Infrastructure Protection Business Development, Kaspersky Lab. He cites the examples of the highly complex Shamoon attack on Saudi Aramco and other incidents including the attack on RasGas. “In addition to these outside attacks, the Middle East has its own dangerous cyber gangs such as Desert Falcons – cyber mercenaries operating exclusively in the region and attacking a number of different industries, including military and government organisations, as well as energy and utilities providers.”

Adam Philpott, Director, EMEAR Cyber Security, Cisco, agrees that attacks on critical infrastructure have become a growing cause of concern for governments and private providers around the globe, whether inflicted by cybercriminals seeking financial gain or by hackers as political acts. “The trepidation around these threats is justified, as research demonstrates that attacks on critical infrastructure have increased in both prevalence and sophistication and will continue to grow in the near future,” he adds.

Ryan Brichant, CTO for Global Critical Infrastructure, FireEye, echoes a similar opinion: “Critical infrastructure faces a substantial level of risk across the world. Unfortunately, hackers are not just motivated by monetary gains but also notoriety and credibility – it’s very appealing for a hacker to attain fame among his/her circle of peers for carrying out a certain attack, especially if it’s a high-profile incident. The ramifications behind hacking the world’s most critical infrastructure and assets are far more severe to national economies than any other type of hacking attempt we have seen today.”

One of the reasons why the region’s critical infrastructure is susceptible to cyber threats is that the organisations running these facilities with supervisory control and data acquisition (SCADA) gear are still gathering data about threats and aren’t close to implementing new defences to counter them. “If you look at the control systems for critical infrastructure such as within the utilities sector, historically they were asynchronous control sessions to a mainframe unit and security was pretty straightforward to achieve. However, the adoption of IP in most organisations means that the control networks in production facilities have become interconnected and could potentially be subject to the same attacks as any other systems in a connected world,” says Nicolai Solling, Director of Technology Services, Help AG. Today any SCADA or DCS system will be based on protocols such as IP, MPLS and other standard network technologies, plus standard operating systems such as Windows, Linux and Unix, thereby creating a threat picture similar to that of any other connected system, but with a much higher impact, because production is controlled by the system and any disruption can lead to decreased productivity. Solling warns that loss of productivity or, in the worst case, an overload of the production environment can cause larger-scale damage.

Security experts say the emphasis should be on detection and rapid response rather than prevention when it comes to critical infrastructure security. “The prevention and preventive protection mindset has recently failed us on almost every occasion. This is why organisations and CISOs are shifting to a detection and response mindset. They acknowledge the fact that breaches are very likely to happen, and it’s a question of how quickly you can close the gap and respond, and how you can adapt your defense strategy to the evolving threat
landscape,” says Roland Daccache, Senior Systems Engineer, Fidelis Cybersecurity.

The real issue is that, in most cases, conventional prevention technologies can’t be used efficiently inside critical and industrial environments. These technologies weren’t designed for the unique conditions of such environments, such as air gaps, the continuity of technological processes, and highly specialised software and hardware. Voytov from Kaspersky says that just because traditional prevention approaches aren’t always appropriate in critical and industrial environments, that doesn’t mean we should rely on detection and response to make up the gap. The key difference between traditional information security and industrial cybersecurity is the high stakes: a successful breach of critical infrastructure can have an impact far beyond information or financial damage; it can cost lives or result in environmental destruction, among other serious consequences.

“Prevention is better than cure, and rapid response is always required because you don’t know when threats can affect your organisation’s investment. There needs to be the right technology investment in place, and neither end-user nor vendor can have the slightest idea of the severity of a threat. We also have to understand, when a device is compromised, how much of that compromise can actually be mitigated. The last thing one needs is a broken-down system. That’s why
security is always implemented as layers,” says Nader Baghdadi, Regional Enterprise Director, Fortinet.

Tareque Choudhary, Head of Security and BT Advise at BT Global Services, agrees: “With cyber attacks growing more and more sophisticated, you need to detect problems earlier, and at a greater distance from your perimeter, to protect your key infrastructure and operations. If you want to manage and pre-empt attacks, you need a clear understanding and visibility of the global threats you’re facing as they emerge.”

The key to being prepared for massive cyberattacks on critical infrastructure is creating a framework that fosters collaboration between public and private sector partners, as no single business or level of government has sole ownership or control over critical infrastructure. “Countries and companies must collaborate now, more than ever, to
protect the services essential to a nation. Threats to a company’s information systems and assets could come from anywhere. Whether the incident comes as a direct physical attack or an electronic one, the nature of these events is essentially borderless. No single company could possibly possess all of the intelligence, expertise and resources needed to combat threats originating from such a plethora of fronts,” says Philpott from Cisco.

The strategic approach to cyber security is based on the hard reality that it is not possible to defend all of a country’s digital assets without the collaboration and integration of all of the primary stakeholders from the private and public sectors, and of the citizens using the nation’s digital networks. “The U.S. Government has shown through the Automated Indicator Sharing Program and the recent cyber security law signed last December that governments have to take an active role in supporting the private sector in general and specifically those engaged in critical infrastructure. The sharing of threat intelligence will be vital for protecting critical infrastructure and governments have to take an active leading role, setting an example and encouraging the private sector to step out of the shadows and share threat intelligence that they have derived from their own environments,” says Cherif Sleiman, GM, Middle East, Infoblox.
cover feature
Security made simple
Harish Chib, VP-MEA, Sophos, tells us why synchronised security, which enables endpoints and network security components to directly share information, will revolutionise threat detection.
Why is it important for organisations to have comprehensive security solutions?

Most organisations struggle with a lack of visibility into the state of the network and endpoints. The absence of context and timely intelligence further aggravates the security challenge. Even with a so-called best-of-breed approach, different security solutions fail to share useful security information, and as a result a security event soon snowballs into a security incident. Attackers and cyber-criminals take advantage of such gaps and target endpoints to make further progress into the network, being able to fly under the radar, eventually inflicting substantial damage to the network, users, data and reputation as well. The strategy of adding layer upon layer of disparate security technologies really is no longer practical or effective. It is costly, complex and out of reach for the vast majority of businesses, who simply don’t have the resources to deploy, maintain and coordinate all these products. With an ever-increasing threat vector, there is a need to enable complete visibility at the desktop and at the gateway.

What steps should organisations take to enhance security?

It is important for organisations to adopt a proactive approach with respect to their security measures. They must first reassess their security posture, and develop, manage and control a new and improved cyber security infrastructure. They must also educate employees about the perils of cyber-attacks and ensure that they conform to the organisation’s cyber security policies. They need to start looking at cyber security as a part of their IT infrastructure and not as an add-on. The three challenges that organisations must address are improving cyber security awareness, realising that lack of preparedness
is putting sensitive data at risk, and making a concerted effort towards improving their cyber security infrastructure to protect endpoints and networks.

What is your take on next-generation security?

“Next generation” security is simply a way to describe the latest technologies in endpoint and network protection that make security better and faster. Sophos has been actively delivering next generation technologies in both network security and endpoint security, and in other areas of our portfolio as well. The two factors that differentiate Sophos from other vendors are, first, that we deliver industrial-strength, next-generation technologies, but in a way that can be consumed and managed by organisations of any size; and second, that we are taking the industry beyond “next generation” with the next step of synchronised security – enabling the next-gen endpoint and next-gen firewall to actively communicate with each other to improve the effectiveness and manageability of security for organisations of any size.

Can you elaborate on your IT security solutions portfolio? What differentiates your solutions?

Sophos has a broad portfolio of solutions for network protection, end user protection and server protection. These include UTMs, wireless access points, secure Web Gateway, endpoint protection for mobile and desktops,
SafeGuard encryption, virtualisation security and server security. In the development of our solutions, we have also kept the needs of pragmatic enterprises in mind; this means our solutions can be deployed and managed easily. Additionally, Sophos also offers a wide range of easy-to-integrate OEM solutions including AV, anti-malware, anti-spam, data loss prevention (DLP) and unified threat management (UTM).

Sophos believes security should be comprehensive, it should work as a system, and it must be simple to use; these are the guiding principles that govern our product development. Our philosophy ‘Security Made Simple’ guides every aspect of our business. We realise that the world needs an answer to progressively complex threats and this is not going to change anytime soon. Unlike other organisations in the cyber security domain, we do not believe the answer to such threats lies in complex security solutions. Our core focus is delivering comprehensive and highly advanced solutions that are easy to deploy, manage and control. Also, with the recently launched Security Heartbeat feature, which is fully enabled and included as a part of our Sophos XG Firewall/UTM and Sophos Cloud Managed Endpoint Protection, we have revolutionised the world of IT security. With Security Heartbeat, we deliver synchronised security that enables the network and endpoints to share meaningful data that protects organisations from next-generation threats. This helps us offer
an unrivalled security proposition and deliver the next level of IT security.

Sophos has coined the term Synchronised Security. What does it mean? What is your company’s vision on it?

Sophos is the first security vendor to deliver synchronised security, directly linking next-generation endpoint security and the next-generation firewall to share threat intelligence that enables faster detection of threats, automatic isolation of infected devices, and more immediate and targeted response and resolution. Synchronised security automates incident response via instant sharing of threat, security, and health information between endpoint and network. It eliminates the manual work of trying to figure out who, what and when a compromise happened. Synchronised security is a key innovation in next-generation security protection, and we are delivering that through Sophos Security Heartbeat.
What is Security Heartbeat and how does it work?

Sophos is the first to bring synchronised security between endpoints and networks in our new Sophos XG Firewall with Security Heartbeat. The Security Heartbeat pulses continuous, real-time information about suspicious behavior or malicious activity between endpoints and the next-generation firewall or UTM. When a new Sophos-protected endpoint is added to the network, its Security Heartbeat automatically connects to the local Sophos XG Firewall and the endpoint immediately starts sharing its health status. If suspicious traffic is identified by the firewall, or malware is detected on the endpoint, security and threat information is instantly shared securely via the Security Heartbeat. The firewall can automatically take action to isolate the endpoint from internal and/or
external networks and trigger additional action on the endpoint to mitigate risk and prevent data loss. After the threat has been removed, the endpoint uses the Security Heartbeat to communicate its updated health status back to the network, which then re-establishes normal service to the endpoint. With Security Heartbeat, organisations of any size can advance their defenses against increasingly coordinated and stealthy attacks and drive a dramatic reduction in the time and resources required to investigate and address security incidents. IT organisations can benefit from advanced threat protection capabilities without requiring additional agents, layers of complex management tools, logging and analysis tools, or expense. The Security Heartbeat is fully enabled and included as part of the Sophos XG Firewall and Sophos Cloud-managed endpoint protection.

Why is the Security Heartbeat so significant in today’s market?

As an innovative leader, Sophos is driving this exciting new vision of synchronised security. Complexity is the enemy of effective security, and products or technologies that are too hard to deploy or too hard to use don’t do any good. As the only vendor in the world with a balanced business at scale across endpoint and network security, we are the first to be able to connect the endpoint and network directly. To make security simple, we
have created a single, cloud-based management console that will span our entire portfolio.

What type of companies are you targeting with this solution? What is your strategy for the Middle East region?

Security Heartbeat is a solution from which most organisations would benefit, irrespective of their size and domain. However, when it comes to securing data amid resource constraints, mid-market enterprises face more acute challenges than their large-enterprise counterparts. With Security Heartbeat we aim to target this underserved mid-market, as there is a huge demand for solutions which provide complete, enterprise-grade IT security encompassing the entire IT infrastructure. Sophos has a presence across the MEA region, which spans 45-plus countries. The region is set to take a big leap in digitisation and we are ready to help with our demonstrable competence and experience of protecting customers of various verticals and sizes. Businesses and institutions in the Middle East and Africa are showing growing awareness of the need to bolster cyber resilience and enhance their cyber security infrastructure. We cover all aspects of securing a digital enterprise and have a wide portfolio of disruptive security innovations.
Event
Driving enterprise resilience
The Gulf Information Security Exhibition and Conference (GISEC) returned to the Dubai World Trade Centre this year for its fourth edition. The cybersecurity event put the spotlight on the growing complexities of the threat landscape and how IT players can address such issues.
Held under the collective banner of Future Technology Week (FTW), GISEC 2016 gathered regional and international technology and cybersecurity experts and leaders under one roof to delve into the critical issues surrounding the Middle East IT market. According to the event’s organiser, DWTC, the consolidated platform arrives as Internet of Things (IoT) technologies are seeing rapid regional growth in the adoption of secure connectivity, enterprise mobility and Big Data services.

With the increasing volume of data, and the emergence of a more connected world, information is being seen as one of the most valuable commodities for any industry. GISEC aimed at highlighting the need for data to be strongly guarded and encouraged organisations of all shapes and sizes to understand how they can shield their systems from hackers and data theft.

The event featured keynote presentations from top experts including Rt. Hon. Dr Liam Fox, MP, Former Secretary of State for Defence, United Kingdom; Mark Hughes, President, BT Security; Harshul Joshi,
SVP, Cyber Security Governance, Risk and Compliance, DarkMatter; Ibrahim Abdalla, Head of IT, Abu Dhabi Aviation; and Adam Philpott, Cybersecurity Director, EMEA, Cisco, among others.

“Attackers today are so resilient and are becoming increasingly sophisticated. Since we know that breaches are now the new normal, the good news is that all businesses have started to think: ‘How do we do security differently?’” said Adam Philpott, Director, Cybersecurity, EMEAR, Cisco. “Technologies must provide market-leading levels of security effectiveness to detect and block threats and this begins with visibility,” he said. “Enterprises need to understand that once business and security decisions are made in tandem, security solutions become part of their operating fabrics. Visibility across the whole corporate
network is critical to managing security. It is not enough to just defend the threat coming into and out of the network; the organisations has to be able to manage the threat across the whole continuum – before, during and after the attack.” Altogether, FTW, hosted over 180 exhibitors who displayed a range of innovative solutions and products. Wael El Kabbany, VP, BT Security, highlighted that GISEC has always been a great platfrom to engage with regional and global organisations and showcase solutions that will help them enhance their situational awareness and readiness in order to combat a more sophisticated generation of cyber threat actors. “As businesses in the region undergo a fundamental digital transformation and more and more organisations migrate to the
cloud, the need for an effective and comprehensive cybersecurity strategy arises,” said El Kabbany. “Organisations are beginning to realise that the traditional ‘perimeter wall’ approach to cybersecurity will no longer suffice in a new era of threats. Responding to threats in real-time is the need of the hour and the future will see a proactive and intelligencedriven information security strategy assume even greater importance.” GISEC also also witnessed engaging and thought-provoking panel discussions on topics such as How CNI and government are winning the struggle to protect themselves from SCADA and Computer Network Exploitation; IoT and the inherent risks brought by increasingly connected living; and ensuring consumer-centric innovations are not threatened by emerging risks and more. 04.2016
15
interview

Turning security inside out
Raj Samani, CTO, Intel Security, EMEA

Intel Security’s Raj Samani on his company’s commitment to help customers address the increasingly urgent need to shorten response time and simplify threat defence strategies.

Raj Samani, Chief Technology Officer, EMEA for Intel Security, says he is proud to be part of a company that is actually taking action in the cybercrime arena. “You can talk to some vendors, and they will say that public private partnerships are important, but in reality they haven’t actually participated,” he says. As an advisor to the EUROPOL Cyber Crime Centre and active member of the Cloud Security Alliance, Samani is hardly all talk. In addition to providing his expertise to Intel Security, Samani splits his time with numerous initiatives to improve the awareness and application of security in business and society. He was inducted into the Infosecurity Europe Hall of Fame in 2012, won the Virus Bulletin Péter Ször Award for the investigation he co-authored on the takedown of the Beebone Botnet, and was named in the UK’s top 50 data leaders and influencers by Information Age.

The Middle East region is an important area for Intel Security, according to Samani. “There are remarkable things happening in this region,” he says. “For example, we have worked with oil and gas entities here to create the first digital oil fields. This Middle East is actually dedicated to using technology for the greater good.”

The relationship between cybersecurity vendors, enterprise customers and law enforcement agencies is certainly changing, and Samani puts this shift succinctly. “It really isn’t about finding a vendor anymore, it is about finding a partner. When an incident occurs, it is about being the ‘grown up in the room’. I don’t know what other companies are doing, but that is what Intel Security is doing.”

And what Intel Security is doing is nothing short of remarkable, according to Samani. “We are enabling businesses to do truly disruptive things. Be it healthcare, or farm to table foods, cloud or even criminal services – they are all intertwined with technology these days and we are supporting those businesses to use their technology in new ways.”

With a future that will inevitably be built on the foundation of interconnected machines, there are a few concerns when it comes to security in the up-and-coming IoT space. “I’m concerned about the lowering of technical barriers to being a hacker these days,” says Samani. “Anyone can be a hacker now; it doesn’t take any technical expertise, and that is a problem.” As for the remedy: “Staying informed is the best weapon. We need to stay one step ahead, and that is what we are helping our customers do at Intel Security.”

Prior to Intel, Samani worked across numerous public sector organisations, in many cybersecurity and research-orientated working groups across Europe. He is also the author of the Syngress books ‘Applied Cyber Security and the Smart Grid’ and ‘CSA Guide to Cloud Computing’, and the technical editor of ‘Industrial Network Security (vol 2)’ and ‘Cyber Security for Decision Makers’. Samani is currently the Cloud Security Alliance’s Chief Innovation Officer and previously served as Vice President for Communications in the ISSA UK Chapter, where he presided over the award of Chapter Communications Programme of the Year in 2008 and 2009. He is also Special Advisor for the European CyberCrime Centre, sits on the advisory council for the Infosecurity Europe show and Infosecurity Magazine, is an expert on both searchsecurity.co.uk and the Infosec portal, and is a regular columnist on Help Net Security. He has had numerous security papers published, and regularly appears on television commenting on computer security issues.
Middle East Security Awards & Conference (MESA)
In association with: CISO Council
www.mesecurityawards.com @mesawards, #mesadubai
Headline Sponsor: Digital Risk Alliance (DRA)

MESA Conference: the largest ever gathering of CISOs from the Middle East. Awards, conference and workshops, with 30+ CISOs from the Middle East and other continents sharing their experience and best practices.

MESA Conference & Awards: May 10-11, 2016, The Address Marina Hotel, Dubai, United Arab Emirates
Awards Gala (MESA CISO100 Awards; (ISC)2 Security Awards, Community Choice): 10th May, 2016, 6:30 PM onwards

CERT keynotes and speakers: Eng. Bader Al Saleh, Director General, Oman CERT; Dr. Amirudin B Abdul Wahab, Cybersecurity Malaysia
International keynotes: Gary Hayslip, CISO, City of San Diego; Phil Cracknell, Advisor, Arriva Group; David Fowler, Online Trust Alliance
Bronze sponsor: RAS Infotech Limited
Organized by: Emirsec, investing in the digital future

Register online, limited seats available.
report

DNS attacks on the rise
Malicious DNS infrastructure creation rebounds to near record levels, according to the Infoblox DNS Threat Index

The Infoblox DNS Threat Index broke with previous trends by rebounding to a near record high in the fourth quarter of 2015, and found that more than 90 percent of newly observed malicious domains worldwide are hosted in the U.S. and Germany.

The Infoblox DNS Threat Index is an indicator of malicious activity worldwide that exploits the Domain Name System (DNS). Cybercriminals create new domains or hijack legitimate domains as a foundation for unleashing a variety of threats ranging from simple malware to exploit kits, phishing, distributed denial of service (DDoS) attacks, and data exfiltration. The index tracks creation of malicious domains tied to 67 separate threat categories globally, using data from a range of sources including government agencies, Internet service providers, enterprise network operators, and open sources.

Q4 2015 FINDINGS

After dipping in Q3 2015, the threat index rebounded in Q4 2015 to 128, near the record high of 133 set in Q2 2015. This breaks with previous cycles, where record high threat levels (indicating the planting of malicious new infrastructure) were followed by several quarters of relative quiet as cybercriminals used that infrastructure to harvest data and harm victims. It also means the threat index has been well above its historical average in 2015. Although it is too early to judge definitively, this may indicate a new phase of sustained and simultaneous plant/harvest efforts, pushing the index into uncharted territory.

Exploit kits appear to have cemented their place as a significant component of the index. While Angler remains the top threat, the unexpected resurgence and rapid rise of the RIG exploit kit demonstrates the ability of cybercriminals to adapt older kits to target new locations and implement new techniques.

Infoblox is also identifying the top countries that serve as hosts for malicious domains and exploit kits. Despite what most would suspect—that malicious domains would be hosted out of cybercriminal hot spots where infrastructure is not well policed, such as Eastern Europe, Southeast Asia, or Africa—it turns out that in Q4 2015 the United States hosted 72 percent of newly observed malicious domains and related infrastructure (servers, storage, networking equipment, etc.) used to launch cyberattacks. Only one other country of origin, Germany at just under 20 percent, registered above 2 percent.

A SHIFT IN THE ENDLESS CYCLE OF PLANTING AND HARVESTING

As attackers and threat researchers play a constant game of cat-and-mouse, the Infoblox DNS Threat Index has historically shown periods of increased activity and subsequent lulls in malicious domain creation—a cycle referred to as planting and harvesting. The plant/harvest cycle is relatively easy to understand, and has historically provided some indication of future trends. During the planting phase, cybercriminals rapidly create DNS infrastructure and set up domains as a base for launching attacks. The threat index rises to reflect this significant increase in the number of malicious domains associated with malware and exploit kits. As this phase ends, the attackers begin to harvest the extensive infrastructure they have built to launch attacks, steal data, and generally cause harm to their victims. The threat index, which tracks the appearance of new threats and locations, will
correspondingly fall, even if this doesn’t mean overall malicious activity has subsided. Yet while the index dipped from Q2 to Q3 2015—the likely start of a harvesting cycle—it rebounded immediately in Q4 2015 to near its all-time high. This appears to be a break in the plant/harvest cycle, and may indicate a new trend toward sustained creation of malicious infrastructure along with the simultaneous harvesting of stolen data. Regardless of past cycles, what is readily apparent is that the index for all of 2015 has been well above its historical average, the first time that has happened in the three years this report has tracked malicious domain creation.

EXPLOIT KITS AND DNS SECURITY

Exploit kits are toolkits for hire that deliver malware via drive-by download. The main purpose is to lower the technical bar for spreading malware, as the attacker does not need to know how to create or deliver the exploit itself in order to infect systems. Many of these kits even feature a user-friendly interface to manage and monitor the malware campaign itself. The payload will vary depending on what the current user of the exploit kit specifies. Past payloads have included all kinds of malware, such as banking malware, advertising click-fraud malware, and ransomware.

Exploit kits typically take advantage of security holes or vulnerabilities in operating systems, browsers, and popular software such as Adobe Flash and Java. Users are exposed to the kits (and payloads) either via spam or malicious ads on compromised web sites. The kit’s infrastructure is generally composed of three components: a back end containing a control panel and payloads; a middle layer which contains the exploits and creates the tunnel to the back end server; and the proxy layer, which serves the exploit directly to the victim. The exploitation/infection chain is generally similar across exploit kits:

• A victim visits a website fully or partially under the attacker’s control.
• The victim is redirected through various intermediary servers.
• The victim unknowingly lands on a server hosting the exploit kit.
• The kit attempts to install itself by exploiting vulnerable software on the victim’s system.
• If it is successful, a malicious payload is delivered.

The main distinctions are the vulnerabilities used to infect visitors and the tricks used to defeat antivirus defenses. While exploit kits mostly target computers, mobile devices can also be compromised, and are increasingly targeted because of the vast number of people using them for tasks such as email, web surfing, banking, and social media. Also, users typically take fewer security precautions with mobile devices, making them easier to invade. Attackers are expected to gradually shift to delivery of mobile malware through mobile browser web pages, essentially the same approach that drives most infections on conventional computers.

When an exploit kit succeeds in delivering its payload onto a victim’s computer or mobile device, that payload is now behind the company’s or service provider’s firewalls. The malware can spread to other devices and communicate back to its command-and-control (C&C) server through the Internet to download further malicious software or exfiltrate data. Very often, communication between the infected device and C&C server requires DNS.
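Because the C&C traffic described above, and the domain shadowing the Angler and RIG sections below attribute to those kits, both leave traces in DNS, a resolver log is a natural place to look for them. The following is an added example, not from the Infoblox report or its products, that scans a constructed passive DNS query log for two indicators: registered domains that appear for the first time (newly planted infrastructure) and registered domains that suddenly sprout many distinct subdomains (the shadowing pattern). The log format, domain names, baseline set and threshold are all constructed, and registered-domain extraction simply takes the last two labels, a simplification of what a Public Suffix List lookup would do in practice.

```python
"""Scan a passive DNS query log for two indicators: registered domains never
seen before (newly planted infrastructure) and registered domains that
suddenly sprout many distinct subdomains (a domain shadowing pattern).

Added illustration; log lines, domain names, the baseline and the threshold
are constructed. Registered-domain extraction takes the last two labels, a
simplification: a real deployment would consult the Public Suffix List.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed resolver log: "<epoch> <client_ip> <qname>", one query per line.
# The final line is deliberately truncated to show malformed input being skipped.
SAMPLE_LOG = """\
1451606400 10.0.0.15 www.example.com
1451606405 10.0.0.15 cdn.example.com
1451606410 10.0.0.22 mail.example.com
1451606420 10.0.0.31 a7f3.shadowed-blog.example
1451606421 10.0.0.31 q91z.shadowed-blog.example
1451606422 10.0.0.31 k02m.shadowed-blog.example
1451606423 10.0.0.31 zz8p.shadowed-blog.example
1451606424 10.0.0.31 t4rr.shadowed-blog.example
1451606430 10.0.0.40 update.freshly-planted.example
1451606431 10.0.0.40 www.example.com
1451606440 10.0.0.40
"""

# Constructed baseline: registered domains already seen in earlier windows.
BASELINE: Set[str] = {"example.com", "shadowed-blog.example"}

# Constructed threshold: more distinct subdomains than this under a single
# registered domain within one window is reported as a shadowing indicator.
SHADOW_THRESHOLD = 4


def registered_domain(qname: str) -> Tuple[str, str]:
    """Return (registered_domain, subdomain_part) for a query name."""
    name = qname.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2:
        return name, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str) -> List[Tuple[int, str, str]]:
    """Parse log lines, skipping any that do not carry all three fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed or truncated line
        ts, client, qname = parts
        records.append((int(ts), client, qname))
    return records


def analyse_dns_log(text: str, baseline: Set[str], threshold: int) -> Dict[str, object]:
    """Report newly observed registered domains and shadowing candidates."""
    subdomains: Dict[str, Set[str]] = defaultdict(set)
    for _ts, _client, qname in parse_log(text):
        reg, sub = registered_domain(qname)
        subdomains.setdefault(reg, set())
        if sub:  # apex queries carry no subdomain label
            subdomains[reg].add(sub)
    newly_observed = sorted(reg for reg in subdomains if reg not in baseline)
    shadowing = {reg: len(subs) for reg, subs in subdomains.items() if len(subs) > threshold}
    return {"newly_observed": newly_observed, "shadowing": shadowing}


if __name__ == "__main__":
    result = analyse_dns_log(SAMPLE_LOG, BASELINE, SHADOW_THRESHOLD)
    for reg in result["newly_observed"]:
        print(f"newly observed domain: {reg}")
    for reg, count in result["shadowing"].items():
        print(f"possible domain shadowing: {reg} ({count} distinct subdomains)")
```

Both outputs are leads rather than verdicts: content delivery networks and large SaaS tenants legitimately produce many subdomains, and a brand-new domain may simply be a new supplier, so the hits are meant to be joined with reputation data and the client's other activity before anything is blocked.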
ANGLER EXPLOIT KIT

Angler is one of the most sophisticated exploit kits currently used by cybercriminals and leads exploit kit DNS activity again in Q4. Angler is notorious for pioneering the “domain shadowing” technique used to defeat reputation-based blocking strategies, and for infiltrating malicious URLs into legitimate ad networks, taking visitors who click links in the infected ads to websites that insert malware. Angler exploit kits are often quickly updated with the latest zero-day vulnerabilities in popular software and use sophisticated obfuscation techniques, making it difficult for traditional antivirus technologies to detect them. The constant evolution of Angler exploit kits means organizations need to invest in protection technologies that not only address one stage of the exploit, but can detect and disrupt activity across the entire kill chain.

RIG EXPLOIT KIT

RIG, an older exploit kit that had been far back in the pack in usage during previous quarters, surged into second place among new infections in Q4, with almost twice as many appearances as the third-place kit, Magnitude. This indicates that as exploit kits are updated, we may see the reappearance of past threats in a new guise in coming years. RIG was first identified in 2013 as Goon, and like other exploit kits at the time, RIG usage increased following the demise of the Blackhole exploit kit (the most prevalent web threat as of 2013, when its creator was arrested). TrendMicro’s report for 2014 shows RIG at 11 percent market share, behind SweetOrange, Angler, and Magnitude. In early 2015, the RIG 2.0 source code was leaked, and this likely drove the RIG developer to create a new release. According to SpiderLabs, by mid 2015 RIG 3.0 was averaging 27,000 infected machines per day, with 90 percent of the traffic resulting from malvertising.

Infoblox analysis of RIG activity in 2015 shows that it began using domain shadowing techniques similar to those pioneered by Angler to defeat reputation-based blocking strategies. Several members of trust groups in which Infoblox participates reported seeing threat actors commonly associated with the SweetOrange and Qakbot exploit kits now using RIG instead. Data from Cisco revealed more than 700 subdomains used for the shadowing, with several large spikes of two to three times the average during the first part of Q4. Further analysis showed that of the 44 IP addresses seen delivering RIG, 43 belonged to AS 35415 (an autonomous system ID in the Netherlands that approximately maps to hosting provider Webzilla) and were leased to Eurobyte, a hosting company based in Russia. On Oct 6, 2015, FireEye detected an advertising network on clickads.net hosting a malvertising campaign redirecting to RIG, which corresponds to Cisco’s observations. Heimdal Security reported that RIG was also being served up through Google SEO poisoning, which refers to the use of search engine optimisation tactics to promote malicious websites.

THE U.S. AND GERMANY ACCOUNT FOR MORE THAN 90% OF MALICIOUS INFRASTRUCTURE

With this quarterly report, Infoblox is identifying the top countries for hosting infected systems. It is important to note that this is not an indication of “where the bad guys are.” Exploit kits and other malware can be developed in one country, sold in another, and used in a third to launch attacks through systems hosted in a fourth—which is part of what makes stamping out cybercrime so difficult. However, such a list can be an indication of which countries tend to have either lax regulations or policing, or both. Identification of those countries helps shine a light on needed improvements. That said, the clear country of choice for hosting and launching attacks using malicious DNS infrastructure in Q4 2015 is the United States, which accounted for an astonishing 72 percent of malicious domains with a knowable country of origin. Germany at 19.7 percent was the only other country to register above 2 percent.
As the world’s top economy, the U.S. is clearly a desirable target. What this analysis shows is that it is also a soft target—not only in the sense that individuals and businesses are vulnerable to cyberattack, but (just as important) in that hosting infrastructure in the U.S. is very easy to penetrate and put to malicious use. It is a common assumption that cybercrime originates from hotspots in Eastern Europe, Southeast Asia, and Africa. However, this analysis demonstrates the underlying infrastructure used to launch the attacks themselves sits elsewhere—safely and comfortably in the most developed countries.

Two observations can be drawn from this information. First, location does not denote protection; just because a domain is hosted in the U.S. or Germany does not make it safe. Secondly, criminals are just as likely to take advantage of the rich technology and service infrastructure that exists in these countries as is any legitimate business, and it would be difficult to harden that infrastructure against exploits without limiting much of the speed and responsiveness that makes it attractive for business.

It would be nice to think that, at the very least, hosting providers would be quick to take down a malicious domain once it is identified, thus limiting the damage. After all, providers in the U.S. don’t face the same language barriers, cross-border jurisdiction issues, policy differences, etc. that confront an international policing and take-down effort. Unfortunately, not only does the U.S. define the average for response time, it also has hosting providers—large and small—who are very slow to respond. If there is an area of focus for improvement, this is it.

The report speculates that Germany registered as high as it did (nearly 20 percent) for two reasons. First, like the U.S., it has a sophisticated Internet infrastructure, and as with the U.S., cybercriminals are taking advantage of this fact. Of course there are other countries that can also boast solid infrastructure, so location is probably the second factor “favouring” Germany in this regard—it sits near a number of Eastern European countries that have cybercrime rings, yet is generally viewed as a safe country for doing business.

Rounding out the countries that accounted for more than one percent of malicious infrastructure were:

Switzerland: 1.8%
The United Kingdom: 1.79%
Turkey: 1.27%
Ireland: 1.14%
SUMMARY

The Infoblox DNS Threat Index for all of 2015 has been well above its historical average, and finished the year near record levels. More alarmingly, the historic plant/harvest cycle appears broken, which indicates a greater sustained level of infrastructure expansion and makes it difficult to predict future trends. Older exploit kits are also seeing new resurgence as they are adapted to take advantage of the latest techniques, adding a new twist to the “whack-a-mole” game between threat researchers and cybercriminals. Finally, Infoblox is highlighting the top source countries for malicious domain creation in the hope that greater awareness and scrutiny can help slow the spread of malware. Infoblox will continue to monitor new malicious domain-creation activity to help its customers better prepare to handle threats to their infrastructure and data.
opinion

Next-gen endpoint security tools to replace antivirus
The market for next-generation endpoint security tools has doubled each of the last two years

The market for next-generation endpoint security tools has doubled in each of the last two years, and will continue to grow at a compound annual growth rate of 67 percent for the next five years -- but that growth could skyrocket if more vendors are certified as antivirus replacements.

Growth has been dramatic because most of the vendors are still very young, said David Monahan, research director at Enterprise Management Associates. With new companies, even a small increase in revenues can translate to a high percentage growth rate. “In addition, organisations recognise they need better prevention or detection and are buying at a breakneck pace to augment their current protection,” he said. “The thought is that antivirus protects against nuisance threats and the new stuff can then focus on the rest.”

Currently, the size of the next-generation market is about half a billion, according to a report released last month. This compares to an IDC-estimated $9 billion for the traditional antivirus market, which translates to a relative ratio of about five percent. If widespread certification happens, the cash cow the traditional vendors are still experiencing will be in jeopardy, and the relative size of the market could expand a hundredfold, said the report. That means that either the next-generation market will grow dramatically, Monahan said, or it will grow not quite as much but the traditional market will shrink. “Both are a possibility,” he said. “If the auditors accept more of the solutions as antivirus replacement -- thus allowing business to buy the more effective solution instead -- they will then drop pay-for antivirus because it saves them money not to use two solutions when unnecessary.”
In fact, two vendors, Carbon Black and SentinelOne, have already been certified as antivirus replacements. “This was not a trivial exercise, but it offers an additional payoff for those companies,” the report said. “If either of these companies gains proportionately more market share over the next year, other vendors may decide to make the investment in certification as well, but both will still have a head start of more than a year.”

For example, the Payment Card Industry Data Security Standard requires that retailers and other organisations that deal with card payments have anti-virus software installed on all systems that can be infected by malware. Coalfire Systems, which is certified to evaluate vendors for PCI DSS compliance, tested that Carbon Black’s Enterprise Protection product can be used instead of antivirus, because it was able to block attempts to install malicious software, as well as stop cyber threats that evade antivirus using zero-day and targeted attacks.

Carbon Black uses application control -- a type of whitelisting -- to ensure that malicious software is never installed on user devices. Companies can set policies allowing, say, only software from certain trusted organisations to be installed by end users, while other software can only be installed with permission from IT. Or they can allow certain types or groups of users to manually approve unauthorized software, but send a report to IT. There are various possible levels of prevention, said Kevin Flanagan, director of corporate communications at Carbon Black. “And IT doesn’t need to be responding all the time to requests for software approval,” he added. As a result, he said, Carbon Black doesn’t just stop known malware, but brand-new malware, variations on old malware designed to slip past traditional antivirus, zero-day exploits, and targeted advanced attacks.

According to the EMA report, Carbon Black is currently the leading next-generation endpoint security vendor by revenue, with 24 percent of the total market. In addition, Carbon Black is the leading vendor by licenses sold, with 16 percent of the market. By comparison, 2-year-old SentinelOne, the other vendor to seek certification, has a much smaller share of the market -- one percent by revenue, and one percent by licenses sold. It also takes a different approach to malware prevention than Carbon Black, looking at the behavior of applications. “We operate within the kernel space, looking at all the kernel-level processes,” said Scott Gainey, CMO at SentinelOne. “We try to identify malicious patterns.”

The company was tested by AV-test last June, and it caught 100 percent of malware in the AV-test reference set of malware discovered in the previous month, compared to the industry average of 99.1 percent. But AV-test doesn’t do enough to evaluate vendors on unknown threats, Gainey said. “That’s critically important,” he added.

In February, Gartner named SentinelOne a “visionary” in the company’s Magic Quadrant for endpoint protection platforms, saying, “the solution performs well in antivirus tests without relying on traditional signatures, indicators of compromise, or whitelisting.” However, as a new company, it’s missing some of the extended features offered by more established players in the space, such as URL filtering, port protection, and enterprise mobility management. Gartner also warned that attackers are always looking for new ways to avoid detection. “As SentinelOne becomes more popular, its approach will come under more scrutiny from attackers,” wrote Gartner analyst Peter Firstbrook in the report.
opinion

Cloud and vulnerability management
Wolfgang Kandek, CTO of Qualys, on how to avoid the stumbling blocks on the road to security.

Security is a big challenge for many businesses. The growth in data breach stories in recent years proves that companies of all sizes can be successfully attacked – from small organisations like a Sharjah-based bank, to large companies such as Saudi Aramco and the Hilton Hotels chain, there wasn’t a week that went by last year without news of a new attack hitting the media.

To some extent, this growing awareness of security has been useful for IT teams. Data breaches cause damage to organisations’ brands and lead to customer attrition. Management is now confronted with information on security from many outside sources, and IT security is quickly gaining board-level attention. The World Economic Forum released its 2016 report in January and held up lack of IT security as one of the biggest risks to businesses being successful in the future. Cyber-attacks are listed as the number one risk to economic growth for companies – emphasising the need to have a sound IT security strategy.

However, in the Middle East, economic challenges due to falling oil prices have put companies in a position where they are forced to make sacrifices. When corners are cut for budgeting reasons, it often puts IT security projects
in jeopardy. In turn, businesses are left vulnerable to a host of attacks, as cybercriminals are often opportunistic and wait for when their targets’ infrastructure is at its weakest to strike. This is accelerating an already present effect: IT is looking for alternative options to the traditional capital expense-heavy approach that on-premises products have attached to them. Software as a Service tools fit the bill here, as one can start small, increase usage as needed and only get billed for metered usage. In addition, the existence of free tools for asset discovery can help businesses to get an accurate picture of their IT assets, one of the fundamental building blocks for better IT security management.

Making the move to cloud security

The growth of cloud computing has had a big impact on the IT industry as a whole. Alongside the changes in budgeting and economics of running IT for enterprises, the shift to cloud-based IT is affecting security as well. In the past, all company data would have been based on internal IT assets and storage. This centralised approach meant that firms could concentrate on securing the perimeter, adding defence in depth through layering more technologies over the top of the corporate firewall. However, this accretion of technologies has not kept up with either the shifts in how companies run their IT or the aggressive development of the malware sector.

Today, any employee can access company information from mobile devices while they are out of the office; while often companies supply these devices and keep them secure, many employees are using their own phones, laptops or tablets as well. Line of Business teams can buy in their own applications without involving IT in the selection process or asking about security; the data they create after these decisions never gets saved on company IT assets. Many applications have shifted to third party providers or to the cloud. The perimeter that was so secure in the past has now become irrelevant.

At the same time, IT teams have to meet shorter vulnerability windows between issues being found and exploits published. What took more than 60 days a decade ago in 2006 was reduced to eight days in 2014. In 2016, the vulnerability window is now less than 48 hours. All this change means that IT has less visibility into the current status of IT assets, as well as all the services that are being used across the business. To combat this, IT security needs to become global and work in real-time; moving security and vulnerability scanning services to the cloud can help.

Making use of cloud services in this way helps IT deliver better service back to the business, while also providing better quality data on the company’s security position. With cloud services, even if company IT assets are mobile, they can be checked regularly to ensure that they are up to date and secure. Making use of cloud helps IT to gain back visibility and deliver information and security on a continuous basis. Companies in the Middle East have shown great confidence in the future of cloud services, with a recent study showing that 95 per cent of enterprises have already implemented or plan to implement cloud-based models in their ecosystem.

For smaller firms cloud security is even more attractive, as it offers capabilities and levels of protection that could not be achieved by their internal teams. Operators of cloud services work at scale in secure data centres and have to focus on securing their implementations; in fact this emphasis on security within multi-tenant environments is critical to their ongoing success as a business. As a result, cloud vendors have to build security into their infrastructure from the start.

For small and mid-sized businesses, the decision around cloud security should be a simple one to make. The key approach is to start with an inventory of existing on-premises and external IT assets. Once an overview of all assets has been created, it’s then possible to continuously monitor external applications and internal IT assets for flaws and misconfigurations. The ongoing emphasis on continuous monitoring with short windows to fix deployments ensures that all endpoints, even roaming laptops, are secured against attack.

For larger companies, the move to the cloud can be more complex. However, the journey should begin by introducing asset management tools that cover the whole business across internal or fixed IT assets as well as those that are primarily used outside the business and never touch the corporate network. This asset data is the basis for ongoing security, so it should be continuously updated. Using cloud for scanning avoids some of the IT overhead that traditional vulnerability management products have, as they can scale up and down based on the volume of scans that are required. While critical applications and mobile devices might get scanned every day to check for problems, internal IT assets may only need to be scanned every week. Overall, this asset list will provide IT with a better picture of security for the whole business.
Insight
Are you failing Security Basics 101? Patching, backups, firewall configuration … when it comes to security, make sure you take care of your infrastructure before you invest in next-level tools.
Security tools are getting more sophisticated. DevOps is bringing us automation in operations, and a more holistic way of looking at how we manage infrastructure. But all too often, we’re not doing basic things to improve security and reliability, like protecting against known vulnerabilities.

Hewlett Packard Enterprise’s 2016 Cyber Risk Report points out that “29 percent of all exploits samples discovered in 2015 continued to use a 2010 Stuxnet infection vector that has been patched twice.” It takes an average of 103 days for companies to patch known network and security vulnerabilities, according to a study that vulnerability risk management vendor NopSec ran last year; that goes down to 97 days for healthcare providers and up to 176 days for financial services, banking and education organisations.

That’s not taking into account misconfigurations, or lack of communication between different teams. “If you’re blocking email from an IP address because it’s sending you phishing messages, you probably don’t want it to be logging in to your SQL database either, but your email and database admins probably aren’t sharing that information,” points out Paul Mockapetris, the chief scientist at THREATstop, which offers a cloud service for blocking known malicious IP addresses by regularly updating the block lists on your existing firewalls. It sends the details over DNS “for the same reason the bad guys use it for data exfiltration; it pretty much goes everywhere and every device in the world understands it.”
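The gap Mockapetris describes, where the mail team blocks an address and the database team never hears about it, can be closed with a small correlation job over the two teams' logs. The following is an added example and not code from the article or from THREATstop; both log formats, the field names and the addresses are constructed for the demonstration:

```python
"""Correlate a mail gateway's phishing blocks with database login attempts.

Added example, not code from the article or from THREATstop. The mail team
blocks an IP for sending phishing; the database team never hears of it. This
joins the two logs so a login attempt from an IP already blocked at the mail
layer is surfaced. Both log formats and all addresses are constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed mail-gateway log (RFC 5737 documentation addresses).
MAIL_LOG = """\
2016-04-01T08:12:05Z mailgw action=block reason=phishing src=203.0.113.45
2016-04-01T08:40:11Z mailgw action=deliver src=198.51.100.7
2016-04-01T09:02:43Z mailgw action=block reason=phishing src=203.0.113.99
"""

# Constructed database authentication log.
DB_LOG = """\
2016-04-01T09:15:22Z db auth user=app_ro result=fail client=203.0.113.45
2016-04-01T09:15:30Z db auth user=app_ro result=fail client=203.0.113.45
2016-04-01T10:01:00Z db auth user=reporting result=ok client=198.51.100.7
2016-04-02T11:30:09Z db auth user=admin result=ok client=203.0.113.99
"""

MAIL_RE = re.compile(r"^(?P<ts>\S+) mailgw action=block reason=phishing src=(?P<ip>\S+)$")
DB_RE = re.compile(r"^(?P<ts>\S+) db auth user=(?P<user>\S+) result=(?P<result>\S+) client=(?P<ip>\S+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def blocked_senders(mail_log):
    """Map each IP the mail gateway blocked for phishing to its earliest block time."""
    blocked = {}
    for line in mail_log.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue  # deliveries and unrelated lines are ignored
        ip = ipaddress.ip_address(m["ip"])  # rejects malformed addresses early
        ts = parse_ts(m["ts"])
        blocked[ip] = min(ts, blocked.get(ip, ts))
    return blocked


def correlate(mail_log, db_log, window_hours=24):
    """Database login attempts from mail-blocked IPs within window_hours of the block.

    Returns a time-ordered list of (ip, db_user, result, timestamp). Successful
    logins (result=ok) are included deliberately: those are the ones to chase.
    """
    blocked = blocked_senders(mail_log)
    window = timedelta(hours=window_hours)
    hits = []
    for line in db_log.splitlines():
        m = DB_RE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if ip not in blocked:
            continue
        ts = parse_ts(m["ts"])
        if timedelta(0) <= ts - blocked[ip] <= window:
            hits.append((str(ip), m["user"], m["result"], ts.isoformat()))
    return sorted(hits, key=lambda hit: hit[3])


if __name__ == "__main__":
    for ip, user, result, ts in correlate(MAIL_LOG, DB_LOG):
        print(f"{ts} {ip} tried db user={user} ({result}) after being blocked for phishing")
```

With the default 24-hour window the two failed logins from 203.0.113.45 are flagged and the next-day login from 203.0.113.99 is not; widening the window to a week picks it up too. The same join works in reverse: an address seen attacking the database is worth feeding back to the mail gateway's block list.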
“We want to show that security can be understandable and simple,” says Mockapetris (best known as the co-inventor of DNS). “We can configure all your firewalls for you automatically.”

Chris Bridger, THREATstop’s senior director of security, points out the benefits of automation. “Ensuring security controls are in place that govern network access and apply appropriate protection filters to block threats in near real-time becomes a challenge for any organisation’s security policy. As the threat landscape is constantly changing, an automated approach which removes the time costs, as well as the potential for human error, has become an essential component.”

But Mockapetris makes a point that applies beyond THREATstop’s Shield service. It might not sound as sexy as threat intelligence systems with dramatic visualisations, he admits, “but you can fix a lot of your life by doing all that simple stuff.”

CaaS – get used to it

The idea of configuration as a service – and treating infrastructure declaratively – is part of the automation and standardisation that enterprise IT departments are going to have to get comfortable with if they want private and hybrid cloud to work. If you run Azure Stack, Microsoft’s forthcoming hybrid cloud solution, you’ll be following a much more prescriptive way of working. “In the past, we left how to patch systems as an exercise for the customers. Now we’ll provide an update, and an orchestration system together with the patch,” explains Vijay Tewari from Microsoft’s Enterprise Cloud team. “We will orchestrate the patch across the system so it does not take down any workloads.”

The system will check itself as part of the update, he says, using the same Test in Production system it will use to avoid configuration drift. “How do you know the system has deployed correctly? Six months down the line, how do you know it’s still configured well? TIP is a series of scheduled tests for that. And when we use automation to patch the system, we run TIP to check the system is healthy, then we patch it and then we run TIP again so we see that we got what we expected.” That won’t be disruptive and it shouldn’t involve scheduling downtime.

Before Azure Stack, Tewari worked on Microsoft’s Cloud Platform System, a hyperconverged appliance built with Dell hardware running the Windows Azure Pack. “For CPS, we release three patches a year. We can patch a customer on premise without bringing down their workloads,” says Tewari.

For your existing servers, there are plenty of tools for avoiding configuration drift in a more automated way, like a combination of UpGuard’s Guardrail to look for changes in configuration over time, or between different servers, PowerShell Desired State Configuration scripts to apply the right configuration and Pester to run integration tests to make sure that configuration does what you want it to. Doing that kind of configuration management at scale, as a service, is what Microsoft’s Operations Management Suite is designed for. It’s a mix of automation (including backup and recovery) for Windows Server, Linux, VMware, Azure, AWS and OpenStack, with security and compliance tools and log analytics that let you see how well you’re doing at the basics, like applying patches and getting configuration right. “It’s helping IT have a deeper view that makes their world easier,” claims Microsoft’s Jeremy Winter.

Skills gap continues to be a problem

Some of that is analysis you could already do with a tool like Splunk, but many customers didn’t have the expertise for that, he found. “I asked customers ‘why aren’t you using big data? Why don’t you have big analytics systems?’ and they told us ‘I don’t know how to make head or tails of all the data in there; I’m not a data scientist, I’m not the expert that can string this all together, I’m busy at my own job,’ and that’s where the ready-made solutions came from,” Winter explains. “This correlation between what’s changing, this correlation of configuration and understanding the desired configuration state of your environment, and then overlaying that with security, compliance and everything else; it’s not an individual bunch of siloed tools; it’s a mashup of that information that’s where you get the power. You bring all your data into this environment and you start to have a nervous center for all this information, so you can correlate across it.”

But as more customers started using the service, Winter started noticing an interesting side effect that he calls ‘data exhaust’; patterns of information that emerge from the data customers are creating inside OMS. By uploading their logs in the Security and Audit Collection, customers don’t just get alerts about attacks that are happening. They also add their information about attacks to the details Microsoft gathers from its own system, making it easier to spot malicious IP addresses that are engaged in attacks.

There’s also a social, community aspect emerging, Winter says. “Another thing we saw – and it seems really simple; how long a patch takes to apply. How long is it taking other people?” That kind of comparison can be invaluable (rather than invidious), because it’s going to help you see how you’re doing on the basics. And if you don’t get those right, the most sophisticated threat intelligence systems can’t protect you.
feature
How an audit can shore up your security strategy A review of network security is much like a personal tax audit, but a bit less painful.
Information security audits are on the rise, as organisations look to not only bolster their security postures, but demonstrate their efforts to other parties such as regulators. Audits, which are measurable technical assessments of systems, applications and other IT components, can involve any number of manual and automated processes. Whether conducted by internal auditors or outside consultants, they are an effective way for companies to evaluate where they stand in terms of protecting data resources.

The high-profile data breaches of recent years have forced many organisations to take a closer look at their security technologies and policies, experts say. “Public exposure to the steady volume of company breaches has led to increased scrutiny from legislators and compliance organisations,” says David Barton, CISO at security technology provider Websense. “A comprehensive security audit programme is one way to satisfy the scrutiny of those compliance organisations.”

Audits can be complex, however. There are many standards in use, including some for regulated industries as well as independent standards developed by active industry control groups, says Sean Pike, program director, eDiscovery and Information Governance, at research firm IDC. “For each standard there are many more attempts at encapsulating the required audit components into control or common-control frameworks meant to guide the security audit,” Pike says. “Each control framework typically has a tremendous amount of controls that are meant to assist [an] audit—anything from user passwords to data storage or physical controls. An audit can be overwhelming for even the most mature organisation.”

Trends such as the rise in cloud services and mobile technologies are making audits even more complicated. “One of the immediate ways that an audit is affected is that it’s more difficult to determine where enterprise data is or where it moves throughout the course of a business process,” Pike says.

Here are some suggestions from experts on how to conduct an effective security audit:

Scope out the audit and do the necessary prep work: “The keys to a successful audit start long before the audit is actually conducted,” says Rich Wyckoff, manager of information security at Fletcher Allen Health Care. Develop the scope for the audit and work with the auditors beforehand to agree on what they will be auditing. “I’m of the mindset that I want an auditor to help me find pieces of the business I don’t know about,” Wyckoff says. “While no one likes to see the dirty laundry of their organisation, we can’t address and resolve what we don’t know is a problem.”

By developing the scope up front with the auditors, IT security can ensure that the auditors will spend time reviewing certain parts of business operations and give security an impartial view of those operations. Along with scoping the audit, IT security needs to work with auditors to understand what else they might have on their agenda.
“Different audits may require different resources, so understanding the audit scope and schedule up front allows you to make sure that the appropriate individuals attend the necessary meetings,” Wyckoff says. “There’s nothing worse than sitting down for an audit meeting to quickly realise you do not have the appropriate resources in the room to answer the questions the auditors were looking to ask.” Once the scope is identified and agreed upon, you can start on the prep work. “It is a good idea to get a list of requested items from the auditors in advance so you know exactly what documentation they will be looking for,” Wyckoff says. “If any cloud services are within the scope of the audit, you may want to request any service audits such as a SOC 1 or SOC 2 audit from the service organisation.”

When preparing for an audit, it’s critical to understand what the auditors are looking at and how it’s relevant to your environment, adds Josh Feinblum, vice president of information security at security technology company Rapid7. “Your preparation and response are wholly driven by the evaluated controls and purpose of the audit,” Feinblum says. “Are the auditors using prescriptive benchmarks like ISO 27001, FedRAMP, or PCI DSS? Is the audit being done to help your organisation improve its controls?”

Eliminate any disconnect between IT and the compliance/audit function: “This is drastically important,” Pike says. “One of the biggest problems with IT audit is that the results are often meaningless. The reason they are meaningless is because IT controls and audit control tests don’t always get to the root of a potential risk.”
For example, a control test might request verification that user passwords are changed every 30 days. “In response, an IT professional might provide the auditor with a screenshot of a domain policy that, sure enough, shows a box that is checked and a setting of 30 days for changing passwords,” Pike says. “The problem is that this evidence alone doesn’t actually tell an auditor enough to actually verify that all users are forced to change their passwords every 30 days,” Pike says. “There could be a number of exceptions or technological problems that allow user passwords to remain unchanged indefinitely.”
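What Pike is asking for is evidence at the account level rather than a screenshot of the policy. The following added example (not code from the article or IDC) classifies every enabled account against a 30-day rotation control and names the exceptions that a policy screenshot hides; the account fields, names and dates are constructed, and the field layout is an assumption rather than any directory product's schema:

```python
"""Per-account evidence for a 'passwords change every 30 days' control test.

Added example, not code from the article or IDC. A domain policy setting proves
only that the policy exists; the auditor needs the per-account facts: who is
exempt, whose password is stale, and who cannot be forced to rotate. The
account export below is constructed and its field layout is an assumption.
"""
from datetime import datetime

MAX_AGE_DAYS = 30
AS_OF = datetime(2016, 4, 15)  # date the evidence was pulled (constructed)

# Constructed export: (name, enabled, never_expires, last_set, policy_days)
# policy_days is a per-account or per-group override of the domain maximum, or None.
ACCOUNTS = [
    ("alice",      True,  False, datetime(2016, 4, 1),  None),
    ("bob",        True,  False, datetime(2016, 2, 1),  None),   # stale: policy not enforced?
    ("svc_backup", True,  True,  datetime(2014, 6, 9),  None),   # never-expires flag
    ("carol",      True,  False, datetime(2016, 3, 20), 90),     # override allows 90 days
    ("dave",       False, False, datetime(2015, 1, 1),  None),   # disabled, out of scope
    ("erin",       True,  False, None,                  None),   # no password-set timestamp
]


def audit_password_rotation(accounts, as_of=AS_OF, max_age_days=MAX_AGE_DAYS):
    """Classify every enabled account against the rotation control.

    Returns {"compliant": [names], "exceptions": {name: reason}}. Each reason is
    the sentence the auditor needs, not just a pass/fail bit.
    """
    compliant, exceptions = [], {}
    for name, enabled, never_expires, last_set, policy_days in accounts:
        if not enabled:
            continue  # disabled accounts are out of scope for this control
        if never_expires:
            exceptions[name] = "password-never-expires flag set"
            continue
        if policy_days is not None and policy_days > max_age_days:
            exceptions[name] = f"override policy allows {policy_days} days"
            continue
        if last_set is None:
            exceptions[name] = "no password-set timestamp; needs manual review"
            continue
        age = (as_of - last_set).days
        if age > max_age_days:
            exceptions[name] = f"password is {age} days old, rotation not enforced"
            continue
        compliant.append(name)
    return {"compliant": compliant, "exceptions": exceptions}


def evidence_summary(result):
    """Counts an auditor can quote: how many accounts pass and how many do not."""
    return {"in_scope": len(result["compliant"]) + len(result["exceptions"]),
            "compliant": len(result["compliant"]),
            "exceptions": len(result["exceptions"])}


if __name__ == "__main__":
    result = audit_password_rotation(ACCOUNTS)
    print(evidence_summary(result))
    for name, reason in result["exceptions"].items():
        print(f"{name}: {reason}")
```

Run against the constructed export, only one of five in-scope accounts actually satisfies the control, which is the finding the checked box at 30 days would never have produced. The same pattern applies to any control that is evidenced with a policy screenshot: enumerate the population the policy is supposed to cover and test each member.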
Unfortunately, there is often a lack of coordination between IT and the audit function. “The auditor has a task to do and the IT professional probably views it as a burden,” Pike says. The two need to communicate about exactly what’s needed.

Leverage efficiencies: For most organisations, a security audit is hard because there’s too much to do and a knowledge gap between the auditor and the IT group, Pike says. “Over the last several years we’ve seen a concentration on narrowing the knowledge gap in two ways,” Pike says. One is by using frameworks that consolidate audit control tests. “Instead of auditing one control over and over to meet different standards, it’s more effective to understand that several standards require auditing a specific control. Audit that one control in a meaningful manner and pass the results through to every standard as opposed to doing a poor audit five times.”

The second, and probably more important way to narrow the gap, is to use analytics. “Especially for the enterprise market there have been significant advancements in injecting audit process into technology,” Pike says. “These solutions can eliminate false positives and create a focused view of where systems might have problems.” Major auditing firms are leading the charge in developing customised systems in highly regulated industries to tackle well-known audit challenges, Pike says. “Currently some of these solutions can be expensive, but over the next few years should find their way into the mid-market,” he says.

Make sure the audit is comprehensive: The IT infrastructure now extends well beyond the walls of the organisation, and the audit needs to reflect that. “Our audits/assessments involve a cross-functional approach that involves an assessment of tools, processes and response procedures,” says Myrna Soto, corporate senior vice president and global CISO at media company Comcast. “The emergence of mobile technology and cloud services expands the technical capabilities required” to conduct an effective audit.

Traditional protocols can’t be assumed to be applicable for areas such as cloud-based computing capabilities or data storage, Soto says. “Testing containers and portability of data stores in the cloud—for us, a private cloud infrastructure—is important,” she says. “Network zoning has evolved as a result of cloud infrastructure capabilities and effective assessments/audits must account for multiple vulnerabilities.” As an example, network security audits account for one vector, but when you’re assessing something for the Internet of Things, including multiple connected devices performing multiple functions, that requires a comprehensive end-to-end assessment of security protocols for a variety of transactions, Soto says. “Protocols can include access controls, data masking, authentication and intrusion prevention,” Soto says. “Needless to say, the evolution of technologies has required an evolution of assessment needs and ultimately audit practices.”

Barton agrees that security audits need to be comprehensive and cover areas such as understanding all ingress and egress points for data within the organisation and the controls applied to those points; knowing where all sensitive information is stored within the organisation; knowing what systems support revenue generation and where they reside related to security controls; and evaluating internal security policies.

Ensure strong audit leadership: Whoever owns the audit function, whether it’s the CFO, CIO or some other executive, must be held responsible for the results and effectiveness of an audit. “Hopefully, this will create the culture change necessary to perform effective audits,” Pike says. “It doesn’t necessarily mean that a breach is his or her fault. What it does mean, however, is that the audit owner should ensure that employees in [the] organisation can answer difficult questions about IT capabilities and architecture.”
If an auditor goes out to the field to audit a development workflow in an environment regulated by the Health Insurance Portability and Accountability Act and knows little about HIPAA, development processes or the actual workflow, the audit isn’t going to work, Pike says. “Auditors must have the requisite knowledge required to approach [an] audit with skepticism,” he says.

Those in charge need to make sure audits account for the latest technology trends within the organisation. The combined influence of mobile, cloud, big data/analytics and social media has brought about new challenges for security auditors. “It is a steep learning curve for the auditors along with the CIOs, CISOs and risk professionals,” says Khushbu Pratap, principal research analyst at Gartner. “Digital business innovation disrupts risk and security management. Clearly, this also brings about new challenges on providing independent assurance on such risks.”

5 characteristics of exceptional internal audit leaders

PwC identified five characteristics consistently exhibited by the most effective internal audit leaders that all Chief Audit Executives should adopt:

1. Create and follow through on a vision. PwC found that very effective internal audit leaders possess a strong vision that aligns with both a company’s strategic direction and stakeholders’ expectations. These leaders translate their visions into strategic plans and invest in capabilities in support of their vision, especially data analytics and technological tools that allow them to innovate on process.

2. Source and retain the right talent. According to PwC’s study, CAEs identified talent shortages as the most significant barrier to increasing their contributions as leaders. Additionally, as business transformation continues to evolve, additional new skills are needed. PwC says the most effective internal audit leaders exhibit two talent behaviors that stand out from the pack: a focus on mentorship and talent development, and an ability to source the right talent when needed. PwC says very effective internal audit leaders also have a “no hierarchy in the room” policy, which facilitates staff development through open discussion and working as a team to solve problems. Fully 73 percent of these leaders use co-sourcing as part of their talent strategies.

3. Empower the internal audit function. Organisational position and the support of stakeholders play an important role in the effectiveness of internal audit leaders. PwC found that 78 percent of very effective internal audit leaders are vice presidents or hold senior positions in their organisation. Additionally, PwC found stakeholders are gravitating toward more senior leadership talent to fill the CAE role, noting their responsibility to empower the CAE by setting a culture that supports the importance of a strong control environment.

4. Demonstrate executive presence. Underscoring the need for leadership talent in the CAE role, PwC found that 90 percent of very effective internal audit leaders excel in demonstrating executive presence. They bring bold perspectives and think broadly about the company. PwC notes that internal audit leaders must inform, educate and influence stakeholders as well as earn their trust. One of the trickier challenges internal audit leaders face is communicating with a variety of internal and external stakeholders who each have different expectations of the function.

5. Partner with the business in meaningful ways. The most effective internal audit leaders set themselves apart by partnering with the business in meaningful ways. PwC says internal auditors should be able to stand out in three specific behaviors to become a very effective leader: 1. Develop relationships built on trust. 2. Build partnerships across the lines of defense to play greater roles in coordinating risk management across functions. Use those connections to raise their level of engagement across the organisation, taking on leadership roles in working with management, compliance, legal and other assurance functions to develop an integrated assurance strategy. PwC notes that some very effective internal audit leaders have taken to renaming the internal audit function (e.g., to audit services) to rebrand it as a collaborative function that partners with the business.
Insight
Thwarting attackers with threat intelligence Five steps to incorporate threat intelligence into your security awareness programme
In our recent articles, we highlighted that every significant and public attack exploited people to either get an initial foothold in a target organisation or as the entire attack vector. These attacks highlight the need for awareness as a top concern of security programmes. However, the reality is that generic awareness materials are of little use. Just saying that you have an awareness programme, with standard content, does little good in taking advantage of the exposure the ongoing attacks are generating within your organisation and the general public.

Awareness programmes should incorporate Threat Intelligence, which provides digestible products of continuous adversary monitoring, organised research, and threat analysis. The result is timely and actionable information about the likely attack vectors and targets of your potential and actual attackers. This intelligence can be made compelling and relatable to audiences seeing similar attacks in the news.

Security awareness teams need to make their materials and focus relatable and directly relevant in order for them to be useful. Threat Intelligence, as described above, details the most useful information, while balancing nascence, relevance, and timeliness of the data. The following recommendations provide some high level guidance on how to integrate Threat Intelligence into your awareness programmes.

1. Detail, within reason, real or imminent attacks against your organisation

One of the most frustrating aspects of implementing awareness programmes is that many people seem to believe that their organisation is an unlikely or uninteresting target, has a sufficient security programme in place that they don’t have to worry about potential attacks, or that it simply won’t happen to them. Therefore, security policies and guidelines are more of a nuisance than a valuable business function. While your intent should not be to scare people, there has to be an effort to communicate that there are issues that need to and can be addressed. With that realisation, people should hopefully believe that it can happen to them, and be motivated to take the right actions.

2. Use news events when you don’t have your own incidents to detail

Hacks like Anthem, Sony, Google, CENTCOMM, and just about any other newsworthy event seem to demonstrate time and time again that hacks are ongoing, and the direct result of a failure on a human level. This highlights that all of these organisations never thought it would happen to them, but they all became the victims of highly public and embarrassing attacks, which cost the organisations tens of millions of dollars. The point to get across is that attacks that exploit the end users are ongoing and pervasive. They all represent that the threat is imminent.

3. Detail what to look out for

When you inform people that there is a likely threat, which provides the motivation to take action, you need to similarly inform them specifically about what they should be looking for. If an attack is imminent, such as the Syrian Electronic Army attack previously mentioned, you can inform your users that they should be on the lookout for phishing messages. You can tell them the type of messages to expect and provide examples of messages that have been previously employed by the attackers. Also, many people were victimised by the Anthem hack. Those victimised by or aware of the compromise need to be made aware that they should expect phishing email messages taking advantage of the hack. This leverages the incident to increase overall user awareness. Whatever the likely attack vector is, the information should be detailed with the employees in mind.

4. Specify how to react

Telling people what to look for does little more than promote annoyance or generate fear. Providing people with the actions to take if they perceive themselves to be under attack gives them control. The threat, actualisation, and prescribed actions should be specific and should include how to prevent the attack and who to report the potential incident to. Clearly, telling people what to do or not to do only prevents the attack from being successful against that individual; even a minimally committed attacker will move on to the next potential victim. When someone reports the attack in progress, the security team can then take actions to prevent the attack from being successful against less aware individuals. For example, if there is a phishing message involved, the security team can delete copies of messages to other individuals off of the email server. If you know that people are being sent to a specific domain, you can block the domain. You can also send out a more specific message to all people informing them of the specific nature of the actual attack, which also helps people realise that attacks against your organisation are real.

5. Ensure the security team is aware of the intelligence and recommended actions

You should not take for granted that the security team is fully aware of the issues and how to respond. Too frequently there is an inaccurate assumption that people know how to respond and react correctly. The “security team” should be broadly defined to include the Help Desk (or whomever receives security-related calls), email administrators, web administrators, physical security, and any other group that might be responsible for taking an action if there is a potential attack. These people need to know specifically what their responsibilities are. They need to know how to respond to users reporting potential attacks. They should know the specific actions to take in response to the pending attacks. Again, their actions depend upon their roles and responsibilities, but they should be well defined in advance. The last thing you want is for a user to properly respond to and report an incident, and then the people contacted do not know what to do.

Summary

Creating a culture of awareness, action, and communication improves both incident detection and response. Your user base becomes aware and active when it comes to potential attacks. This increases the effectiveness of the security team, exponentially growing its capacity to detect and respond to attacks. In the ideal world, people should be constantly on the alert for potential attacks and know how to respond. Again, that is not what we experience in the real world. While we don’t wish that any organisation should be targeted, the fact is that just about every organisation is the potential victim of many ongoing attacks. The phishing scams resulting from the Anthem hack made many organisations potential targets, and this attack is in no way unique. However, these potential and actual attacks can be outstanding catalysts for making your awareness programmes incredibly effective. Don’t squander these ongoing, incredible opportunities.
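The response actions the article lists under "Specify how to react" (remove the other copies from the mail server, block the domain, tell everyone who received it what it looks like) all start from one user's report. The block below works that triage through as an added example that is not part of the original article; the mail log format, message ids, addresses and domains are constructed, and the field names are assumptions rather than any mail product's log schema:

```python
"""Turn one user's phishing report into actions for everyone else.

Added example, not code from the article. Starting from the message a user
reported (sender, subject, link), search a mail delivery log for every other
copy of the same campaign and produce the response plan the article
describes: quarantine the other copies, block the link domain, and tell the
affected people exactly what they received. Log lines and names are constructed.
"""
import re
from urllib.parse import urlparse

# Constructed delivery log: message id, sender, recipient, subject, first URL in body.
MAIL_LOG = """\
msgid=a1 from=payroll@hr-portal-update.example to=alice@corp.example subject="Payroll update required" url=http://hr-portal-update.example/login
msgid=a2 from=payroll@hr-portal-update.example to=bob@corp.example subject="Payroll update required" url=http://hr-portal-update.example/login
msgid=a3 from=newsletter@vendor.example to=carol@corp.example subject="April newsletter" url=https://vendor.example/news
msgid=a4 from=payroll@hr-portal-update.example to=dave@corp.example subject="Payroll update REQUIRED" url=http://hr-portal-update.example/login?u=dave
msgid=a5 from=it@corp.example to=erin@corp.example subject="Payroll update required" url=https://intranet.corp.example/payroll
"""

LINE_RE = re.compile(
    r'msgid=(?P<id>\S+) from=(?P<from>\S+) to=(?P<to>\S+) '
    r'subject="(?P<subject>[^"]*)" url=(?P<url>\S+)'
)


def parse_log(text):
    """One dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(line) for line in text.splitlines()) if m]


def campaign_matches(messages, reported):
    """Messages sharing the reported sender or the reported link's domain.

    Matching on the domain rather than the full URL catches per-recipient
    variants such as ?u=dave. The subject alone is deliberately not used: a
    legitimate internal mail may reuse the same wording (msgid a5 above).
    """
    bad_domain = urlparse(reported["url"]).hostname
    return [
        m for m in messages
        if m["from"] == reported["from"] or urlparse(m["url"]).hostname == bad_domain
    ]


def response_plan(messages, reported):
    """The three actions from the article, derived from the matches."""
    matches = campaign_matches(messages, reported)
    bad_domain = urlparse(reported["url"]).hostname
    return {
        # copies still sitting in other mailboxes, excluding the one already reported
        "quarantine_ids": sorted(m["id"] for m in matches if m["id"] != reported["id"]),
        "block_domain": bad_domain,
        # everyone who received a copy, including the reporter, gets the specific notice
        "notify": sorted({m["to"] for m in matches}),
        "notice": (f'Delete mail from {reported["from"]} with subject '
                   f'"{reported["subject"]}" and do not open links to {bad_domain}; '
                   f'report it to the security team if you already clicked.'),
    }


if __name__ == "__main__":
    messages = parse_log(MAIL_LOG)
    reported = messages[0]  # alice reports the first message
    for key, value in response_plan(messages, reported).items():
        print(f"{key}: {value}")
```

In the constructed log, alice's report leads to two more copies (bob's and dave's, the latter with a tracking parameter in the link) and leaves erin's genuine internal payroll mail alone, which is why the match is on sender and link domain rather than on subject text.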
opinion
IT gets cloud storage security all wrong Two recent reports confirm that your greatest security threat is your users, not outside hackers
A pair of research reports on cloud storage behaviours reiterates what has been an enduring and entirely unnecessary reality about data storage: the greatest threat to your store is not outside hackers, it’s your own staff.

The first comes from a survey conducted by Ipswitch File Transfer, a maker of secure file transfer and data monitoring software. It asked 555 IT professionals across the globe about their file sharing habits and found that while 76 percent of IT professionals say it is important to be able to securely transfer files, 61 percent use unsecured file-sharing clouds. It also found 32 percent of IT professionals don’t have a file transfer policy in place, 25 percent plan to establish one, and another 25 percent said their company has a file transfer policy, but the enforcement is inconsistent. Twenty-one percent reported they might have had a data breach in the past but they were not entirely sure, while 38 percent said their processes to identify and mitigate risks are inefficient.

Another survey by document management and digital imaging firm Crown Records Management and Censuswide, released on Clean Out Your Computer Day (February 8), found that 55 percent of IT decision makers in companies with more than 200 employees do not have a policy in place for email data retention, 58 percent do not audit their paper-based data regularly, 60 percent don’t practice regular reviews of files stored in the cloud or on-premises, and 64 percent do not filter what goes into the cloud.
Topping it all off, 76 percent don’t have a system helping them to differentiate between data which must and should not be retained. “What this points out is something that’s been around a long time, and cloud storage is just the latest place it shows up. People are running full out and often don’t take the time to do discovery and inventory to make sure things are more in order, adhering to the policies,” says Jean Bozman, vice president and principal analyst of Hurwitz & Associates. We live in the now so we’re just trying to do the best we can now, she added. “But having looked at disaster recovery and high availability, it’s very important to take that pause, whether it’s over a holiday weekend or whatever, and just document what you have.” Paul Castiglione, senior product marketing manager of Ipswitch, says a lot of cloud file sharing services are adding security features to cover for bad behaviour, which is increasingly necessary. “If we were all perfect individuals, there wouldn’t be errors. But stats also show that in companies with data loss, one-third of the incidents were due to human error, one-third to process and network errors and one-third to malicious activity. So two-thirds of data loss is stuff I can control inside my network. Sure, I want to train my employees so they don’t make dumb mistakes but also provide the technology to make it impossible for them to make a mistake,” Castiglione says. He adds that while training is a critical aspect of compliance, automation should be in place so they can’t do anything wrong in relation to file transfers and exchanges between on-premises and the cloud. Many customers he’s encountered don’t allow manual file transfer at all. “It may seem shocking but in the moving of secure data, it’s typically to support an established business process of some kind,” he said. “If I automate it, that will reduce human error, improve efficiencies, help employees with efficiency and not allow them to send a file to the wrong FTP server in Russia,” said Castiglione.
Failures of policy and attention
Richard Stiles, vice president of product development with cloud storage provider StoAmigo, faults the vendors for letting the lawyers dictate the policies. “In most cases, what ends up happening is an attorney will write the policy for the protection of the vendor or cloud vendor and the client suffers because these policies are written to protect the vendor. They list things like how they are not responsible for down time, not responsible for data loss, and so on,” he says. He also says most cloud storage companies take a hands-off approach when it comes to storage. “Let’s say I upload something to my cloud storage. That vendor that is selling me storage
doesn’t care what I’m putting in that server, all they care about is how much space I’m taking. There is no monitoring of the quality of the upload or download and no guarantee of checking for corruption between sender and receiver,” he says. And that especially goes for cleaning up your old data stores. Don’t expect your provider to do that for you, nor should you want it to. “I can’t imagine a client being OK with a third party poring through their digital content in the cloud for them. Anyone who cares enough to back it up on cloud storage will have some expectation of privacy for the content,” Stiles says. Cloud storage providers don’t get involved in data management, so once it gets to the storage repository, it sits. The host is not in the loop on the management of the data once it gets there because, quite frankly, the data is none of its business. So storage management, including deduplication and removal of old data, is your responsibility, not your provider’s. “It all starts with the company,” Stiles says. “They have to determine the value of the data. For some companies, the data is not that important, while for others, it’s their life blood. People who use Facebook don’t care about their digital content. But if you are an attorney or a photographer, managing content is your life blood. So it all starts with the client.”
Is automation the answer?
Castiglione advocates automation to reduce human error, and says that there must be specific features and functions. For starters, any automation services or software should ensure they have visibility to the file level, not just the folder level, and know who has accessed the files, down to the file level. Also, make sure the provider offers proper access control. That said, he says cloud storage providers have lots of room for improvement. “Most of the file share vendors came from a place of offering simple to use consumer collaboration tools, not from a place of protecting the file and access. So it’s a totally different mindset,” Castiglione says. Read your contract carefully. “My advice for anyone is read the terms and conditions. See what they will hold themselves responsible for and what your responsibility is for your data. That tells you what recourses you have,” he says. “Some cloud storage companies do a good job of educating their clients on what to do and how to do it. Others not so much. You’ll see free services with a lot of free storage but you get what you pay for. There may not be a lot of support on the back end,” Stiles adds. And Bozman says make the time to look over what you have. “Schedule some time to look, or if your people are running full out, hire some additional headcount to help with that kind of thing. If they are all supporting production it’s hard to stop and take a look. We run very lean and mean in IT today. The ratio of people to devices is very high,” she says.
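The automated transfer gate Castiglione argues for, as an added example written for this article rather than code from Ipswitch, StoAmigo or any other vendor quoted above. It shows the three controls the piece asks for: transfers are only possible to destinations pre-approved for a named business process and only over an encrypted transport (so a file cannot be pushed to the wrong FTP server by hand), a user needs an explicit role for the path being read, and every decision is logged per file rather than per folder so a later review can see who moved what, where. The hosts, roles, paths and process names are all constructed for the illustration.

```python
"""Added example, not code from Ipswitch or any vendor quoted in the article.

Sketches an automated transfer gate: a named business process may only push
files to pre-approved destinations over an encrypted transport, users need an
explicit role for the path they read, and every decision is recorded per file
(not per folder). All hosts, roles and paths below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Set, Tuple
from urllib.parse import urlparse

# Constructed policy: destinations are keyed by business process, so a file
# can never be sent somewhere the process was not set up for.
ALLOWED_DESTINATIONS = {
    "payroll-export": {"sftp://sftp.payroll.example.com"},
    "claims-archive": {"https://archive.example.net"},
}
# Plain FTP is refused regardless of host: credentials and data travel in clear.
ALLOWED_SCHEMES = {"sftp", "https", "ftps"}

# Constructed access rules: roles permitted to read each path prefix.
PATH_ACCESS = {
    "/finance/": {"finance", "auditor"},
    "/claims/": {"claims", "auditor"},
}


@dataclass
class AuditEvent:
    when: str
    user: str
    path: str
    destination: str
    decision: str
    reason: str


@dataclass
class TransferGate:
    audit_log: List[AuditEvent] = field(default_factory=list)

    @staticmethod
    def _authorised(user_roles: Set[str], path: str) -> bool:
        # First matching prefix decides; paths outside every rule are denied.
        for prefix, roles in PATH_ACCESS.items():
            if path.startswith(prefix):
                return bool(roles & user_roles)
        return False

    def request(self, user: str, user_roles: Set[str], process: str,
                path: str, destination: str) -> Tuple[bool, str]:
        """Decide one transfer and append a per-file audit record."""
        parsed = urlparse(destination)
        origin = f"{parsed.scheme}://{parsed.hostname}"
        decision, reason = "allow", "ok"
        if parsed.scheme not in ALLOWED_SCHEMES:
            decision, reason = "deny", f"{parsed.scheme!r} is not an encrypted transport"
        elif origin not in ALLOWED_DESTINATIONS.get(process, set()):
            decision, reason = "deny", f"{origin} is not an approved destination for {process}"
        elif not self._authorised(user_roles, path):
            decision, reason = "deny", f"{user} has no role permitting access to {path}"
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user, path, origin, decision, reason))
        return decision == "allow", reason

    def accessed_by(self, user: str) -> List[str]:
        """File-level visibility: which files did this user actually send?"""
        return [e.path for e in self.audit_log
                if e.user == user and e.decision == "allow"]


if __name__ == "__main__":
    gate = TransferGate()
    print(gate.request("alice", {"finance"}, "payroll-export",
                       "/finance/march.csv", "sftp://sftp.payroll.example.com/inbox"))
    print(gate.request("alice", {"finance"}, "payroll-export",
                       "/finance/march.csv", "ftp://198.51.100.7/inbox"))
    for event in gate.audit_log:
        print(event)
```

The order of checks matters: transport and destination are refused before the user's authorisation is consulted, so an audit entry for a denied transfer says why without revealing whether the user would otherwise have had access. Denied attempts are logged alongside allowed ones, which is what gives the "who touched which file" view the article says folder-level logging cannot.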
products
Brand: Pivot3 Product: Edge Protect
What it does: Pivot3’s Edge Protect is a hyperconverged SAN storage solution for mid-sized and remotely distributed surveillance applications. Edge Protect delivers enterprise-class IT capabilities on off-the-shelf x86 server hardware, enabling users to realize the benefits of highly efficient shared storage and built-in failover without the complexity or cost typically associated with infrastructure based on separate servers and SAN storage. What you should know: Edge Protect provides high-performance storage and server infrastructure for up to 200 video surveillance cameras, at a price point competitive with direct attached storage (DAS) typically deployed in mid-sized NVR applications. Ideal for small, medium and distributed environments in the retail, financial, educational and healthcare markets, Edge Protect’s unique architecture ensures all storage is accessible by all cameras regardless of physical location. With built-in server failover, video management and recording functionality is protected during any hardware failures, a highly sought after feature typically only found in large, complex enterprise surveillance implementations.
Brand: HID Global Product: FARGO DTC5500LMX
What it does: HID Global’s latest Direct-to-Card (DTC) FARGO DTC5500LMX ID Card Printer/Encoder is designed to meet the high-volume card issuance demands of large government agencies, universities, healthcare facilities and other large enterprises. The company also announced its new FARGO HDP5600 ID Card Printer/Encoder that builds upon its award-winning high definition printing (HDP) solutions for retail stores, recreation facilities, governments and other organizations focused on brand image and/or visual security. What you should know: The new FARGO HDP5600 ID Card Printer/Encoder, says the company, delivers the highest quality for image and text printing available in the market. With its new 600 dpi printing capabilities, the HDP5600 doubles the resolution of its HDP5000 predecessor for crisply defined barcodes and accurately reproduces small text including complex characters, such as Kanji, Arabic and Cyrillic.
Brand: Sophos Product: Sophos Sandstorm
What it does: Sophos Email Appliance now includes Sophos Sandstorm, an advanced, next-generation sandboxing technology that quickly and accurately detects, blocks and responds to sophisticated, constantly-changing cyber threats. Sophos Sandstorm uses powerful cloud-based technology to isolate and address these types of threats before they enter a business network. Information technology managers are provided with detailed reports of threat behavior and analysis for further investigation and action, if required. What you should know: Sophos Sandstorm determines potential threat behavior across multiple operating systems, including: Windows, Mac and Android; physical and virtual hosts; networks; web mail; Word and PDF documents; more than 20 file types; mobile applications and more. Sophos Sandstorm is available as a subscription option in Sophos Email Appliance 4.0. Sophos Sandstorm is also available as an option for the Sophos Web Appliance, an advanced web protection solution that scans web content and blocks the latest web threats. Customers will also have the option of adding Sophos Sandstorm to Sophos UTM 9.4, a comprehensive firewall solution, which is currently in beta.
blog
Where Is Identity Management heading? V. Balasubramanian, Marketing Manager, ManageEngine
Five years ago, Mozilla launched its new identity management system, Persona (originally called BrowserID). At the time, a sense of optimism was in the air. Everyone thought that the new technology would ease the strain of remembering numerous passwords to gain access to various websites. The alternative — outsourcing unified identity management to social media giants including Twitter, Facebook and Google — raised data privacy and reliability concerns. So everyone hoped that Persona would emerge as a strong unified authentication system and a credible alternative. Fast forward to 2016. Though Persona has progressed well on the technology front, the aforementioned concerns remain, and Persona has failed to gain popularity. Mozilla has now announced that it will be shutting down Persona by the end of this November “due to low, declining usage.” Despite its imminent closure, Persona managed to advance the field of identity management. It introduced the verified email protocol, which enables users to use one email address to log in to any website that supports the protocol — much like logging in to websites with a Facebook account, for example. That means end users do not have to create site-specific passwords. Instead, they can log in to multiple websites using a single email address. End users enjoy the twin benefits of not having to remember multiple passwords and not passing along information about their browsing pattern to social media giants. Persona’s pending shutdown reiterates a few important facts and indicates the direction in which the identity management market is moving:
• Password-based authentication is still the dominant mode, and passwords are here to stay. Life with fewer passwords is still a distant dream.
• Unified authentication systems are clearly needed, but they cannot stand alone. In most cases, end users cannot avoid creating site-specific passwords. At best, unified authentication systems could co-exist with traditional, site-specific, password-based authentication.
• Data privacy concerns loom large and stand in the way of large-scale adoption of identity management through social media.
Identity management analysts and industry luminaries have long been predicting the disappearance of passwords. Unified authentication technologies including Persona and password alternatives such as biometric authentication, iris authentication, facial authentication and even authentication through watches, jewelry and electronic tattoos are all steps in this direction. Interestingly, none of the alternative approaches have been viable so far, for various reasons. Passwords are easy to create and are absolutely free. The alternatives, on the other hand, are typically expensive, difficult to integrate with existing environments, difficult to use and require additional hardware components. So, where is identity management heading? The future of identity management will most likely be a combination of password management and unified authentication. However, it seems that password-based authentication will continue to be the most prominent mode, and users will have to create and manage passwords. Wherever possible, unified authentication systems will be leveraged. Federated identity management solutions, which help subscribers use the same identity to access multiple Web applications, will complement password management. Privileged account management solutions that support federated identity management, along with traditional password management, will prove to be highly beneficial. Persona will soon be gone. The news has rekindled debates on the death of passwords, the emergence of alternatives, and the future direction of identity and access management. Plans to launch projects similar to Persona are also being discussed in various forums. But the future direction of identity management appears certain: a sound blend of password management and unified authentication. The two will complement each other — one cannot outweigh the other or stand alone.