Issue 7 | July 2016 www.securityadvisorme.com
DEVICE ADVICE
HOW TO PROTECT YOUR MOBILE WORKFORCE
Privacy and authentication in IoT
Guide to SIEM
Importance of cyber hygiene
Strategic Innovation Partner
STRATEGIC PARTNER
CONTENTS
Device advice: How to protect your mobile workforce.
The means and motivation: An exclusive interview with FireEye Founder, Vice Chairman and CTO Ashar Aziz on his vision for the impact of a ‘cyber-geddon.’
Privacy and authentication in IoT: Gemalto’s Manfred Kube shares insights on how secure authentication can be a good foundation for the Internet of Things.
Putting the eye in IoT: Axis Communications CTO Johan Paulsson shares insights on the potential of IoT-enabled cameras in enabling organisations to make smart decisions.
Performing risk assessment: IT risk assessment involves progressive steps that ensure a proper evaluation of IT risks and their impact on your organisation.
Securing networked ecosystems: Network monitoring is essential and service providers need to be able to view their network in real time.
The importance of cyber hygiene: Qualys Middle East’s Hadi Jaafarawi discusses what everyone should be doing to ensure proper cyber hygiene practices.
Pillars of next-gen endpoint protection: These core functions can detect the most advanced attack methods at every stage of their lifecycle.
Securing the cloud: Orange Business Services Security Solutions expert Tan-Hoang Nguyen shares different best practices in cloud security.
MASTHEAD
Founder, CPI Media Group: Dominic De Sousa (1959-2015)
Publishing Director: Rajashree Rammohan, raj.ram@cpimediagroup.com, +971 4 440 9139
Editorial: Group Editor Jeevan Thankappan, jeevan.thankappan@cpimediagroup.com, +971 4 440 9129; Editor James Dartnell, james.dartnell@cpimediagroup.com, +971 4 440 9114; Online Editor Adelle Geronimo, adelle.geronimo@cpimediagroup.com, +971 4 440 9135
Advertising: Group Sales Director Kausar Syed, kausar.syed@cpimediagroup.com, +971 4 440 9130; Sales Manager Merle Carrasco, merle.carrasco@cpimediagroup.com, +971 4 440 9147
Circulation: Circulation Manager Rajeesh M, rajeesh.nair@cpimediagroup.com, +971 4 440 9119
Production and Design: Production Manager James P Tharian, james.tharian@cpimediagroup.com, +971 4 440 9159; Senior Designer Analou Balbero, analou.balbero@cpimediagroup.com, +971 4 440 9148; Designer Neha Kalvani, neha.kalvani@cpimediagroup.com, +971 4 440 9156
Digital Services: Web Developer Jefferson de Joya, Abbas Madh; Photographer Charls Thomas; webmaster@cpimediagroup.com, +971 4 440 9100
Published by CPI Media Group. Registered at IMPZ, PO Box 13700, Dubai, UAE. Tel: +971 4 440 9100, Fax: +971 4 447 2409. Printed by Al Ghurair Printing & Publishing.
© Copyright 2016 CPI. All rights reserved. While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.
news
Intel considers sale of cybersecurity business Intel is considering selling its security business as the company tries to focus on delivering chips for cloud computing and connected devices, according to recent reports. The Intel Security business came largely from the company’s acquisition for $7.7 billion of security software company McAfee. Intel announced plans to integrate some of the security technology into its chips to ensure higher security for its customers. With the surge in cyber threats, providing protection to the variety of Internet-connected devices, such as PCs, mobile devices, medical gear and cars, requires a fundamentally new approach involving software, hardware and services, the company said in February 2011, when announcing the completion of the McAfee acquisition. Intel has been talking to bankers about the future of its cybersecurity business for a deal that would be one of the largest in the sector, according to reports, citing people close to the discussions. It said a group of private equity firms may join together to buy the security business if it is sold at the same price or higher than what Intel paid for it. “Intel has a decent security play right now and security is paramount to the future of IoT,” Moorhead said. “Hardware-based security is vital to the future of computing.” Intel is declining to comment on the report, a company spokeswoman wrote in an email. The company rebranded its McAfee business as Intel Security in 2014.
BT, Fortinet announce global partnership
BT and Fortinet have recently announced an agreement that will integrate Fortinet’s FortiGate enterprise firewalls into BT’s global portfolio of managed security services. Under the agreement, BT customers will benefit from the protection provided by Fortinet’s Security Fabric architecture and BT’s global reach and expertise in managed security services. Mark Hughes, CEO, BT Security, said, “We are committed to supporting our customers with solutions that can help them stay secure and support their journeys into the digital world. Together with Fortinet, we provide them with security solutions to protect themselves against today’s evolving threat landscape without additional complexity or slowing down their networks.” Integrated into BT’s managed security services, Fortinet FortiGate enterprise firewalls will provide next-generation firewall, application control, intrusion prevention, web content filtering, Virtual Private Networking (VPN), spyware prevention and malware defence. Ken Xie, Founder, Chairman of the Board and CEO, Fortinet, said, “BT’s global reach combined with our intelligent and adaptive Security Fabric are a powerful combination, which underlines our success together in the fast-growing worldwide managed security services market. We are excited to expand our already strong relationship to provide the security technologies customers need to protect and grow their businesses.”
Mark Hughes, BT Security and Ken Xie, Fortinet
Infoblox releases DNS Threat Index for Q1 2016
Rod Rasmussen, Infoblox
Infoblox has recently released the Infoblox DNS Threat Index for the first quarter of 2016, which highlighted a 35-fold increase in newly observed ransomware domains from the fourth quarter of 2015. According to the network control company, the dramatic uptick helped propel the overall threat index, which measures creation of malicious Domain Name System (DNS) infrastructure including malware, exploit kits, phishing, and other threats, to its highest level ever.
Rod Rasmussen, Vice President, Cybersecurity, Infoblox, said, “There has been a seismic shift in the ransomware threat, expanding from a few actors pulling off limited, small-dollar heists targeting consumers to industrial-scale, big-money attacks on all sizes and manner of organisations, including major enterprises. The threat index shows cybercriminals rushing to take advantage of this opportunity.” The United States continues to be the top host for newly created or exploited malicious domains, accounting for 41 percent of the observations, a significant drop from last quarter’s 72 percent lion’s share. Five other countries and regions saw major increases in activity: Portugal with 17 percent; Russian Federation with 12 percent; Netherlands with 10 percent; United Kingdom with eight percent; and Iceland with six percent.
McAfee Labs Report reveals mobile app collusion threats
Intel Security has released its McAfee Labs Threats Report: June 2016, which highlights the dynamics of mobile app collusion, where cybercriminals manipulate two or more apps to orchestrate attacks capable of exfiltrating user data, inspecting files, sending fake SMS messages and so on. McAfee Labs has observed such behaviour across more than 5,000 versions of 21 different apps. McAfee Labs has identified three types of threats that can result from mobile app collusion: information theft, where an app with access to sensitive or confidential information willingly or unwillingly collaborates with one or more other apps to send information outside the boundaries of the device; financial theft, where an app sends information to another app that can execute financial transactions or make financial API calls to achieve similar objectives; and service misuse, where one app controls a system service and receives information or commands from one or more other apps to orchestrate a variety of malicious activities. “Improved detection drives greater efforts at deception,” said Raj Samani, VP and CTO, EMEA, Intel Security. “It should not come as a surprise that adversaries have responded to mobile security efforts with new threats that attempt to hide in plain sight. Our goal is to make it increasingly harder for malicious apps to gain a foothold on our personal devices, developing smarter tools and techniques to detect colluding mobile apps.”
Raj Samani, Intel Security
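The three collusion patterns the report names (information theft, financial theft, service misuse) only show up when you look at app pairs and the channel between them rather than at one app's permissions alone. The following is an added example, not code from the report or from Intel Security: a small inventory check over constructed app manifests that flags pairs where a data-holding app can reach a sink app over a shared user ID or an exported component. The permission groupings and the manifest fields are assumptions made for this example.

```python
from itertools import permutations

# Permission groups used to classify what each app can do (constructed grouping
# for this example; the report itself does not define these sets).
SENSITIVE = {"READ_CONTACTS", "READ_SMS", "READ_CALL_LOG", "ACCESS_FINE_LOCATION"}
EXFIL = {"INTERNET"}
FINANCIAL = {"SEND_SMS", "NFC"}  # premium-SMS and payment paths

# Constructed sample inventory, as an MDM or app-vetting pipeline might record it.
SAMPLE_APPS = [
    {"package": "com.example.notes", "permissions": {"READ_CONTACTS", "READ_SMS"},
     "shared_user_id": "com.example.suite", "sends_intents_to": set(),
     "exports_receiver": False, "controls_system_service": False},
    {"package": "com.example.sync", "permissions": {"INTERNET"},
     "shared_user_id": "com.example.suite", "sends_intents_to": set(),
     "exports_receiver": False, "controls_system_service": False},
    {"package": "com.example.game", "permissions": {"ACCESS_FINE_LOCATION"},
     "shared_user_id": None, "sends_intents_to": {"com.example.pay", "com.example.admin"},
     "exports_receiver": False, "controls_system_service": False},
    {"package": "com.example.pay", "permissions": {"SEND_SMS", "NFC"},
     "shared_user_id": None, "sends_intents_to": set(),
     "exports_receiver": True, "controls_system_service": False},
    {"package": "com.example.admin", "permissions": set(),
     "shared_user_id": None, "sends_intents_to": set(),
     "exports_receiver": True, "controls_system_service": True},
    {"package": "com.example.weather", "permissions": {"INTERNET"},
     "shared_user_id": None, "sends_intents_to": set(),
     "exports_receiver": False, "controls_system_service": False},
]


def channel_between(src, dst):
    """Return the inter-app channel src could use to reach dst, or None."""
    if src["shared_user_id"] and src["shared_user_id"] == dst["shared_user_id"]:
        return "sharedUserId"          # same Linux UID: files and memory are shared
    if dst["package"] in src["sends_intents_to"] and dst["exports_receiver"]:
        return "exported component"    # explicit intent to a component dst exposes
    return None


def find_collusion_pairs(apps):
    """Flag app pairs whose combined capabilities match one of the three
    collusion threat types described in the report."""
    findings = []
    for src, dst in permutations(apps, 2):
        channel = channel_between(src, dst)
        if channel is None:
            continue
        if src["permissions"] & SENSITIVE and dst["permissions"] & EXFIL:
            findings.append(("information theft", src["package"], dst["package"], channel))
        if src["permissions"] & SENSITIVE and dst["permissions"] & FINANCIAL:
            findings.append(("financial theft", src["package"], dst["package"], channel))
        if dst["controls_system_service"]:
            findings.append(("service misuse", src["package"], dst["package"], channel))
    return findings


if __name__ == "__main__":
    for kind, src, dst, channel in find_collusion_pairs(SAMPLE_APPS):
        print(f"{kind:18} {src} -> {dst} via {channel}")
```

On the constructed inventory the check reports three pairs; the weather app, which holds INTERNET alone and has no channel to any other app, is correctly not flagged.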
Dell announces new SonicWALL ATP service
Dell has launched SonicWALL Capture Advanced Threat Protection Service, which according to the company enhances organisations’ ability to safeguard against today’s shape-shifting cyber threats. Dell Security is incorporating the VMRay third-generation Analyzer threat detection analysis engine with the Lastline Breach Detection platform and the Dell SonicWALL Sonic Sandbox threat analysis engine, to deliver the three-layer level of defence that organisations need to safeguard against today’s unknown threats. According to the company, this new cloud offering reinforces its commitment to delivering comprehensive protection against the meteoric growth of zero-day attacks targeting businesses today, as identified in the Dell Security 2015 Threat Report. Curtis Hutcheson, general manager, Dell Security, said, “With the new Dell SonicWALL Capture service, Dell Security is offering the most effective advanced persistent threat (APT) prevention solution in the market, and this service is a significant proof point in our strategy to integrate best-of-breed partners into our Connected Security platform. It gives our customers and partners access to the latest leading detection technologies, integrated with Dell SonicWALL next-generation firewalls to provide more comprehensive and proactive security solutions.”
$11.5B: expected IT spending by governments in the Middle East and North Africa region on IT products and services in 2016. Source: Gartner
Facebook founder’s social media accounts hacked Last month, Facebook founder Mark Zuckerberg was victimised by a hacking incident, where attackers managed to breach his social media accounts including Twitter and Pinterest. Someone posted to Zuckerberg’s Twitter feed on 6th June, claiming to have found his password in account information leaked from LinkedIn. A group calling itself the OurMine Team took credit for breaking into Zuckerberg’s Twitter, Pinterest and Instagram accounts. “You were in LinkedIn Database with password ‘dadada’,” read a message supposedly posted by hackers from Zuckerberg’s @finkd Twitter account. It’s worth noting that Zuckerberg or his representatives rarely use this account, the last tweet dating from January 2012 and the previous one from March 2009. It has been reported that social media accounts of other celebrities including founding Rolling Stones member Keith Richards, American comedy rock duo Tenacious D and late TV personality Ryan Dunn were also compromised. Various reports assumed that the breaches were related to the recently leaked database of LinkedIn accounts that was stolen in 2012.
feature
Device advice Mobile is the new endpoint in IT. Here is how to protect mobile devices and data.
Getting the job done using mobile devices as you move around has brought many benefits and improved productivity to organisations in the Middle East. At the same time, however, it has also exposed these organisations to a wide range of exposures and risks. Every year, millions of mobile devices are lost, stolen or discarded with personal information still in device memory. Loss of a mobile device that holds personal identity and network access credentials puts an organisation at risk of unauthorised network access and data breach.
The results from the Cisco Connected World-International Mobile Security survey show that while most employees are aware of the risks that mobility presents to enterprise security, most still report engaging in risky behaviour when using their mobile devices. In fact, 26 percent of respondents from the total survey sample said they take more risks with company-issued devices than their personal devices. The reason, according to those who reported being bolder with online behaviour when using a company-issued device, is the belief that IT will provide support if something goes wrong. This attitude likely includes the belief that current threat defence software will help to provide protection.
“As employees demand more freedom and flexibility with regard to mobile device use at work and consumer devices provide an increasingly cost-effective and attractive way to keep employees engaged and productive, IT must remain vigilant about ensuring an appropriate experience and protecting the network and corporate intellectual property,” says Scott Manson, Cyber Security Leader, Cisco.
To develop an effective mobile security strategy, it is essential to understand an organisation’s mobile security risk profile and the new types of threats. “Mobile devices continue to emerge as a new threat vector. It’s been 10 years since the arrival of the first mobile malware in 2004, but it is only within the past few years that it has become a true threat to end users. Indeed, the rapid growth in smartphone and tablet usage over the past two years has led to the inevitable rise in targeting of these devices by cybercriminals. In just the first six months of 2015, Sophos Labs discovered 610,389 new Android malware samples, bringing the total to approximately 1.9 million,” says Harish Chib, VP, Middle East and Africa, Sophos.
Bilal Baig, System Engineering Manager, Trend Micro, says cybercriminals globally have ramped up their attacks on mobile devices, and ransomware is one of the main threats. “We did see a similar trend a few years back, but that was basic and simple; today the attacks on mobile devices have really intensified, given their widespread use in homes, government and the corporate environment. There is also a rise in compromised/malware applications, which are showing up in trusted vendor app stores. We are definitely seeing a very large increase in malicious and high-risk mobile apps, mainly within the Android ecosystem,” he says.
Mathivanan Venkatachalam, Director, Product Management, ManageEngine, agrees that infiltration through apps is one of the key threats that we need to consider this year. Loosely built or vulnerable apps sometimes behave as backdoors for attackers, who can enter devices or even the network and take control. As most apps store some amount of the device owner’s personal or official information, this gives attackers access to enterprise data, leading to the infamous “man in the middle” enterprise attacks.
To fully determine an organisation’s mobile security posture, a comprehensive security assessment against the organisation’s specific business environment is needed. The fundamental questions include:
• What are the corporate mobile data assets that require protection?
• What, how and where are the corporate data systems accessed by mobile employees?
• How are mobile devices being used, protected and managed?
• Do employees know the procedures for responding to an incident?
“Firstly, educate users on mobile security risks and ask them to exercise caution and ensure responsible mobile usage. A lot of users are often found missing out on even the most basic tips, like using stronger passwords. Secondly, users should be careful while accessing corporate data from free over-the-air networks like the ones you get at an airport or in a coffee shop. This runs the risk of exposing company data to malicious users sniffing the wireless traffic on the same access point. It is advisable to enforce acceptable mobile usage policies, such as providing VPN technology, which requires that users connect through these secure tunnels,” says Chib from Sophos.
Manson from Cisco says enterprises need comprehensive visibility over their entire mobile data ecosystem – the device, the app, the network, etc. – and not just a device-level solution. “Data on the device is only half of the mobile security challenge – data migration to the cloud being the other half. Enterprises need a mobile security platform that not only protects data everywhere, but also empowers users with the apps and devices that they want to use. With a comprehensive solution organisations will have the necessary visibility, control and threat intelligence to deliver on a comprehensive mobile security strategy,” he adds.
Besides enforcing the baseline security configuration for all devices, industry experts say companies should extend encryption and authentication to mobile devices as well. “Organisations must have a way to enforce sound security policies, like strong passwords, authentication procedures and lockouts. When a device is forced to lock out, the data must be encrypted. The data on mobile devices is unencrypted (and absolutely unprotected) when the device is successfully authenticated,” says Amit Parbhucharan, General Manager, Beachhead Solutions.
Sophos also promotes the idea of extending encryption to mobile devices, to enable a more holistic mobile security strategy. “The task of enterprise mobile security really boils down to three basic needs. Firstly, it’s about protecting the user and device; secondly, it’s about protecting access to the enterprise network; and finally, defending enterprise data,” says Chib.
Ghareeb Saad, Senior Security Researcher, Kaspersky Lab, says Mobile Device Management (MDM) should also be the cornerstone of a mobile security strategy, supported by employee education. “To reduce the complexities that arise from BYOD, Mobile Device Management (MDM) needs to be one of the pillars of a mobile security strategy implemented by organisations. By enabling MDM functions, it is easier to deploy unified mobile security policies, gain more visibility through a single management console and ensure the security of an organisation isn’t compromised,” he says.
Dimitris Raekos, General Manager, ESET Middle East, agrees: “MDM provides deploying, securing, monitoring and managing of mobile devices, from smartphones and tablets to laptops used in the workplace. While simultaneously protecting the corporate network, MDM also optimises the functionality and security of mobile devices within the enterprise, and controls and protects the data and configuration settings for all mobile devices in a network. It also helps ensure that costs and business security risks are lowered.”
With the rise of unsecured applications across mobile devices, MDM is very important in managing the apps that are on each device. Through MDM, you can also block and remove rogue apps on devices to reduce the risk of dangerous mobile malware.
Marc Hanne, Director of Sales, Identity Assurance, HID Global, adds that security administrators and IT directors will need to review which technologies allow them to best engage with their employees to create an optimal access experience, while ensuring security is maintained. IT managers looking for a solution to these security risks need to examine the prospect of implementing a strong two- or multi-factor authentication solution for mobile access to networks and data. “These techniques significantly reduce the risk of data breaches, while also giving employees complete flexibility to be as productive as possible, by utilising additional factors to establish a user’s identity,” he says.
Increased mobility may have led to some incredible advances for businesses, but if you don’t take proper steps and put risk control processes in place, it could lead to catastrophic security issues. It is also important to remember that it doesn’t end with the organisation. The business and employees both need to do their part to ensure best practices are followed and education is provided to spread awareness.
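The controls the article collects (strong passcodes, lockout with encryption at rest, removal of rogue apps through MDM, VPN on untrusted networks, and multi-factor authentication before access) can be expressed as one posture check that an MDM or access gateway evaluates per device. The following is an added example written for this page, not code from any vendor quoted above; the device records, the policy values and the field names are constructed assumptions.

```python
# Constructed device-posture records, shaped like what an MDM agent reports (not real data).
SAMPLE_DEVICES = [
    {"id": "D-001", "encrypted": True, "passcode_len": 8, "lock_after_failures": 10,
     "apps": {"com.corp.mail", "com.corp.vpn"}, "network": "corp-wifi", "vpn_active": False},
    {"id": "D-002", "encrypted": False, "passcode_len": 4, "lock_after_failures": 0,
     "apps": {"com.corp.mail", "com.freegames.flashlight"},
     "network": "airport-free-wifi", "vpn_active": False},
    {"id": "D-003", "encrypted": True, "passcode_len": 10, "lock_after_failures": 6,
     "apps": {"com.corp.mail"}, "network": "coffee-shop-wifi", "vpn_active": True},
]

# Assumed baseline policy; values are illustrative, not from the article.
POLICY = {
    "require_encryption": True,           # data must be encrypted once the device locks
    "min_passcode_len": 8,                # "strong passwords"
    "max_failed_attempts": 10,            # lockout must be on and no looser than this
    "rogue_apps": {"com.freegames.flashlight"},  # apps MDM should block or remove
    "trusted_networks": {"corp-wifi"},
    "require_vpn_off_trusted": True,      # airport / coffee-shop Wi-Fi only through VPN
}


def evaluate_device(device, policy):
    """Return the list of policy violations for one device (empty = compliant)."""
    violations = []
    if policy["require_encryption"] and not device["encrypted"]:
        violations.append("storage not encrypted")
    if device["passcode_len"] < policy["min_passcode_len"]:
        violations.append("passcode shorter than %d" % policy["min_passcode_len"])
    lock = device["lock_after_failures"]
    if lock == 0 or lock > policy["max_failed_attempts"]:
        violations.append("lockout disabled or too lenient")
    rogue = device["apps"] & policy["rogue_apps"]
    if rogue:
        violations.append("rogue apps installed: " + ", ".join(sorted(rogue)))
    on_untrusted = device["network"] not in policy["trusted_networks"]
    if policy["require_vpn_off_trusted"] and on_untrusted and not device["vpn_active"]:
        violations.append("untrusted network without VPN")
    return violations


def access_decision(device, policy, mfa_verified):
    """Gate corporate access: non-compliant devices are denied, compliant ones
    still need a second factor before they are allowed in."""
    violations = evaluate_device(device, policy)
    if violations:
        return "deny", violations
    if not mfa_verified:
        return "mfa_required", []
    return "allow", []


if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        decision, why = access_decision(dev, POLICY, mfa_verified=False)
        print(dev["id"], decision, "; ".join(why))
```
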
INTERVIEW
The means and motivation FireEye Founder, Vice Chairman and CTO Ashar Aziz discusses the company’s transition to an as-a-service model – and his vision for the impact of a “cyber-geddon” – with Security Advisor Middle East.
What are your thoughts on the recent drastic – 19 percent – drop in the company’s stock price?
We don’t react to drops in stock price. There are factors which you can never fully control, so as executives of a business, our focus always has to be on the business itself. How do we grow the business, what’s the right strategy and how do we execute that strategy? We’re investing in our go-to-market strategy around our product portfolio, and are making good strides. If there’s anything we need to do more of, it’s explain that our model is becoming subscription-oriented versus up-front product-oriented.
Tell me about your new FireEye-as-a-Service platform. Introducing it must be a transitional phase for you.
There are a lot of attractive features to FireEye-as-a-Service. One is that it comes with a team of security professionals that have the insight and training to react appropriately with contextual knowledge. It’s not just a case of the product; you also have to recruit, train and retain a whole team to understand sophisticated cyberattacks and to make sure that the kill chain analysis and the remediation and follow-up is done exactly right. We take care of all that. FaaS is unique in that respect, in that it’s our technology as well as our people, utilising our own intelligence and providing that as a 24/7 service. Increasingly, customers are choosing to consume SaaS-based form factors, which explains why we are investing in FaaS. We are transitioning our product portfolio and our business model as a result of that reality.
Based on your discussions with customers in this part of the world, do you think FaaS will be fit for smaller organisations?
Absolutely. We’re providing skilled personnel, who are difficult to recruit and retain, and that’s especially the case for SMEs. Even for larger organisations, it’s hard to find skilled professionals.
In 2011, you said that “cyber-geddon” was a possibility, but couldn’t define what that was. Do you have a clearer idea of what it is now?
I’ve always had an inkling of what it meant, but I don’t know when it will happen. It’s a very sophisticated and coordinated cyber-attack concurrently launched on multiple critical infrastructures. We’ve seen concurrent attacks in the physical space, but we have yet to see them in a destructive nature in cyberspace. The question is: why haven’t we? The reason has to do with the ability and skillset to inflict such a sophisticated and coordinated attack. This is in the hands of nation states. They have the means, but not the motivation. Those that have the motivation today don’t have the means. However, the clock is ticking down on the latter. When that happens, I believe cyber-geddon will occur. Think about terrorist groups. They don’t think twice about bringing down towers or killing random people. If they had a weapon that could affect millions of lives at the same time, would they hesitate to use it?
Why is Kevin Mandia ideal to take the company forward as CEO?
Kevin is one of the world’s leading security executives, and understands the services, product and technology spaces very well, and so it‘s the right time and decision from the board to nominate him. It’s not as if this was done suddenly; this is a process that has been in the planning phase for over a year.
Is cybersecurity now more important than it ever has been?
It’s a very important part of being a business, whether you’re an IT business or one with many touchpoints in cyberspace. The increase in these touchpoints means our legacy architectures need extra care. The risks have become very apparent over the last few years. It’s always difficult to make predictions, but I think the trends over the last five to seven years have shown the importance of having a robust security plan in place.
How do you think the US and the world in general perceives the Middle East as a cyber-threat?
While the Middle East is a cybersecurity venue, it’s also a region of conflict, and any hot zone in the world, including the Middle East, will manifest in cyberspace, and is an extension of human society. Any conflict that exists in human society will exist in cyberspace. Conflicts, whether they are economic competition or military escalation, manage themselves as cyber espionage or cyber warfare. The Middle East has a lot of non-state hacker groups pretending to be state hacker groups; you have state hacker groups who are at odds with each other, who have reason to strike each other. As long as these hostilities stay or increase – and everything we’ve seen points to them increasing, unfortunately – we should expect to see lots of spillover into the cyber domain.
On the other side of the coin, is the Middle East a target for cybercriminals?
It’s not weaker than any other part of the world, because organisations have vulnerabilities everywhere. It’s just that there are a lot of high-stakes organisations here. Critical commodities emanate from this part of the world, so the motivation for destruction or commoditisation of these events will always be high on an attacker’s list, so it is vulnerable across a number of different dimensions. Commodities, energy and banking infrastructures are all targets. The most troubled parts of the Middle East bank in Dubai, and governments themselves who are coordinating are at risk.
Would you say it’s more vulnerable to financial crime or hacktivism?
It’s vulnerable to both. If I had to pick, I’d say financial crime.
Which type of threat has the potential to cause the most harm now and in the coming years?
Attacks on critical infrastructure. A large, energy-producing company in Saudi Arabia was targeted and taken down, and that was just on their IT infrastructure; it didn’t spill over into their refinery controls. That would’ve been an escalation, and I think that kind of escalation could happen. Why would hackers confine themselves to refineries and production, when they could go after electrical grids, water supplies or natural gas infrastructure? Those would all be fairly destructive. You could also bring down the stock exchange or a major bank. These are all critical vulnerabilities in any nation’s architecture.
Are top figures in organisations responsible for cybersecurity?
They’re aware of it, but I wouldn’t say they’re responsible for it. It should be directed at appropriate people to take action for it.
Will new acquisitions play a big part of your strategy in the coming year?
We have a two-pronged strategy in order to have the world’s best product and services portfolio. One is organic development, of which we have a substantial amount across the organisation, including our cloud-based components. We’ve inorganically acquired certain assets, including the Mandiant capability around incident response. We will continue on the organic development front, and as and when M&A opportunities arise we will be keen to pursue them. We’re now rapidly gaining share in network forensics as a result of our hugely successful nPulse acquisition. Our acquisition strategy has shown itself to be pretty sound.
DDoS: A Clear and Present Danger
More complex attacks are lurking just under the surface (infographic; source: A10 Thunder TPS)
DDoS attacks are rampant. On average a DDoS attack results in 17 hours of effective downtime, and a typical company is hit with 15 attacks per year.
Bad guys are targeting everyone, but certain industries more frequently. Multi-vector DDoS targets by industry, as shown in the chart: online entertainment and gambling; advertising, media and web content; traditional and online retail; all other (the shares shown are 33%, 28%, 22% and 17%).
High bandwidth attacks are the rule, not the exception: 73% of multi-vector DDoS attacks had an average peak bandwidth of more than 30 Gbps, and 60% of organisations reported at least one DDoS attack reaching 40 Gbps or more. Peak bandwidth of attacks:
0-10 Gbps: 1%
10-20 Gbps: 12%
20-30 Gbps: 14%
30-40 Gbps: 40%
40-50 Gbps: 23%
More than 50 Gbps: 10%
DDoS investment vs the cost of “effective downtime”: Just because you don’t experience crashes doesn’t mean your customers are not experiencing “effective downtime” in annoying delays and time-outs. The average “effective downtime” lasts 17 hours. What you don’t know could be hurting you. Impact factors shown in the chart: amount of time that order processing is offline; time to service restoration; customer satisfaction; lack of flexibility to adapt to future threats (the figures shown are 76%, 78%, 66% and 62%).
Hybrid provides the most control and cost efficiency. The IT security team, Chief Security Officer and CIO play key leadership roles. Deployment models shown in the chart: outsourced to an MSSP anti-DDoS provider; hybrid (on-premise with cloud bursting option); hosting provider (including CDN); on-premise appliance (the shares shown are 26%, 34%, 19% and 21%).
Consider what DDoS protection steps make most sense:
1 Be proactive, not reactive
2 Install dedicated multi-vector DDoS protection
3 Integrate threat intelligence for greater efficacy
4 Add a DDoS cloud bursting service to combat volumetric attacks
Source: A10 Thunder TPS
opinion
Privacy and authentication in the Internet of Things by Manfred Kube, Head, Marketing M2M and Internet of Things Solutions, Gemalto
From tiny sensors to mammoth machines, the Internet of Things (IoT) is exploding at an enormous rate. Intel noted that 10 years ago there were two billion smart objects connected to the wireless world; now, with IDC projecting 200 billion connected devices operating amongst us by 2020, the IoT is a digital revolution tipped to eclipse any of those that came before it. However, as with any network of this kind, there is the very real threat of data breaches infringing on our personal privacy, security and data. So how can data be safeguarded in this rapidly expanding network of connected devices, and what can the companies that build these devices do to convince consumers they are safe to use? From tablets and phones to thermostats and smart meters, the answer lies in building micro-segmented stages of authentication that make data more secure but also honour consumers’ right to personal privacy.
Secure authentication and authorisation as a foundation
The introduction of smart devices has created untold potential both for consumers and businesses, but with it has come the opportunity for hackers to steal valuable information, from personal data to the intellectual property that makes a company or product unique. In the wider context of IoT, this idea of user or device authentication becomes ever more prevalent. For instance, when we go to unlock our connected car with our mobile phone, we want to be reassured that only we, the owners, are authorised to do so – preceded by successful ‘authentication’. This means ensuring the users of a device (and/or account) are who they say they are and have the authorised credentials to access the information thereafter, helping form the core basis for securing the communication of and with a device within these expansive networks.
However, having only a single user authorised also poses challenges or limitations. For example, what if a defect is detected in a connected device? The supplier will more than likely require access to the device remotely, in order to deliver software updates to solve these issues. This is evident in iPhone software updates, whereby the device receives the software remotely, but it is only installed once you accept the terms and conditions and permit the download to commence. If Apple didn’t have the initial authority to send you the software, you wouldn’t be able to approve the download and maintain the health of your device effectively or efficiently. Another practical example from the brave new IoT world is the concept of virtual car keys that you can “carry around” on your mobile phone but can also share with other family members or service staff at a garage, authorising them (e.g. for a limited time) to use your car (after successful authentication, of course).
This also initiates negotiations, though, between the consumer who purchases the connected device and the supplier who provides it. A level of trust needs to be established whereby the public has to be certain that the correspondence has come directly from the named source and not from someone who poses a security threat to the network. With several recent high-profile cyber security attacks such as the TalkTalk and Ashley Madison sagas, it is increasingly important for businesses to reassure their customers that these growing networks will be secure and enable the user to take control of their data. One of the ways companies are tackling this problem of false user authentication is through biometric data – that is, using individuals’ unique ‘biology’ to access their data. This includes unique means of identification such as fingerprints and iris scans that are incredibly difficult to replicate. The use of biometrics and behavioural biometrics (gestures, swipe and pattern predictions) is creating a unique level of user identification, truly attributing the sense of ‘personal’ between the user and a device. This significantly increases the security credentials of the device and acts as a major barrier between hackers and their access to data. When “things” communicate in the IoT, credentials residing in tamper-resistant secure elements embedded in devices can not only secure network access and communication but also support secure services such as virtual private networks, e.g. for software updates.
Maintaining consumer trust
Gone are the days when data captures simply included a name and address. Increasingly, the data collected and transmitted by these smart devices goes beyond personally identifying information and creates a detailed pattern of our everyday lives in real time. So, how can we reduce these fraudulent acts within the IoT, and what steps must manufacturers take when creating these devices? This is something that is being researched daily, as the business case for cyber security has never been more prevalent. Manufacturers have a duty to take measurable steps to ensure we feel safe with the networks our devices are accessing and, more importantly, to allow us to control who is authorised or permitted to do so.
One method to ensuring this is through incorporating end-to-end encryption throughout the data exchanging process. This essentially renders the information useless to anyone without authorised access, preventing cyber criminals from using data as ransom. Privacy, security and trust cannot be deemed an afterthought for IoT, with such valuable information at hand. With the increased impact of IoT services, “security by design” is essential - right from the start of the development process. In order for the IoT to truly reach its potential, consumer trust must remain prevalent. Trust in large corporations has diminished in recent years by the apparent mishandling of customers data by previously tried, tenured and trusted brands. Once that trust goes, it can be extremely hard, if not impossible to get back and this can be damaging, and in some case fatal, for brands. The four best practices for IoT protection: Evaluating risk – developers need to understand all the potential vulnerabilities. Evaluation processes should cover privacy, safety, fraud, cyberattacks and IP theft. Evaluating risk is not easy as cybercriminals are continually working on launching new threats. As there is no one size that fits all it is advisable to bring in a security expert at this stage. Security by design – it is key that device security is duly considered at the development stage. This should include end-to-end points and countermeasures, including tamperproof hardware and software. Securing the data – strong authentication, encryption and securely managed encryption keys need to be included to secure information stored on the device and in motion. Lifecycle management – security is not a one-off process and then you can forget about it. It is imperative that IoT devices are protected for the lifecycle of the device, be it a stand-alone product or integrated into a car, for example. 07.2016
15
insight
Countering cyberattacks in oil and gas By Katharina Rick, Partner and Managing Director at Boston Consulting Group
Today, concern about cybersecurity is particularly high within the oil and gas industry, which faces a far wider spectrum of threats – threats that are potentially more severe than those confronting other key industries. In the Middle East specifically, the rate of cyber-attacks targeting companies in the oil and gas sector is notably high, especially compared to global figures. In fact, according to Repository of Industrial Security Incidents (RISI) data, cyberattacks against oil and gas organisations in the Middle East make up more than half of the recorded instances, whereas in the U.S. and other Western countries they make up less than 30 percent.

In recent years, there has been a growing prevalence of cyber-attacks in the region. In 2014, Kaspersky Security Network revealed that, the previous year, more than 650,000 ransomware infection incidents had taken place across the Middle East and North Africa (MENA) region, including in the oil and gas sector. A year later, in 2015, cybersecurity firm Symantec reported that Trojan Laziok, an aggressive malware programme, had attempted to steal data from energy companies around the world, some based in the Middle East. Remarkably, 25 percent of the attempted cyber-attacks targeted companies in the UAE, versus 10 percent in both Saudi Arabia and Kuwait and 5 percent in both Oman and Qatar.

This, of course, raises three pivotal questions: Why are oil and gas companies in the Middle East more vulnerable to attacks? How can organisations that have fallen victim to cyber-attacks ensure a quick recovery? And what can they do to fend off future attackers?

The reality is that, in recent years, companies in the region have invested heavily in newer IT infrastructure and solutions, including multiple mobile devices connected to the oil and gas companies' networks. Given their widespread popularity and ability to store sensitive or confidential data, mobile devices are increasingly turning into an open frontier for cyber-attacks. In the Middle East and Africa, the situation is especially dire considering the region's high mobile phone penetration rates. And this trend shows no sign of waning: independent market research company eMarketer predicts that over 789 million people in the Middle East and Africa will own at least one mobile phone by 2019, and it is fair to assume that they will be bringing their devices to work.

In this day and age, inadequate boundary protection is a major point of vulnerability. It can make it difficult to detect nefarious activity and can create avenues that allow outside parties to interface with systems and devices that directly support a company's control processes. It can also provide an "easy" access route to industrial control systems, as most communication protocols for measurement and control devices are not as well encrypted as those for business communication systems.

Another critical point of vulnerability is information flow enforcement. If false data is fed into the system or information is siphoned off, most companies would likely never know that for a fact; it could even go completely undetected. There is wide speculation that the colossal malware attack on oil giant Saudi Aramco's systems in 2012 was actually a cover-up for earlier information flow breaches. Insufficient control of information flows can allow attackers to establish unsanctioned and damaging command and control, with potentially severe consequences for the physical infrastructure, the value of national assets, and personal safety and health.

The potential points of attack are plenty. Transactions in the oil and gas arena are broad in scope and range from sensitive information on well sites to end-user consumption at the pumps. The danger posed by large-scale threats is significant, given the physically expansive infrastructure of oil and gas production and distribution. For instance, the ramifications of a successful cyberattack on an oil and gas company in the Middle East could carry grave implications for national security. In most countries in the region, the oil and gas sector is the main source of income for the government and accounts for 60 to 70 percent of fiscal spending resources.

Governments in the region, including those of Saudi Arabia and Qatar, have crafted multi-phased national cybersecurity strategies and developed related policies and frameworks, focusing specific attention on critical infrastructure and national interests. For example, the Qatar National Cyber Security Strategy (NCSS) "was developed by the National Cyber Security Committee, presided by the Ministry of Information and Communications Technology, in light of the strategic thrusts of Qatar's National ICT Plan 2015 to protect the national critical information infrastructure and to provide a safe and secure online environment for the different sectors."

These various bodies and efforts notwithstanding, individual oil and gas companies in the Middle East need to take primary responsibility for their cybersecurity strategies themselves. The Boston Consulting Group (BCG) recommends a risk-based approach centered on three steps:
• Developing an understanding of the precise risk to the company's assets and the effort and resources necessary to mitigate them
• Building and sustaining a multilayered defense system
• Managing cybersecurity risk on a consistent basis

To conclude, the increasing technological complexity of today's oil and gas industry – driven by, for example, the industry's spiraling deployment of data mining and analytics technologies, sensor and networking technologies, industrial systems, and systems integration technologies – is rendering it increasingly vulnerable to cyberattacks. To protect themselves, their shareholders, and their customers adequately, oil and gas players in the Middle East must make cybersecurity a top priority and an ongoing consideration at the executive level.
opinion
Security in the age of networked ecosystems By Janet Bishop-Levesque, Chief Information Security Officer, RSA
There can no longer be any question: the age of connected machines has arrived. Today, it is not only humans who network through digital devices: everyday objects, from cars and energy meters to coffee machines and fridges, use communication systems to connect in the so-called 'Internet of Things' (IoT). These connected devices promise to turn the world around us into a series of 'smart' networked environments; for everything in the 'real world' there will soon be a digital equivalent, collecting and sharing data to enhance our lives.

The promise of networked ecosystems

The value such networked environments already create cannot be doubted. Car insurers, for example, are using connected devices to monitor the way in which people drive, enabling them to lower premiums for safe drivers. Meanwhile, connected medical equipment, such as glucose monitors, is allowing clinicians to monitor patients' health while they are away from the clinic. The applications of IoT are limitless and promise to change the world around us completely. For example, in the near future connected vehicles will form mesh networks on the road, exchanging critical safety information such as their speed and direction, and linking up with roadside sensor nodes to enable self-driving motorcades. Meanwhile, our homes will become networked and connected. Beds, for instance, will be able to anticipate when we will wake up and then pass that information on to the coffee maker to brew a fresh pot before work. This is a future once only dreamed about in the pages of science fiction books, yet it is rapidly becoming a reality. However, one substantial caveat remains: for the world of networked ecosystems to deliver, connected devices must be made much more secure than they are today.

The security challenge

The main challenge stems from the fact that the technology used to connect devices comes from the world of industrial machine-to-machine communications. This technology was only designed to function in trusted environments. Once communications devices are connected to public networks – as they must be if networked ecosystems are to come about – they are exposed to cybercriminals. When we consider the range of hacks and cyber-attacks that already plague the 'human' Internet, the threat that an unsecured Internet of Things poses is clear: we are moving from an environment where we need to secure many millions of smartphones, laptops, servers and the like, to a world where we must secure many billions of devices across a wide range of environments. People today, the information generation, expect all this access, but for this environment to thrive we need to factor in the very real implications of a successful attack on an IoT-enabled system. The impact of cybercrime today is by and large financial; if, for example, customer data is stolen from a business, that business might lose customers and see a fall in its share price. But what if, in the IoT world, a healthcare monitor is hacked? Or a vehicle while it is in motion? The implications of such attacks go much further than the financial and underscore just how important it is to get security right from the outset.

Securing networked ecosystems

Managing risk is a key part of innovation. Flying is a risky activity, yet we do it every day because we know sensible safeguards have been put in place to ensure our safety. So too with connected ecosystems. There is no silver bullet for IoT security, but there are measures manufacturers and IoT network operators can put in place.

First, devices need to be secured before they are connected to any network. One way to achieve this is through stringent ID management and governance systems. Each device needs to be given an identity, in the same way people in businesses are given an ID to log on to the corporate network. This ID ensures that devices connecting to a network are authentic, while related systems manage which data the devices are 'allowed' to access, and for how long. This level of control will play a crucial role in stopping illegitimate objects being placed onto a network for nefarious purposes.

Second, we can learn a lot from the analysis and data science approaches championed in disciplines such as security analytics, governance and sharing. Using such data analysis, IoT service providers will be able to model their risk profile across their network, allowing them to strengthen security in areas where risk is considered high, in much the same way a financial organisation models risk and then amends its investment portfolios accordingly.

Finally, network monitoring is essential. Service providers need to be able to view their entire IoT network in real time and have the analytics tools and network probes in place to identify suspicious activity while it happens. This approach means security teams can tackle threats as they emerge and resolve them before they have affected the network.

Towards a networked world

We are moving to a world which is more interconnected than ever, and as a result more efficient and rewarding. But it is also a world that will enable an increasing range of attack vectors for the unscrupulous, and protecting against them will be the great challenge for the Information Generation.
feature
6 pillars of next-gen endpoint protection
Taken together, these core functions can detect the most advanced attack methods at every stage of their lifecycle, writes Tomer Weingarten, CEO, SentinelOne

Advancements in attack evasion techniques are making new threats extremely difficult to detect. The recent Duqu 2.0 malware, which was used to hack the Iranian nuclear pact discussions, Kaspersky Lab, and an ICS/SCADA hardware vendor, is a prime example. To keep up, a new security model that takes a different approach from the traditional 'evidence of compromise' process is needed. This Next Generation Endpoint Protection (NGEPP) model needs to address six core pillars that, when taken together, can detect the most advanced attack methods at every stage of their lifecycle:

1. Prevention
NGEPP must leverage proven techniques to stop known threats in the wild. A layer of pre-emptive protection can block existing threats before they can execute on endpoints. Instead of relying only on one vendor's intelligence, it is now possible to collectively tap more than 40 reputation services via the cloud to proactively block threats. This approach also uses a lightweight method to index files for passive or selective scanning, instead of performing resource-intensive full system scans.

2. Dynamic Exploit Detection
Using exploits to take advantage of code-level vulnerabilities is a sophisticated technique used by attackers to breach systems and execute malware. Drive-by downloads are a common threat vector for carrying out exploit attacks. NGEPP should provide anti-exploit capabilities to protect against both application and memory-based attacks. This should be achieved by detecting the actual techniques used by exploit attacks, for example heap spraying, stack pivots, ROP attacks and memory permission modifications, not by using methods that depend on static measures, such as shellcode scanning. This approach is much more reliable, since the exploitation techniques themselves are not as easy to change or modify as the shellcode, encoder, dropper and payload components used in malware.

3. Dynamic Malware Detection
Detecting and blocking zero-day and targeted attacks is a core NGEPP requirement. This involves real-time monitoring and analysis of application and process behaviour based on low-level instrumentation of OS activities and operations, including memory, disk, registry, network and more. Since many attacks hook into system processes and benign applications to mask their activity, the ability to inspect execution and assemble its true execution context is key. To protect against a variety of attacks and scenarios, this detection capability is most effective when performed on the device. For example, even if an endpoint is offline, it can be protected against USB stick attacks. While many vendors now offer endpoint visibility, which is a leap forward, it cannot detect zero-day attacks that do not exhibit any static indicators of compromise. Dynamic behavioural analysis that does not rely on prior knowledge of a specific indicator is required when dealing with true zero-day threats.

4. Mitigation
Detecting threats is necessary, but insufficient. The ability to perform mitigation must be an integral part of NGEPP. Mitigation options should be policy-based and flexible enough to cover a wide range of use cases, such as quarantining a file, killing a specific process, disconnecting the infected machine from the network, or even completely shutting it down. In addition, mitigation should be automated and timely. Quick mitigation during the inception stages of the malware lifecycle will minimise damage and speed remediation.

5. Remediation
During execution, malware often creates, modifies or deletes system files and registry settings and changes configuration settings. These changes, or remnants that are left behind, can cause system malfunction or instability. NGEPP must be able to restore an endpoint to its pre-malware, trusted state, while logging what changed and what was successfully remediated.

6. Forensics
Since no security technology will ever be 100 percent effective, the ability to provide real-time endpoint forensics and visibility is a must for NGEPP. Clear and timely visibility into malicious activity that has taken place on endpoints across an organisation is essential to quickly assess the scope of an attack and take appropriate responses. This requires a clear, real-time audit trail of what happened on an endpoint during an attack and the ability to search for indicators of compromise across all endpoints.

To completely replace the protection capabilities of existing legacy, static-based endpoint protection technologies, NGEPP needs to be able to stand on its own to secure endpoints against both legacy and advanced threats throughout the various stages of the malware lifecycle. The six pillars described above provide the 360 degrees of protection required for the Cloud generation, where the endpoint has become the new security perimeter.
interview
You’ve got mail Email security is still a struggle for many companies, with spam and phishing showing no signs of going away. Brandon Bekker, MD, Mimecast MEA, tells us how to stay one step ahead of the bad guys.
Email continues to be the most common attack vector. Why is it still elusive to achieve email security?
Though there have been incredible advancements in email security technology, businesses often cannot deploy this new technology quickly enough to counter the evolving cyber threats that threaten their security. And often, cybercriminals prey on human error and misjudgment, disguising their attacks in ways that seem legitimate to even the savviest of email recipients.

What are the best practices you recommend for email security?
Whilst Mimecast provides a TTP (Targeted Threat Protection) suite of solutions to protect users from accessing malicious URLs and email attachments and to counter whaling attacks, we also encourage businesses to engage with their staff and interrogate their business practices to boost their cyber resilience. Some examples of this include:
• Educate employees about these types of attacks and what to look out for – emails from the CEO or CFO requesting immediate action.
• Test employees once trained by using simulations in the form of staged whaling messages intentionally sent to key individuals.
• Implement advanced email gateways to 'stamp' messages as 'external' and raise suspicion when they seem to have come from someone inside the organisation.
• Introduce specialised advanced email threat technology to identify and block these attacks.
• Update procedures to include multi-level authentication and approvals to make it harder for a single person to transfer funds or hand over sensitive information.

How can you spot phishing emails?
Phishing emails often contain one or more of the following signs:
• It is from someone you don't recognise
• The link's destination domain appears incorrect
• You didn't initiate the action and weren't expecting to be contacted
• The sender's name doesn't match their email address
• It is not specifically addressed to you (e.g., Dear Customer)
• There are spelling or grammatical errors
• It includes a long list of recipients
• It contains a vague message from a seemingly familiar source
• It makes an offer that seems too good to be true

Is training and education the best way to go about email security?
Humans are often the weak link in the cybersecurity chain, so businesses need to modify their approach to cybersecurity in order to evolve the corporate mindset towards one of cyber resilience. Implementing advanced security software does help, but Mimecast also advocates the building of a 'Human Firewall'. This educational layer encourages all users in an organisation to interrogate their inbox and take necessary steps to protect themselves and their organisation from cyber-attacks. There are also other ways that email security attacks can be mitigated. One of these concerns the changing of authentication or approval processes through the adding of a secondary signature. Another involves the utilisation of simulations as an effective method for detecting weakness as well as raising awareness.

What are the pros and cons of cloud-based email service?
Mimecast's cloud-based services allow for protection that is always-on, always up-to-date to counter the evolving cyber threat landscape, and without the complexity and cost of traditional offerings. The agility of Mimecast's email cloud services provides our customers with flexible and granular email security controls which they can easily modify to suit their business requirements.
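The gateway practice and the list of phishing signs described in the interview, as an added example that is not part of the interview or of Mimecast's products: a Python check that stamps mail from outside the organisation as external, flags external mail whose display name matches an internal employee (the whaling case), and scores the listed signs (sender name versus address, link destination domain, generic greeting, long recipient list, demands for immediate action). The internal domain, staff directory, recipient threshold, regular expressions and the three sample messages are all constructed assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example.com"  # constructed: the organisation's own domain
# Constructed staff directory: normalised display name -> mailbox.
STAFF = {"jane doe": "jane.doe@example.com", "omar khan": "omar.khan@example.com"}
RECIPIENT_LIMIT = 10  # constructed threshold for "a long list of recipients"

URGENCY = re.compile(r"\b(immediate(ly)?|urgent(ly)?|right away|within the hour)\b", re.I)
GENERIC_GREETING = re.compile(
    r"^\s*(dear|hello)\s+(customer|user|valued|sir|madam|member)\b", re.I | re.M)
HTML_LINK = re.compile(r'<a\s[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
HOST_IN_TEXT = re.compile(r"\b(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})\b", re.I)


def name_matches_address(display, addr):
    """Sign: 'the sender's name doesn't match their email address'.
    True when a word of the display name (3+ letters) appears in the mailbox's
    local part, or when there is no display name to compare against."""
    local = addr.split("@", 1)[0].lower()
    tokens = [t for t in re.split(r"[^a-z]+", display.lower()) if len(t) >= 3]
    return not tokens or any(t in local for t in tokens)


def link_destination_mismatch(html):
    """Sign: 'the link's destination domain appears incorrect'.
    True when an anchor shows one hostname in its visible text but its href
    points at a different host."""
    for m in HTML_LINK.finditer(html):
        href_host = (urlparse(m.group("href")).hostname or "").lower()
        shown = HOST_IN_TEXT.search(re.sub(r"<[^>]+>", "", m.group("text")))
        if shown and href_host and shown.group(1).lower() != href_host:
            return True
    return False


def assess(raw):
    """Return the sorted list of signs found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    found = set()
    # Gateway stamp: the message did not originate from the organisation's domain.
    external = addr.rsplit("@", 1)[-1] != INTERNAL_DOMAIN
    if external:
        found.add("external_sender")
        # Whaling: external mail whose display name is someone on staff.
        if display.strip().lower() in STAFF:
            found.add("impersonates_internal_staff")
    if not name_matches_address(display, addr):
        found.add("name_address_mismatch")
    if link_destination_mismatch(body):
        found.add("link_domain_mismatch")
    if GENERIC_GREETING.search(body):
        found.add("generic_greeting")
    recipients = [a for h in msg.get_all("To", []) + msg.get_all("Cc", [])
                  for a in getattr(h, "addresses", ())]
    if len(recipients) > RECIPIENT_LIMIT:
        found.add("long_recipient_list")
    if URGENCY.search(str(msg.get("Subject", "")) + "\n" + body):
        found.add("urgent_request")
    return sorted(found)


# Constructed samples: WHALING poses as a director from an outside domain and
# shows one URL while linking to another; LEGIT is ordinary internal mail;
# BULK is a mass mailing with a generic greeting.
WHALING = """\
From: Jane Doe <ceo-office@exarnple-mail.com>
To: omar.khan@example.com
Subject: Immediate wire transfer needed
Content-Type: text/html

<p>Dear Omar,</p>
<p>I need a supplier payment released right away. Confirm the details at
<a href="http://pay.exarnple-mail.com/confirm">https://portal.example.com/payments</a>
before the bank closes.</p>
"""
LEGIT = """\
From: Omar Khan <omar.khan@example.com>
To: jane.doe@example.com
Subject: Q3 budget notes

Hi Jane, the notes from this morning are on the shared drive. No rush.
"""
BULK = "From: Account Services <alerts@mailer-example.net>\nTo: " + ", ".join(
    f"user{i}@example.com" for i in range(12)) + """
Subject: Your account has been limited

Dear Customer, verify your account urgently at http://example-verify.net/login
"""
```

A gateway would typically add the resulting sign names as a header or banner on delivery; the scoring here only decides which signs are present and leaves the policy (warn, quarantine, route to review) to the operator.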
opinion
The shifting face of power By Harshul Joshi, Senior Vice President of Cyber Governance, Risk and Compliance at DarkMatter.
China's military, the largest standing army in the world, has committed to a rigorous investment programme aimed at overhauling its defensive capabilities in the five years to 2020. What is most poignant about this undertaking is that significant resources are being dedicated to technologies and capabilities in the cyber realm rather than traditional, physical weaponry. Put simply, China's focus on cyber as the catalyst for its military transformation offers a bold statement about the world we currently inhabit and the path it is likely to continue along. Power and security are no longer defined by the number of soldiers, tanks or physical weapons a military establishment has, but rather by access to and utilisation of information, and the ability to protect that information from others who might look to use it to inflict harm.

This changing paradigm also holds sway in the civilian and corporate world. We have witnessed technology companies such as Google, Amazon, Facebook, and LinkedIn amass huge valuations in a relatively short period of time. They are considered to be more valuable than 'old economy' stalwarts such as Ford Motor Company that manufacture a great amount of physical output. At the heart of the influence and success of the new corporate 'super powers' is their access to and use of information. Digital services are a tradeable currency; parties that possess it prosper and those that do not flounder.

Digitisation has a number of prerequisites for continued development, and cybersecurity resilience, particularly for critical infrastructure, is one of the most important. Cybersecurity itself is now one of the most important pieces of the puzzle for national security. Given the criticality of information, information systems, and the interconnectivity of everything, cybersecurity can no longer be viewed as a 'nice-to-have'; rather, it must become a central building block of society as we move towards Smart Cities and nations.

Ultimately, transactions in the digital world are only sustainable should trust be present and enforced. This is precisely the reason why we believe that more and better security and trust typically improves the entire operation of the information ecosystem. If implemented correctly and consistently, cybersecurity is in fact a business enabler, and a GDP growth driver. The more secure entities and individuals feel in their digital environments, the more they will utilise them, generating more economic activity to all parties' benefit. The enormous gains that have been and are set to be reaped from digital developments are limited only by imagination, and the ability for the system to work as intended. This takes on an even higher order of importance in the case of national infrastructure, where lives are directly at stake, meaning building cybersecurity resiliency into the DNA of the system is essential.

It is no exaggeration to state that safeguarding our exploding digital environments is one of the single most important undertakings of our time. An end-to-end, perpetual, proactive, and informed approach to cyber security is imperative, and in all likelihood will distinguish the cities, nations, and companies that succeed in the future from those that do not.
opinion
Gartner’s
top 10 security predictions
How to prepare for these new and known threats to enterprise security over the next two to four years.
T
oday’s security professionals battle threats from outside the organisation as well as those from their own employees. But what about threats that they already know exist? The next few years will see a variety of attacks as well as progress in the technologies and processes that prevent them. The top Strategic Planning Assumptions (SPAs) for security in the next two to four years.
1
Through 2020, 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year. 24
07.2016
Recommended action: Companies should focus on fixing the vulnerabilities they know exist. While these vulnerabilities are easy to ignore, they’re also easier and more inexpensive to fix than to mitigate.
2
By 2020, a third of successful attacks experienced by enterprises will be on their shadow IT resources. Recommended action: Business units deal with the reality of the enterprise and will engage with any tool that helps them do the job. Companies should find a way to track shadow IT, and create a culture of acceptance and protection versus detection and punishment.
3
By 2018, the need to prevent data breaches from public clouds will drive 20 percent of organisations to develop data security governance programs. Recommended action: Develop an enterprise-wide data security governance (DSG) programme. Identify data security policy gaps, develop a roadmap to address the issues and seek cyberinsurance when appropriate.
4
By 2020, 40 percent of enterprises engaged in DevOps will secure developed applications by adopting application security self-testing, self-diagnosing and self-protection technologies.
Recommended action: Adopt Runtime Application Self-Protection (RASP) for DevOps. Evaluate less mature vendors and providers for potential security options.

5. By 2020, 80 percent of new deals for cloud-based CASB will be packaged with network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms.
Recommended action: While concerns exist about customer migration to the cloud and bundling purchases, companies should assess the application deployment roadmap and decide whether investment is justified.

6. By 2018, enterprises that leverage native mobile containment rather than third-party options will rise from 20 percent to 60 percent.
Recommended action: Experiment and become familiar with native containment solutions. Keep in mind that enterprises with average security requirements should plan to move gradually to native containment.

7. By 2019, 40 percent of IDaaS implementations will replace on-premises IAM implementations, up from 10 percent today.
Recommended action: Enough limitations have disappeared on Identity as a Service (IDaaS) that companies should start experimenting on small-scale projects. While a clash of regulations could derail the increased implementation, companies should work to recognise the current limitations and benefits.

8. By 2019, use of passwords and tokens in medium-risk use cases will drop 55 percent, due to the introduction of recognition technologies.
Recommended action: Passwords are too entrenched in business practices to disappear completely, but companies should look for products that focus on developing an environment of continuous trust with a good user experience. Begin by identifying use cases, and press vendors for biometric and analytic capabilities.

9. Through 2018, over 50 percent of IoT device manufacturers will not be able to address threats from weak authentication practices.
Recommended action: By changing the enterprise architecture, IoT introduces new threats. Early IoT security failures might force the industry towards authentication standards, but companies should identify authentication risks, establish identity assurance requirements, and employ metrics.

10. By 2020, more than 25 percent of identified enterprise attacks will involve IoT, though IoT will account for only 10 percent of IT security budgets.
Recommended action: As IoT continues to grow, vendors will favour usability over security and IT security practitioners remain unsure of the correct amount of acceptable risk. Companies should assign business ownership of IoT security, focus on vulnerable or unpatchable IoT devices, and increase IoT-focused budget.

Earl Perkins, Research Vice President, Gartner
OPINION
Putting the eye in IoT
By Johan Paulsson, CTO, Axis Communications
It’s hard to read any kind of technology newspaper or website these days without seeing several references to IoT – the Internet of Things. It has become the buzzword of all buzzwords, the next killer app, and the bandwagon that everyone from car makers to home appliance companies hopes to ride to success. Despite its hype, IoT does represent a very real and practical step forward in how to connect disparate machines and widely dispersed data. And it has profound ramifications for the security and video surveillance industry.

Axis Communications introduced what many consider a pioneering IoT device in 1996 (long before the term existed) when we launched the security industry’s first network camera. Little did we know it would ultimately spawn a tidal wave far beyond security. To be sure, the concept of network cameras has come a long way in 20 years. Yet, if we were to rank the top emerging trends for 2016, connected systems would still have to be at the top. Why? Because the capabilities of IP-based systems are constantly evolving and suppliers of all types are still discovering new ways to leverage the power, flexibility and reach of connectivity.

As more IP-based security devices inevitably replace aging analog systems, we will see wider use of security products that integrate the growing wealth of information generated by the IoT not just into information for security purposes, but into a range of other applications and uses. IoT will allow network cameras to think independently and make smart decisions on their own. Imagine a mesh of network cameras that communicate with each other to alert the next camera of a person or object about to enter from the left of a given scene. IoT-enabled cameras may also be able to cover for one of their peers that is damaged or obstructed.
IoT: From cool features to useful solutions
As enthralled as we are with the individual capabilities of IoT devices, in the security world the more important aspect of this trend is how all the components work together to solve a tangible challenge. First of all, IoT-based systems must be easy to design, install, maintain and use. And one size does not fit all. Maximising the potential of IoT requires in-depth knowledge from suppliers who:
1. Understand how each feature or component works together with the others;
2. Can design a solution that can be used to solve specific challenges;
3. Are able to deliver it as an integrated offering whose long-term value is more than just the sum of its parts.

This is especially true as security solutions move well beyond their roots in cameras. Indeed, largely because of IoT, the security sector’s traditional boundaries continue to blur. For example, network cameras can be used for Building Information Management (BIM), Business Intelligence (BI) in retail and even leaping into scientific research with real-time analysis of traffic patterns and crowd movements. The IoT will allow for combined systems integrating previously disparate devices such as video surveillance cameras, smoke detectors, gas sensors, access control panels and loudspeakers into a common management console providing a ‘single pane of glass’ overview across entire buildings and sites. The result is a huge opportunity for security solutions that are purpose-built to share useful data with other connected devices, all of which can be monitored remotely. This connectivity between devices will provide end users with more complete situational awareness across multiple locations.

With the increasing amount of data being generated, shared over the network and, in many cases, stored and accessed through cloud computing models, there is a growing need to focus on the protection of all this data and the assets that exist ‘virtually.’ New technologies and methods for enhancing cybersecurity specifically for networked and cloud-based security systems are being developed. This is critical to protect against vulnerabilities such as hacking and will be an important aspect of how physical security and surveillance solutions are designed and implemented.
Security as-a-Service: The Cloud emerges
Cloud-based computing has touched just about every industry and it will continue to reshape the security and surveillance sector as well. Security can now be offered as a service that is managed remotely, freeing up valuable human and capital resources that no longer need to be on site at every location that needs to be observed. Secure remote access to security systems will increase in use, including by end-users who want the convenience and real-time benefits of being able to monitor property and events without having to be physically present. Cloud storage is another important aspect of how systems are becoming more efficient in this model. Much larger volumes of data can be stored, cost-effectively and securely, at dedicated server facilities, allowing users to archive video and associated data for longer periods of time and improve its accessibility as well.
More cameras mean Big Data
According to market researchers, video is now the fastest growing type of data in the world, and video generated by security and surveillance systems is a significant reason for that. While this vast amount of video data is largely being used for security purposes, as mentioned above, it is increasingly valuable as a source of business intelligence. However, there remains a significant challenge to effectively manage and use the endless amounts of video data being generated, the so-called Big Data. Big Data is difficult to process through traditional data processing applications. We expect to see more investment in tools and other resources that can effectively mine and derive actionable intelligence from the Big Data that security systems are producing. This technology can put structure around vast amounts of unstructured video data, helping to better understand significant patterns and trends. In the coming years, look for improvements in and a greater use of video management systems (VMS) to search Big Data in order to pull up relevant events, people, locations, times, colours and keywords. Such tools will assist business operators to turn Big Data into critical information that aids in loss prevention, marketing, operations, and customer service.
Cutting the cords
Wireless technology has transformed our lives in many ways, from mobile phones to Wi-Fi connectivity. We have already seen the benefit and convenience of remote security monitoring via smartphones and tablets. Video surveillance systems of up to around ten network cameras can be managed entirely via mobile devices, no longer requiring a desktop PC to run video management software. Especially for SMBs, this significantly lowers the technology hurdle, as users are more open to using a smartphone app than having to oversee more comprehensive and detailed video management software on a desktop PC. It also reduces overall system and maintenance costs. Expect to see more use of wireless technology in security and video surveillance, particularly as an enhancement to business optimisation and improvement of the customer experience.
The never-ending quest for more detail
Security operators have an insatiable appetite for more clarity and detail in the images produced by their video surveillance systems. This is especially true as the adoption of intelligent video analytics continues to grow. So continued improvement in megapixel technology is certainly in our future. Enhanced techniques to handle challenging low-lighting conditions in new ways are coming to market, making cameras even more useful in a wider array of applications and use models. These improvements, largely focused on expanding the wide dynamic range (WDR) capability of cameras, also provide enhanced information for analytics to help decipher. Look for continued adoption of 4K Ultra HD, which enables network cameras to see more details. With an HDTV or megapixel network camera, the resolution is at least three times better than an analog CCTV camera. And 4K Ultra HD offers four times the resolution of HDTV 1080p. However, higher and higher resolutions also result in increasing storage consumption. Intelligent video compression algorithms such as Axis’ Zipstream technology allow for a reduction in storage needs by an average of 50 percent or more. This is achieved by analysing and optimising a network camera’s video stream in real time. Scenes containing interesting details are recorded in full image quality and resolution while other areas are filtered out to make optimal use of available storage. Important forensic details like faces, tattoos or license plates are isolated and preserved, while irrelevant areas such as white walls, lawns and vegetation are sacrificed by smoothing in order to achieve better storage savings.
Analytics provides the brain for smarter systems
If IoT devices are the eyes and ears for increasingly interconnected systems, then analytics technology is the brain. We expect to see continued growing adoption of sophisticated video and audio analytics in the coming year, helping security systems evolve from passive monitoring to intelligent and adaptive recognition, situational awareness and analysis systems. Analytics go far beyond security uses. Retailers, for example, are increasingly using video analytics to gain business intelligence insights that allow them to optimise shop floor plans, merchandise display or checkout queue management. This opens up entirely new user groups to video surveillance. For example, in-store traffic flow and behaviour analysis can help guide advertising and promotion campaigns.
HOW TO
How to perform a risk assessment

Without a complete and thorough risk assessment including all its component parts, you might as well open all your data assets to unbridled exfiltration via Port 80 without any security checks at all. In the end, attackers and criminal digital profiteers will get what they came for in either case. Defending against risks without knowing what those risks are is like playing a round of paintball with your eyes closed: you’ll keep missing your opponent. A risk assessment gives the enterprise a specific, more finely narrowed field of targets at which to aim. We take a look at some steps you should use on the way to protecting data assets and stores in your enterprise.

Outlining risk assessment particulars
An IT risk assessment involves progressive steps that ensure a proper evaluation of your IT risks and their severity to your organisation. According to M. Scott Koller, counsel at BakerHostetler, these steps include: evaluating data and systems; identifying risks to those systems; evaluating those risks for likelihood, severity, and impact; and identifying controls, safeguards, and corrective measures.

Tools for evaluating your data and systems can include network maps, system inventories, and data audits of collected and stored data, explains Koller. These go beyond simple understandings and high-level views of topologies to encompass your core network(s) with all their servers, switches, routers, hardware, software, and services, all the way out to your network edge, gateways, and endpoints, with all their incumbent data, accounting for everything that is or resides within your network. You can’t tally all your risks unless you measure them against all your network assets that could be at risk.

To pool a current and meaningful list of real potential risks to your systems and data assets, consider including a manual empirical phase in your overall approach for measuring IT project risk: take a census of the risks that concern your stakeholders and team members most, making sure to address each system and all data; validate the list and remove any real duplicates; and identify risk types. In other words, whatever else you do to compile a risk list, make sure to simply talk to your people. Any number of them may have seen something new that has escaped inclusion among previously identified risks.

There are also tools that can help the enterprise to identify specific risks. Tools in the category known as data infrastructure / advanced data analytics provide a holistic view of real-time situational awareness and a common operating picture of virtually any asset, system, operation or facility to anyone in a vendor-agnostic fashion, operating at near limitless scale, says Steve Sarnecki, Vice President, OSIsoft. IBM and PwC are two more vendors offering products in this category. Tools in this category can cull risk information from enterprise assets to help identify risks.

Metrics and corrective measures
To create a visual metric of the likelihood and severity of the risk, rate each risk from one to 10 or one to 100 for its likelihood and then again for its severity. Use the two numbers to plot the risk as a dot on a graph with X and Y axes. The dots that concentrate in the upper-right corner, inside a square that is one-fourth of the whole graph, will comprise the top 25 percent of your risks. Google Image search results for such charts will give you an idea of what different sources have developed.

To assess potential impact, remember that impact reaches far beyond financial measures. Look to your organisation’s own history of realised impact. Look at news coverage and IT industry analysis of the realised impacts of organisations in a similar position to yours. Ask your stakeholders about the kinds of impacts that leave them restless.

To identify more controls, safeguards, and corrective measures to enact to mitigate risks, look to industry best practices with a history of success. NIST offers a resource with ample discussion of controls. SANS offers a list and discussion of controls. “For example, a safeguard that you can implement to reduce the potential risk of a ransomware infection is to update your antivirus software. You then re-evaluate the risk after implementing the safeguard to determine whether you have sufficiently mitigated the impact and probability of the risk. If not, you should repeat the process,” says Koller.

Level setting results and expectations
Risk assessments won’t eliminate risk but rather should reduce it acceptably. Going back to ransomware as an example, residual risk remains that the antivirus software won’t prevent the ransomware infection, says Koller. “An organisation must weigh the risk associated with that event with the probability of occurrence and the potential costs associated with additional safeguards,” says Koller. If antivirus doesn’t do enough, the enterprise may consider adding additional protections. An enterprise should address the greatest risks, those with the highest likelihood, severity, and costs, first. Without the information that a risk assessment provides, the enterprise cannot adequately protect its data.

Refresher course
For some enterprises, these resources are a reminder of a roadmap, a refresher course on the elements of a risk assessment, and good for sharpening your next gaze into assessing risks. If not, and there’s something completely new here for you, you may want to consider moving up the date of your next evaluation of real risks to your enterprise data.
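The scoring, upper-right-quadrant selection and safeguard re-evaluation described in the article, worked through as an added example (not code from the article or from BakerHostetler); the risk register, scores, costs and safeguards below are constructed sample data, and the 1..10 scale is one of the two the article allows.

```python
"""Risk register scoring as described in the article: rate likelihood and
severity, plot each risk as an X/Y dot, treat the upper-right quarter of the
graph as the top risks, then re-score after a safeguard and keep the residual
risk. Added illustration; all risks, scores and safeguards are constructed."""
from dataclasses import dataclass, replace

SCALE_MAX = 10  # the article allows 1..10 or 1..100; the logic is the same


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int        # X axis, 1..SCALE_MAX
    severity: int          # Y axis, 1..SCALE_MAX
    cost: int = 0          # estimated cost of the impact, used for ordering
    safeguards: tuple = () # safeguards already applied to reach this score


def validate(risk: Risk) -> Risk:
    """Reject scores outside the chosen scale so a typo cannot hide a risk."""
    for value in (risk.likelihood, risk.severity):
        if not 1 <= value <= SCALE_MAX:
            raise ValueError(f"{risk.name}: score {value} outside 1..{SCALE_MAX}")
    return risk


def in_upper_right_quadrant(risk: Risk) -> bool:
    """A dot lands in the upper-right quarter of the graph when both
    coordinates are above the midpoint of their axis."""
    mid = SCALE_MAX / 2
    return risk.likelihood > mid and risk.severity > mid


def top_risks(register):
    """Risks in the upper-right quadrant, highest likelihood, severity and
    cost first: the order the article says to address them in."""
    return sorted(
        (r for r in register if in_upper_right_quadrant(r)),
        key=lambda r: (r.likelihood, r.severity, r.cost),
        reverse=True,
    )


def apply_safeguard(risk, safeguard, new_likelihood, new_severity):
    """Re-evaluate a risk after a safeguard; the result is the residual risk."""
    return validate(replace(
        risk,
        likelihood=new_likelihood,
        severity=new_severity,
        safeguards=risk.safeguards + (safeguard,),
    ))


# Constructed sample register (hypothetical risks, not from the article)
REGISTER = [validate(r) for r in (
    Risk("Ransomware on file servers", likelihood=8, severity=9, cost=500_000),
    Risk("Lost unencrypted laptop", likelihood=6, severity=7, cost=80_000),
    Risk("Web app SQL injection", likelihood=7, severity=8, cost=250_000),
    Risk("Printer firmware out of date", likelihood=4, severity=3, cost=5_000),
    Risk("Office Wi-Fi outage", likelihood=7, severity=2, cost=10_000),
)]


def ransomware_walkthrough():
    """The article's example: update antivirus, re-evaluate, find the residual
    risk still in the top quadrant, repeat with a second safeguard."""
    ransomware = REGISTER[0]
    after_av = apply_safeguard(ransomware, "update antivirus", 6, 9)
    after_backup = apply_safeguard(after_av, "offline backups", 6, 4)
    return after_av, after_backup


if __name__ == "__main__":
    for r in top_risks(REGISTER):
        print(f"{r.name}: likelihood={r.likelihood} severity={r.severity} cost={r.cost}")
    after_av, after_backup = ransomware_walkthrough()
    print("after antivirus update, still top quadrant:", in_upper_right_quadrant(after_av))
    print("after offline backups, still top quadrant:", in_upper_right_quadrant(after_backup))
```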
insight
SIEM: 14 questions to ask before you buy
Today’s SIEM technology boasts more brain power than ever, but many organisations fail to realise its full promise. Here are the key questions you need to ask to ensure the solution you choose will deliver.

Demand for security information and event management (SIEM) technology is high, but that doesn’t mean businesses are running these products and services smoothly. According to a report from Gartner, large companies are re-evaluating SIEM vendors due to partial, marginal or failed deployments. While the core technology has changed little in the last decade, its use cases and the pace at which businesses have adopted it have prompted a transformation, experts say.

“SIEM was a complex technology for the most entrenched, smartest companies, but today we see it adopted by less-mature organisations,” says Anton Chuvakin, Research VP, Gartner. “That’s caused the evolution in the tech that we’ve witnessed recently. It’s getting more brain power.”

That brain power, largely in the form of big data capabilities, has pushed SIEM past its days as a long-term event archival system that businesses deployed to meet basic compliance standards. Now, the need to thwart enterprise threats is driving adoption. “Today it’s used as a compliance tool, for security detection, for security analytics, forensics and as a big data platform,” says Joseph Blankenship, Senior Analyst, Forrester. “We’ve had this promise that SIEMs can now do a lot of things, but companies are experiencing a lot of pain getting them there — they just haven’t seen its full promise. That’s why we see this failure and the partial deployments.”

If your SIEM isn’t meeting your standards, start by examining your environment, needs and capabilities first, then choose the appropriate solution that will deliver. Here’s a look at 14 questions you need to ask both yourself and your vendor before you buy.

1. Is your current SIEM the problem?
While some solutions are better than others, bad SIEMs are rare, Gartner’s Chuvakin says. If you’re not getting value from it, consider why: Are you dedicating the appropriate resources? Do you have the bandwidth to run it?

2. Can you afford it?
Take a close look at your security operations to determine whether you can actually afford to operate a SIEM, Chuvakin says. Do you need to contract a managed services provider for monitoring? Or are you well-equipped to run it? “This stems from the problem of a ‘bad SIEM’ not actually being bad — it’s just that you can’t run it,” he says. “If you don’t have anyone who can watch the signals, it won’t achieve its potential.”

3. What do I want to monitor?
Before you compare SIEM products, you need to understand the problem you want them to solve, Chuvakin says. “Don’t ask the vendor what you should want, you need to know for yourself,” he says. “Start with what you want to monitor and why.”

If you determine that a new SIEM is your best course of action, use the following questions to choose your vendor.

4. What’s your commitment to SIEM?
Big SIEM vendors are relatively stable and have good financial backing, Forrester’s Blankenship says, but if you’re considering a smaller vendor, or a vendor whose sole focus isn’t SIEM, you need to know how it fits into the company’s big picture. “How much rigor has been put into the platform? Is SIEM an important or unimportant part of the company? Look for stability,” Blankenship says.

5. How will I be charged?
Some SIEM licences charge users based on the amount of log data they process using the SIEM. Adding devices that produce more logs and alerts can drive up the price, Blankenship says.

6. Where does security analytics fit in your roadmap?
Because choosing a new SIEM vendor likely results in a long relationship, since SIEM isn’t something you want to rip and replace every few years, you need to understand where the vendor stands on security analytics today, and where it fits into their future roadmap, Blankenship says. “You want to find out how they are evolving from the very strict rules-based SIEM into the security analytics platform of the future,” he says.

7. How do you support cloud environments?
If your business, like most, is moving more data and infrastructure to cloud providers, you want to have visibility into the cloud environment just as you would if it was in your own infrastructure, Blankenship says.

8. How will you enable automation in the future?
Though security professionals may not like the disruption to their traditional roles, Blankenship says it’s essential to keep an eye to the future and embrace automation. “Vendors are now looking at how to automate some of the processes. That’s part of the next wave as we get more and more comfortable with it,” he says. “Ask the vendor how you can embrace more automation. How are you setting me up so we can introduce automation into our workflows?”

9. Who are your partners?
The vendor’s partners are an indicator of how easy or difficult it will be to integrate, Blankenship says. Ask, too, about the APIs that exist to tie in other technologies and features becoming available.

10. How will you advance the SIEM?
Just as important as the vendor’s dedication to SIEM are the boundaries it’s pushing, Chuvakin says. “SIEM vendors are adding in more brain power, more analytics and algorithms to become an actual brain — not just an extension of a well-trained human brain,” he says.

11. I want to control the SIEM on-premises. What help is available?
Security professionals have two mentalities in managing the SIEM, Blankenship says: Either you want to own and control it because you know security better than others, or you want to outsource it. If you’re the former, though, there’s still a case for asking for support, he says. “There’s a use case for outside management to work with SIEMs to write protocol and provide training to make sure everyone is current,” he says. “There are ways to bring in support without the management being quite so significant.”

12. I want to outsource this. How will you support me?
“When we talk about the failed and partial deployments, we see folks who say they can no longer support the SIEM on-premises,” Blankenship says. “If this is the case with you, you need to know if you can outsource the management of the SIEM.” This includes asking about consulting services that are available to you and whether you can make it part of your contract, he advises.

13. What training is available for my team?
Ask about any in-person or online training resources that are available to get the security team proficient with the SIEM, and to train new employees as they join, Blankenship says. Is there a user community where people can ask questions?

14. Can you solve my specific use case?
Whether a vendor can solve a problem like yours and how they solved a problem like yours will elicit different answers. Home in on the proof the vendor has that problems could be, and have been, solved in environments similar to yours, Chuvakin says. “Ask the vendor for proof that they can serve the needs that you have. Take them up on the opportunity to call other customers to ask them about their experiences,” he says.
INSIGHT
The importance of cyber hygiene to your security programme
By Hadi Jaafarawi, Managing Director, Qualys Middle East

According to research conducted by Gartner, in 2015 the MENA region spent up to $1.1 billion on information security, and this figure is expected to increase in the coming years. Organisations today face attacks that have become so large and multifaceted that information security and risk management teams struggle to keep track of their security status. While businesses investing in the protection of their assets is a good thing, it is important that such large investments are made wisely.

In this complex security landscape, it is critical to be proactive, vigilant and protected against cyber threats in order to be as secure as possible. Practising good cyber hygiene is the cornerstone of achieving this; however, doing so is easier said than done. Organisations have valid concerns about how to properly do so, and what preventative measures they need to take to combat the vulnerabilities of tomorrow. In order to address these points, it’s important to gain a thorough understanding of what good cyber hygiene is.

In an enterprise, proper cyber hygiene would be ensuring that individual data points, devices and your networks are protected against vulnerabilities while also ensuring that all systems are maintained, if not future-proofed, by using cybersecurity best practices and the latest technologies. Good cyber hygiene would also mean that security and monitoring is controlled exclusively from a centrally managed point, pushed out to outlying terminals, and not reliant upon individuals to update their systems. Each organisation will have its own unique structure aligned to its needs, but there are some basic things that everyone should be doing to ensure proper cyber hygiene is being practised.

Examine Your Network. The first step to good cyber hygiene is being able to identify every inch of your network: you can’t protect what you can’t see. You have to know what type of equipment is on your network and where it is, whether on internal networks, hosted on the Internet or part of a cloud platform. It’s important to have an updated inventory at hand to know which hardware and software is being used at all times.

Do Some Housecleaning. Once you know what’s authorised to be on your network, it is equally important to identify and remove those things that don’t belong. This is typically accomplished by running continuous scans, and then comparing the results against the list of authorised hardware and software. Once you’ve determined what doesn’t belong, take the needed steps to remove it.

Sweep and Patch. Once you gain insight into the devices and applications on your network, you should scan them from a central point on a regular basis and have the ability to patch and deactivate remotely. For larger organisations, the scale of this operation is the challenge, especially with limited maintenance windows and architectural complexities. Flexible and scalable security scanning services are therefore increasingly necessary as web apps and devices proliferate.

Constantly Look For Weak Spots. With the increased frequency and complexity of attacks, it is no longer an option to scan your network on a semi-regular basis. You should constantly monitor for threats, and quickly address them within your network. This is likely to be the biggest challenge for security professionals within the next decade: finding the time to carry out the necessary checks without impacting business operations.

Use Secure Configurations. Before deploying any system or device, it is important to ensure that the system is configured to both achieve its purpose and be attack resistant. For example, one of the most effective configurations for preventing the compromise of an endpoint is to remove administrative privileges from end users. Once configured securely, your next step is to control configuration drift or change.

Continuously Look for and Control Change. In operations, when something breaks, the first question asked is ‘What changed?’ This question is equally important from a security perspective. Change is necessary but oftentimes introduces new risks and vulnerabilities into a system. Organisations should develop a process in which systems and applications are continuously monitored for changes. As changes are identified, security needs to ask a series of ‘what if’ questions to identify and respond quickly to risk. For example, if a host firewall is disabled and there is no supporting change ticket, automatically generate a ticket notifying the incident response team.

Equip Your Employees and IT Team with the Right Tools. Security professionals can’t be at every meeting or necessarily be involved in every IT project. Nor can security staff sit with every employee as they make hundreds of security-related decisions every work hour, e.g., should I click on this link? Instead, security must equip the organisation with the right tools, typically starting with easy-to-understand policies and procedures. It is also important to train staff on these policies and procedures. Where possible, you should also provide your IT staff with security tools and make them an extension of your team. For example, provide your C developers with a static code analyser so that they can quickly catch and fix security vulnerabilities, such as buffer overflows, before they are introduced into production.

We are moving to a world where continuous security will become critical to keep up with the evolving threat landscape. Cyber hygiene best practices will enable organisations to shift from an ‘event driven’ mindset to being able to respond to threats in an agile manner and minimise the impact on your overall security posture.
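Two of the hygiene checks above, the housecleaning comparison of scan results against the authorised inventory and the change-control ‘what if’ rule (a host firewall disabled with no supporting change ticket raises an incident response ticket), as an added example that is not code from the article or from Qualys; hosts, settings, software names and ticket identifiers are constructed sample data, and the ticket structure is an assumed one.

```python
"""Added illustration of two cyber hygiene checks: unauthorised-asset
detection against an inventory, and security-relevant configuration drift
that lacks an approved change ticket. All data below is constructed."""

# Settings whose unapproved change should go straight to incident response
SECURITY_RELEVANT = {"host_firewall", "admin_rights_for_users", "av_realtime"}

# Constructed authorised inventory: host -> approved software
AUTHORISED = {
    "srv-01": {"nginx", "postgres"},
    "ws-07": {"office", "edr-agent"},
}

# Constructed scan result: what was actually found on the network
SCAN = {
    "srv-01": {"nginx", "postgres", "remote-admin-tool"},
    "ws-07": {"office", "edr-agent"},
    "ws-99": {"office"},  # host that is not in the inventory at all
}


def unauthorised_findings(authorised, scan):
    """Housecleaning: return {host: software} for anything the scan found
    that is not on the authorised list. A host missing from the inventory
    has all of its software flagged, because none of it was approved."""
    findings = {}
    for host, seen in scan.items():
        extra = seen - authorised.get(host, set())
        if extra:
            findings[host] = extra
    return findings


def drift_events(baseline, current):
    """Yield (host, setting, old, new) for every setting that differs between
    the baseline and the current snapshot, including settings that vanished."""
    for host in sorted(set(baseline) | set(current)):
        before, after = baseline.get(host, {}), current.get(host, {})
        for key in sorted(set(before) | set(after)):
            old, new = before.get(key), after.get(key)
            if old != new:
                yield host, key, old, new


def tickets_for_drift(baseline, current, change_tickets):
    """The article's rule: a change to a security-relevant setting with no
    approved change ticket covering (host, setting) becomes an IR ticket.
    Non-security settings drift freely; approved changes are left alone."""
    approved = {
        (t["host"], t["setting"])
        for t in change_tickets
        if t["status"] == "approved"
    }
    tickets = []
    for host, key, old, new in drift_events(baseline, current):
        if key in SECURITY_RELEVANT and (host, key) not in approved:
            tickets.append({
                "team": "incident-response",
                "host": host,
                "setting": key,
                "change": f"{old} -> {new}",
                "reason": "security-relevant change without an approved change ticket",
            })
    return tickets


# Constructed configuration snapshots and change tickets
BASELINE = {
    "srv-01": {"host_firewall": "enabled", "ntp_server": "ntp.internal", "av_realtime": "on"},
    "ws-07": {"host_firewall": "enabled", "admin_rights_for_users": "no"},
}
CURRENT_STATE = {
    "srv-01": {"host_firewall": "disabled", "ntp_server": "ntp2.internal", "av_realtime": "on"},
    "ws-07": {"host_firewall": "enabled", "admin_rights_for_users": "yes"},
}
CHANGE_TICKETS = [
    {"id": "CHG-1001", "host": "ws-07", "setting": "admin_rights_for_users", "status": "approved"},
    {"id": "CHG-1002", "host": "srv-01", "setting": "host_firewall", "status": "rejected"},
]

if __name__ == "__main__":
    for host, extra in unauthorised_findings(AUTHORISED, SCAN).items():
        print(f"remove from {host}: {sorted(extra)}")
    for ticket in tickets_for_drift(BASELINE, CURRENT_STATE, CHANGE_TICKETS):
        print(f"IR ticket: {ticket['host']} {ticket['setting']} {ticket['change']}")
```

The NTP change and the approved admin-rights change produce no ticket; only the firewall change, whose ticket was rejected, reaches incident response.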
products
Brand: Qualys Product: Private Cloud Platform What it does: Qualys has unveiled Qualys Private Cloud Platform Appliance (PCPA), a new managed on-premise security and compliance solution packaged in a form-factor for mediumsized companies. This newest member of the Qualys Private Cloud Platform (PCP) family offers the same robust private cloud security and compliance services with scanning capacity in a new high-performance, purpose-built 1U appliance. What you should know: Qualys PCPA is designed to help mid-sized organisations keep security and compliance information locally, within their data centres or a partner’s, without sacrificing the value of managed cloud services. Qualys PCPA offers the full benefits of the Qualys Cloud Platform suite as a managed, monitored service, securely maintained by Qualys within an organisation’s data centre. It supports both scanners and cloud agents, and includes a comprehensive, integrated suite of Qualys apps for automating asset discovery, security assessments and compliance management.
36
07.2016
Brand: Symantec Product: Anomaly Detection for Automotive What it does: Symantec has introduced Symantec Anomaly Detection for Automotive to protect against zero-day attacks and never-before-seen issues facing modern connected vehicles. Bringing Symantec’s extensive security and sophisticated analytics expertise across complex networks to the vehicle, Anomaly Detection for Automotive provides the crucial ability to identify issues for early remediation. What you should know: Symantec Anomaly Detection for Automotive uses machine learning to provide passive in-vehicle security analytics that monitor all Controller Area Network (CAN) bus traffic without disrupting vehicle operations, learn what normal behaviour is and flag anomalous activity that may indicate an attack. The solution works with virtually any automotive make and model.
Brand: Axis
Product: AXIS Q1615/-E Mk II
What it does: Axis Communications introduces IP cameras featuring an i-CS lens. The new intelligent i-CS lens directly exchanges information with the camera, such as its geometrical distortion and the exact position of its zoom, focus and iris opening.
What you should know: AXIS Q1615/-E Mk II features scene profiles enabling the installer to select between traffic overview, forensic or live profile. When one of the preset scene profiles is chosen, the cameras automatically adjust exposure time, white balance, aperture, sharpness, contrast and noise in order to obtain the best video quality for the selected video surveillance needs. The new fixed cameras can provide HDTV 1080p video at frame rates of up to 50/60 fps or HDTV 720p video at frame rates of up to 100/120 fps. This allows for detailed video capture of fast-moving objects, which can be of great importance in industrial applications such as monitoring a production line. Details of parts and packages can be overviewed easily and precisely, enabling full control of the production process.
29th August 2016, 18:00 - 23:00
Habtoor Grand, Dubai, UAE
NOMINATE NOW: www.securityadvisorme.com/awards/2016/
For sponsorship enquiries: Rajashree Rammohan, Publishing Director, raj.ram@cpimediagroup.com, +971 4 375 5685, +971 50 173 9987; Kausar Syed, Group Sales Director, kausar.syed@cpimediagroup.com, +971 4 375 1647; Merle Carrasco, Sales Manager, merle.carrasco@cpimediagroup.com, +971 4 375 5676
For general and agenda-related enquiries: Jeevan Thankappan, Group Editor, jeevan.thankappan@cpimediagroup.com, +971 4 375 5678
For registration enquiries: CPI Events Team, +971 4 440 9100, bitevents@cpimediagroup.com
blog
Securing the Cloud By Tan-Hoang Nguyen, Security Solutions Expert, Middle East, North Africa and Turkey, Orange Business Services
Cloud computing has firmly entered the enterprise mainstream, delivering numerous benefits in terms of agility by allowing access to computing power from anywhere and on demand. But does handing enterprise data to cloud providers increase or decrease security risks?

It’s clear that cloud computing providers are a target for hackers and malicious attacks. Just as banks attract bank robbers, cloud computing providers hold riches that can profit cybercriminals. So it is little surprise that application attacks on clouds have increased alongside a rise of 36 percent in suspicious incidents such as attempts to scan infrastructure. Perhaps as a consequence of this, Rightscale’s survey on the State of Cloud in 2015 found that 41 percent of IT departments rated cloud security as a significant challenge.

But of course the cloud isn’t the only area of IT that suffers from security attacks. In fact most of the major breaches in the last 12 months have not involved cloud services at all. Indeed, analyst Ovum suggests that continued security breaches might push further enterprise cloud adoption.

The fundamental problem facing enterprises is the growing number of security risks coupled with a shortage of security staff globally. A recent Frost & Sullivan survey found that 62 percent of enterprises had too few information security professionals. So for some enterprises, pushing applications into the cloud allows them to take advantage of the security capability of their cloud provider. On the whole they are happy with the result: an IDG survey found that 74 percent of enterprises were confident in the security of their information assets in the cloud.

However, using a cloud provider doesn’t mean that enterprises can completely outsource their security responsibilities. According to the same Frost & Sullivan survey, 73 percent of respondents were looking at developing a number of new skills relevant to cloud computing, including: application of security controls to cloud environments (66 percent), knowledge of risks, vulnerabilities and threats (65 percent), enhanced understanding of security guidelines (62 percent) and risk management (59 percent).
Best practices in cloud security

So what security threats do enterprises and their cloud service providers face? The Cloud Security Alliance (CSA), a body that focuses on best practices to help organisations enjoy a secure cloud computing environment and experience, defines nine core threats to cloud security. These are data breach, data loss, account or service traffic hijacking, insecure interfaces and APIs, denial of service, malicious insiders, abuse of cloud services, insufficient due diligence and shared technology vulnerabilities.

Mitigating these threats requires best security practices from all stakeholders: cloud provider, enterprise and end-user. For example, in addition to the cloud provider’s security controls, users need to practise good password management for access to cloud applications, and enterprises need mobile device management to wipe confidential data from lost devices. This message is perhaps not getting across clearly, because a recent survey of both IT and non-IT enterprise executives found that less than 16 percent consider cloud security a shared responsibility. Some 31 percent said that it is up to the cloud provider to keep apps and data safe, and 20 percent place the onus on end-users.

Ultimately, ensuring security within the cloud requires that all stakeholders focus on best practices. The nine core threats outlined by the CSA can help enterprises formulate policies that keep data safe, while working with an expert cloud provider to maximise data safekeeping. At policy level, think access management and ensure strong password procedures are in place to mitigate end-user vulnerability. A patch management process that keeps the environment current with the very latest updates is also advisable, while data logging and analysis helps identify potential weak points and attack patterns.

With this in mind, migrating to the cloud ultimately means having trust in your cloud provider. Any organisation wanting to house sensitive data in the cloud needs to consider private, hybrid and virtual private cloud offerings, and cloud providers should understand what a company needs most – and have the necessary security processes and staff in place to provide protection.