Security Advisor Middle East | Issue 18


ISSUE 18 | JUNE 2017 www.tahawultech.com

A CLOSER LOOK HOW SECURITY DATA ANALYTICS CAN HELP IDENTIFY AND FIGHT THREATS

Securing DevOps Enterprise Security 360 Summit Swiss International Scientific School


99% of ransomware starts with phishing emails.* No problem, employees don’t click those. Take back control and make email safer for business. Stop malicious targeted email attacks with Mimecast Targeted Threat Protection, a cloud solution that:

• Protects from malicious URLs
• Protects against social engineering and impersonation attacks
• Provides layered defence from malicious email attachments
• Protects from internal email threats



CONTENTS

06 A CLOSER LOOK
Security Advisor ME delves into how deeper insights on data can help organisations improve their cyber defences.

10 DEVOPS: A SECURITY BOON OR BANE?
Proponents say DevOps enhances security, naysayers contend it weakens security.

14 RETHINKING SECURITY LEADERSHIP
Enterprise Security 360 summit gathered regional security leaders to discuss some of the burning security issues today.

16 FIGHTING TALK
SentinelOne discusses how businesses can combat ransomware attacks in the current climate.

24 HIGH GRADE PROTECTION
Swiss International Scientific School in Dubai deploys MDM and network security solutions to secure students’ and employees’ data.

26 SECURITY ON-DEMAND
Qualys’ Sumedh Thakar discusses how cloud helps organisations transform their security strategies.

34 HAPPY HUNTING
Digital Guardian’s Tim Bandos shares common indicators that say a threat is underway.

FOUNDER, CPI MEDIA GROUP: Dominic De Sousa (1959-2015)
PUBLISHING DIRECTOR: Natasha Pendleton, natasha.pendleton@cpimediagroup.com, +971 4 440 9139
EDITORIAL: Group Editor Jeevan Thankappan, jeevan.thankappan@cpimediagroup.com, +971 4 440 9129; Online Editor Adelle Geronimo, adelle.geronimo@cpimediagroup.com, +971 4 440 9135; Contributing Editors James Dartnell, james.dartnell@cpimediagroup.com, +971 4 440 9153; Janees Reghelini, janees.reghelini@cpimediagroup.com, +971 4 440 9167; Glesni Holland, glesni.holland@cpimediagroup.com, +971 4 440 9134
DESIGN: Senior Designer Analou Balbero, analou.balbero@cpimediagroup.com, +971 4 440 9140; Designer Neha Kalvani, neha.kalvani@cpimediagroup.com, +971 4 440 9156
ADVERTISING: Group Sales Director Kausar Syed, kausar.syed@cpimediagroup.com, +971 4 440 9130; Sales Manager Merle Carrasco, merle.carrasco@cpimediagroup.com, +971 4 440 9147
CIRCULATION: Circulation Manager Rajeesh M, rajeesh.nair@cpimediagroup.com, +971 4 440 9119
PRODUCTION: Production Manager James P Tharian, james.tharian@cpimediagroup.com, +971 4 440 9159; Operations Manager Shweta Santosh, shweta.santosh@cpimediagroup.com, +971 4 440 9107
DIGITAL SERVICES: Web Developer Jefferson de Joya, Abbas Madh; Photographer Charls Thomas, Maksym Poriechkin; webmaster@cpimediagroup.com, +971 4 440 9100
Published by CPI Media Group. Registered at Dubai Production City, DCCA, PO Box 13700, Dubai, UAE. Tel: +971 4 440 9100, Fax: +971 4 447 2409. Printed by Printwell Printing Press.
© Copyright 2017 CPI. All rights reserved. While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.


NEWS

SHEIKH MOHAMMED LAUNCHES DUBAI CYBER SECURITY STRATEGY
His Highness Sheikh Mohammed bin Rashid Al Maktoum, Vice President and Prime Minister of the UAE and Ruler of Dubai, has launched the ‘Dubai Cyber Security Strategy’ that aims to strengthen the emirate’s position as a world leader in innovation, safety and security. On the launch of the strategy, HH Sheikh Mohammed highlighted the UAE’s high ranking at both regional and international levels in providing security for individuals and organisations in the country. He said that cybersecurity has become an essential requirement in the digital era as the world has become more connected with the spread of smart technologies, and stressed the importance of developing strategies that ensure Dubai’s readiness to face any challenges it may be presented with. “We want to harness technology to create a new reality in Dubai and a different life, a new model of development,” he added. The strategy involves the implementation of five main domains: cyber smart nation, innovation, cybersecurity, cyber resilience, and national and international collaboration.

LINGUISTIC ANALYSIS SHOWS WANNACRY’S POSSIBLE LINKS TO CHINA
A recent report published by BBC News stated that an analysis by research firm Flashpoint suggests Chinese-speaking criminals may have been behind the WannaCry ransomware. According to the firm, the use of proper grammar and punctuation in only the Chinese versions of the ransom notice indicated that the writer was “native or at least fluent” in Chinese. The translated versions of the ransom notice appeared to be mostly “machine translated”. Flashpoint’s report showed that out of the 28 different notes, only the English version and the two Chinese character versions (simplified and traditional) appear to have been written by a human. All 25 other notes appear to have been translated from the English note using Google Translate. The WannaCry cyber-attack infected more than 200,000 computers in various countries including the UK, US, China, Russia, Spain, Italy and Taiwan. Some earlier analysis of the software had suggested that the ransomware is linked to North Korea. However, the Flashpoint researchers noted the Korean-language ransom note was a poorly translated version of the English text.

US CONSIDERS LAPTOP BAN ON ALL INTERNATIONAL FLIGHTS
The US government is considering banning laptops from the passenger cabins on all international flights to and from the country, according to homeland security secretary John Kelly. Speaking at Fox News, Kelly said the US administration plans to “raise the bar” on airline security. In the interview Kelly said that there is a real threat to aviation. “We’re still following intelligence,” he said. He noted that terrorists are “obsessed” with the idea of “knocking down an airplane in flight.” Kelly said the move would be part of a broader airline security effort to combat what he called “a real sophisticated threat.” In March, the government imposed restrictions on large electronic devices in aircraft cabins that apply to nonstop US-bound flights from 10 international airports in Amman, Jordan; Kuwait City, Kuwait; Cairo; Istanbul; Jeddah and Riyadh, Saudi Arabia; Casablanca, Morocco; Doha, Qatar; and Dubai and Abu Dhabi in the UAE. About 50 flights a day, all on foreign airlines, have been affected by the ban. Earlier this month, reports said the Trump administration would broaden the ban to include planes from the European Union, affecting transatlantic routes that carry as many as 65 million people a year. Among the enhanced security measures that the Department of Homeland Security will likely implement is tighter screening of carry-on items to allow Transport Security Administration agents to detect dangerous items in tightly packed suitcases. Kelly said no final decision had been made as to the timing of any ban.


CREDENTIAL REUSE POSES MAJOR THREATS TO ENTERPRISE SECURITY
Rick Holland, Digital Shadows

Digital Shadows has unveiled research into some of the main techniques cybercriminals are using to target organisations using stolen credentials which have been reused across a variety of sites and online forums. The research revealed that cybercriminals are increasingly turning to credential stuffing tools to automate attempts at account takeover. This is a type of brute force attack whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found. Based on the configurations seen for these tools, the most common targets for these attacks are the gaming, technology, broadcasting and retail sectors. “Many organisations are suffering breach fatigue due to the huge numbers of credentials exposed via not only high profile incidents like those suffered by Myspace, LinkedIn and Dropbox, but also from tens of thousands of smaller breaches,” said Rick Holland, VP Strategy, Digital Shadows. “But it is critical that businesses arm themselves with the necessary intelligence and insight to manage their digital risk and prevent this credential exposure problem from escalating into an even more severe problem.” The report also suggests that while multi-factor authentication (MFA) can help to protect organisations and their customers from account takeovers, it cannot be seen as a silver bullet to solve the problem of account takeovers. “Enterprises – and the companies that work for and with them – need to be better prepared for this sort of brute force attack,” added Holland.

UAE INTERNET USERS MAKE PERSONAL INFO PUBLIC ONLINE
Research from Kaspersky Lab has revealed that almost half of Internet users in the UAE make their personal information public, including scans of their passports, payment details and driving licences. The research showed that the majority of people in the UAE share personal information digitally, with 83 percent of the respondents sharing photos and videos of their children and 56 percent sharing private and sensitive videos and photos of others. These habits are worse among younger generations, who are making large amounts of their personal information accessible to strangers. Worryingly, once data has gone into the public domain, it can travel far beyond the control of its owners. One in five people admit that they share sensitive data with people they don’t know well, and with strangers, limiting their ability to control how their sensitive information will be used. “In today’s online world, sharing information with others has never been easier and, in many ways, that’s what the Internet was created for,” said Andrei Mochola, head of Consumer Business, Kaspersky Lab. “But by disclosing important and sensitive information to other people at the push of a button, you relinquish control over it, because you can’t be sure where that data is going, and how it will be used. Users are literally putting their precious data, and even the devices that store it, in the hands of others.”

FACEBOOK AND GOOGLE HIT BY HUGE PHISHING SCAM
In March, it was reported that a Lithuanian individual had been charged over an email phishing attack against ‘two US-based internet companies.’ The victims were not named at the time; however, Facebook and Google have recently confirmed that they were the ones victimised by the attack. According to reports, the tech giants fell victim to an email phishing attack, allegedly costing $100 million, perpetrated by Lithuanian Evaldas Rimasauskas. The emails were made to look like they came from employees of the Asia-based firm, the US Department of Justice (DOJ) alleged, and were sent from email accounts designed to appear as if they belonged to the company. A statement released by a Google spokesperson revealed that upon detecting the fraud against its vendor management team it promptly alerted the authorities. “We recouped the funds and we’re pleased this matter is resolved.” A representative from Facebook also said: “Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation.” The tech companies did not give any details regarding the amount of money that was stolen from them.

97% of businesses in the ‘Forbes 1000’ list had their valuable credentials exposed. Source: Digital Shadows


FEATURE

A CLOSER LOOK

The old adage ‘what you don’t know can’t hurt you’ could not be further from the truth when it comes to IT security. Optimising data to address IT security threats is far from new. However, the growing number of endpoints and increasing sophistication of cyber threats make this task more daunting than ever.

A big portion of information security efforts within an organisation is focused on monitoring and analysing data from servers, networks and numerous devices. However, the data deluge and sheer volume of cyber-attacks are making it challenging for security teams to get a complete and accurate view of the risks that their organisations are facing. Typically, organisations employ security information and event management (SIEM) tools to help them get a better handle on aggregating and analysing logs and events within enterprise networks. As businesses seek to gain more insight into network traffic and user activity they are pushed to look for tools that can bring them deeper analytics they can use to enhance their security strategies. The reality is that there’s simply too much information to collect, organise and analyse. And traditional SIEM tools have limited capabilities to capture this data and figure out what may be relevant to enterprise security. “SIEM solutions absorb machine data generated from your security devices, infrastructure, servers and clients and, based on these, run a set of rules or instructions on what is recognised as a security incident,” explains Nicolai Solling, CTO, Help AG. “This could be anything from an alert saying that a client was not able to update its anti-virus engine to a more serious alert indicating attack. However, the issue with SIEM is that many of its capabilities are based on events received from the deployed platforms. And, if the configuration is not done properly, security teams may miss out on very important events.” Lushen Padayachi, head, BT Security, Middle East and Africa, says SIEM provides a holistic view of the organisation’s overall cybersecurity.

“The main principle is to produce security information across platforms, making it easier to spot trends and prevent future cyber-attacks.” He then explains that security data analytics, on the other hand, takes the approach one step further. “Security data analytics provide in-depth analysis to improve detection through collecting, storing and analysing huge amounts of security data from across the whole organisation and the wider security landscape in real-time,” he says. Security data analytics solutions help enterprises detect and prioritise threats, formulate responses and iterate against potential attacks. While the solution seems an easy one, it is not a one-size-fits-all approach. Security teams should consider the type of monitoring that would be most appropriate and then select tools to match. “There are many elements security teams need to consider,” says Solling. “You need to consider your platform and architecture in your network. Most data analytics platforms are based on receiving raw packet-captures from within the infrastructure and then applying some form of algorithm or even artificial intelligence to identify threats. This means the placement of the devices becomes extremely important.” He adds that other solutions tend to base the learning on the flow of information, which can be created in multiple devices in the network such as firewalls, routers and even user switches and wireless access points. “Security analytics should be treated in three integrated sections,” he adds, “the capture of critical information from a large number of events generated by security devices such as firewalls like IPS; feeding this information to security controls; and finally learning from shortcomings to mitigate future threats. A comprehensive security analytics solution must, therefore, incorporate each of these segments to be of value to the organisation.” More and more organisations are finding that since security data analytics is a maturing domain, they don’t have the significant workforce to perform the relevant processes it requires. Moreover, the complexity of the attacks is increasing much faster than they can train and hire the talent and resources to respond to them. A key challenge faced by security teams is the bottleneck caused by too much work being loaded onto too few people. In many IT departments, a large portion of the security team’s time is spent on day-to-day activities rather than longer term strategies. This challenge is becoming even more acute due to a widespread shortage of people with the required security skills. Much of the problem stems from the fact that, in many instances, security analysis is still a manual activity. Security teams gather information from a wide variety of sources and then use a series of manual tools to look for problems. For some teams, there are simply too many security alerts coming in to allow efficient and effective analysis of them all. “One of the main concerns that organisations are facing is the talent shortage in the region,” says Padayachi. “Emerging technologies such as IoT, hybrid cloud, blockchain, security data analytics and more require specialised training of individuals to ensure the effectiveness of these technologies. There are multiple solutions to this issue, among which is educating and training individuals in cybersecurity. Secondly, organisations should also consider automating a few of their security tools, as it eliminates the need for human intervention and provides fast reaction.” In addition, Solling raises the issue that few, if any, end-user organisations have in-house IT teams that can deploy and manage security analytics. “This is why at Help AG, we have a dedicated Cyber Security Analysis division offering essential security services, which can be instrumental for uncovering security vulnerabilities that would otherwise go unnoticed,” he says. Security analytics also plays a crucial role in helping business leaders understand the importance of investing in security, according to Arthur Dell, director, Technology Sales and Services, Citrix. “This is especially the case in an era where enterprises, looking to improve productivity, are rapidly adopting a variety of new paradigms such as bring your own device (BYOD), SaaS applications, and public clouds. The advent of such technology has brought with it a host of challenges. Tools like Citrix Analytics can be instrumental for organisations to access and analyse behaviour, application, data usage behaviour and network traffic behaviour including the ability to tap into encrypted traffic. If risky user activities are identified, granular policy controls can be employed to mitigate the threat or stop it entirely. When such benefits are communicated to senior executives clearly, the case for prioritising security technology becomes difficult for them to ignore, which in turn could lead to investment towards analytics for the sake of their company’s cyber hygiene.”
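Solling’s description above of a SIEM absorbing machine data and running a set of rules over it, together with the credential stuffing pattern reported by Digital Shadows in this issue’s news pages, can be made concrete with a small rule engine. The Python below is an added example and is not code from Help AG, Digital Shadows or any product mentioned in this feature; the log line format, IP addresses, user names and thresholds are all constructed for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login events (not real data). The line format is an
# assumption for this example:
#   "<ISO timestamp> <source IP> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2017-06-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2017-06-01T10:00:02 203.0.113.7 bob LOGIN_FAIL
2017-06-01T10:00:02 203.0.113.7 carol LOGIN_FAIL
2017-06-01T10:00:03 203.0.113.7 dave LOGIN_FAIL
2017-06-01T10:00:03 203.0.113.7 erin LOGIN_FAIL
2017-06-01T10:00:04 203.0.113.7 frank LOGIN_OK
2017-06-01T10:05:10 198.51.100.9 alice LOGIN_FAIL
2017-06-01T10:05:30 198.51.100.9 alice LOGIN_FAIL
2017-06-01T10:06:00 198.51.100.9 alice LOGIN_OK
2017-06-01T11:00:00 192.0.2.44 grace LOGIN_OK
this line is malformed and must be skipped rather than crash the rule run
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def parse_events(text):
    """Parse log text into event dicts sorted by time; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, outcome = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                       "user": user, "ok": outcome == "LOGIN_OK"})
    events.sort(key=lambda e: e["ts"])
    return events


def credential_stuffing_rule(events, window=timedelta(minutes=1), min_users=5):
    """Alert on a source IP whose failures touch >= min_users distinct accounts
    inside `window`. Many accounts per source is the stuffing signature; one
    user failing repeatedly against their own account does not fire this rule."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_ip[e["ip"]].append(e)
    alerts = []
    for ip, fails in fails_by_ip.items():
        start = 0
        for end in range(len(fails)):          # sliding window over sorted failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                alerts.append({"rule": "credential_stuffing", "ip": ip,
                               "distinct_users": len(users)})
                break                          # one alert per source is enough
    return alerts


def takeover_candidates(events, window=timedelta(minutes=1), min_fails=2):
    """Return (ip, user) pairs where a successful login from `ip` follows
    >= min_fails failures from the same ip within `window`: the moment a
    stuffing or guessing run has likely found a working credential."""
    recent_fails = defaultdict(list)
    candidates = []
    for e in events:
        if e["ok"]:
            prior = [t for t in recent_fails[e["ip"]] if e["ts"] - t <= window]
            if len(prior) >= min_fails:
                candidates.append((e["ip"], e["user"]))
        else:
            recent_fails[e["ip"]].append(e["ts"])
    return candidates


def run_rules(text):
    """SIEM-style entry point: parse once, then run every rule over the events."""
    events = parse_events(text)
    return {"credential_stuffing": credential_stuffing_rule(events),
            "takeover_candidates": takeover_candidates(events)}


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_LOG).items():
        print(rule, hits)
```

The first rule keys on what distinguishes credential stuffing from ordinary password guessing, many different accounts tried from one source in a short window, so that a user mistyping their own password does not fire it. The second turns a success that follows a burst of failures into an account-takeover candidate for an analyst to review; the report’s point that MFA helps but is not a silver bullet is why a detection of this kind still earns its place alongside it. As Solling warns, a rule set like this only sees the events it is actually fed, so the coverage of the log sources matters as much as the rules.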



FACTS
Ransomware jumped 6000% in 2016, costing businesses $1B. 200,000+ new malware samples every day. 91% of hacks started with a phishing email. Cybercrime costs to rise to $6 trillion by 2021.

Are you prepared for a CYBER BREACH? Recent cyber attacks have caused massive business disruption, wreaked tangible property damage, disrupted supply chains and affected power and water supplies. By examining your organisation’s security posture with a thorough risk management assessment and framework, enterprises can begin to mitigate and reduce cyber threats. IT SEC provides 360° Cybersecurity Services to Secure Your Network and Protect Your Data.

Contact us today for a FREE ASSESSMENT.
SECURING NETWORKS | PROTECTING DATA
800 ITSEC (48732) | +971.4.242.3608 | info@itsec.ae | www.itsec.ae


FEATURE

DEVOPS: A SECURITY BOON OR BANE?
Proponents say DevOps enhances security, naysayers contend it weakens security.

DevOps, which enables agile software development, is becoming an enterprise strategy that stands front and centre in organisations today. As the move to DevOps picks up the pace, information security executives often feel they are being pulled along reluctantly for the ride. As more companies embrace DevOps principles to help developers and operations teams work together to improve software development and maintenance, those organisations also increasingly seek to embed security into their processes. Continuous automated testing improves application security. Increased visibility in operations improves network security. Research firm Gartner estimates that DevOps is currently in place at about 25 percent of Global 2000 enterprises. The benefits they hope to reap from the move to DevOps include more agile and responsive development teams and faster time to market. This is because DevOps helps enterprises to clear app clutter through increased use of automation, standardisation, and collaboration. DevOps makes it easier for everyone involved to be transparent about what’s happening, why it’s happening, and what will happen next. That visibility is important for security teams, too, since security people don’t necessarily control network operations or the various systems. The challenge for information security teams is ensuring that all of the best security practices and controls that they’ve been able to instil into their development methods follow along in the transformation.

Does DevOps help or hurt security? “DevOps is an environment that is run by developers, who focus on app deployment and delivery, not security. The speed of rapid releases, automation, and continuous integration and deployment all make for less time to find security problems and vulnerabilities,” says William Udovich, regional director, CyberArk. Specifically, the dynamic nature of the DevOps environment means new opportunities for privileged account proliferation, resulting in an extensive attack surface. Attackers recognise this and target the container ecosystem as part of the critical path to a successful cyber attack. In order to counter this, security needs to be built into existing DevOps processes, he adds. Adrian Pickering, MENA regional head of Red Hat, believes there are four key principles to ensuring secure DevOps. “Configure the development, test and deployment environments identically. Perform all vital connectivity security reviews during the development process and make proactive changes to all


three environments as needed. It is also important to make sure that only the IT security team can adjust network connectivity, VLAN and firewall,” he says. There is a firmly held concern in security circles that the automation associated with DevOps moves too swiftly, that security teams and their tests can’t keep up, that too many of the metrics measured focus on production, availability, and compliance checkboxes, and as a result, security falls to the wayside. Early proponents of DevOps have always argued that when done right, DevOps can actually improve security. “Security expertise can be included in the development process to increase the chance of releasing a more robust product. Security and regulatory compliance should be a central component of any organisation’s DevOps process/methodology to ensure potentially disastrous security breaches are mitigated from the outset. Companies do have the capability to integrate security expertise into their DevOps team without impacting overall speed of development. Doing so might just save them from major issues at a later stage,” says Pickering. DevOps naysayers contend, however, that DevOps also risks automating the wrong processes, or poor metrics move the organisation away from measuring actual security and compliance risks to only measuring those risks and threats that they can easily measure, thereby creating a false sense of security that itself can be dangerous. “DevOps is all about speed and computing efficiency, but most things come with a price and that price is new security challenges and new attack vectors for cyber-attackers and rogue insiders. Security must not get in the way of DevOps processes, as to do so would defeat the object, so any added-in security must be optimised for the lighter technology stack of containers and for the elasticity and scale needed to support modern DevOps environments,” says Udovich. Do deepening adoption and broader deployment of container technologies (from the likes of Docker, CoreOS and others) threaten to escalate into the latest skirmish between operations, developers and information security?
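Two of Pickering’s principles, identical development, test and deployment environments and network connectivity, VLAN and firewall settings that only the security team may change, can be enforced as a pipeline check rather than left as a policy document. The Python below is an added example and not Red Hat’s, CyberArk’s or the article’s own tooling; the environment definitions, the key names and the `SECURITY_OWNED_KEYS` set are constructed for the illustration.

```python
import json

# Constructed environment definitions for the example (not from the article).
# In a real pipeline each would be loaded from that environment's config repository.
ENVIRONMENTS = {
    "development": {
        "app_version": "1.4.2",
        "tls_min_version": "1.2",
        "vlan": 120,
        "firewall_inbound": ["443/tcp"],
        "debug": False,
    },
    "test": {
        "app_version": "1.4.2",
        "tls_min_version": "1.2",
        "vlan": 120,
        "firewall_inbound": ["443/tcp"],
        "debug": False,
    },
    "production": {
        "app_version": "1.4.2",
        "tls_min_version": "1.0",                   # drift: weaker than dev/test
        "vlan": 120,
        "firewall_inbound": ["443/tcp", "22/tcp"],  # drift: an extra exposed port
        "debug": False,
    },
}

# Settings that, following the principle above, only the security team may change.
# The key names are an assumption of this example.
SECURITY_OWNED_KEYS = {"vlan", "firewall_inbound", "tls_min_version"}


def find_drift(envs):
    """Return {key: {env_name: value}} for every key whose value is not identical
    across all environments. Values are compared as canonical JSON so that lists
    and nested dicts compare by content rather than identity."""
    all_keys = set().union(*(cfg.keys() for cfg in envs.values()))
    drift = {}
    for key in sorted(all_keys):
        canon = {json.dumps(cfg.get(key), sort_keys=True) for cfg in envs.values()}
        if len(canon) > 1:
            drift[key] = {name: cfg.get(key) for name, cfg in envs.items()}
    return drift


def check_change(change, author_team):
    """Gate a proposed change (a dict of key -> new value). Returns
    (allowed, blocked_keys): touching a security-owned key is blocked unless
    the change comes from the security team."""
    touched = set(change) & SECURITY_OWNED_KEYS
    if touched and author_team != "security":
        return False, sorted(touched)
    return True, []


def pipeline_gate(envs, change, author_team):
    """Combine both checks the way a CI job would: report any drift and decide
    whether this change may proceed. `ok` is False when either check fails."""
    drift = find_drift(envs)
    allowed, blocked = check_change(change, author_team)
    return {"drift": drift, "change_allowed": allowed,
            "blocked_keys": blocked, "ok": allowed and not drift}


if __name__ == "__main__":
    # A developer trying to open SSH in production: blocked, and drift reported.
    proposal = {"firewall_inbound": ["443/tcp", "22/tcp"]}
    print(json.dumps(pipeline_gate(ENVIRONMENTS, proposal, "developers"), indent=2))
```

Running the gate on every merge means environment drift surfaces as a failed build rather than, as Udovich describes, as a new attack vector discovered later; the `author_team` value would in practice come from the pipeline’s identity provider rather than from the change itself, so that the ownership rule cannot be bypassed by editing the request.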



“Unfortunately, many security teams do not know enough about containers and the related security implications. Security teams do need to be proactively educated so they can effectively support the adoption of new container technologies and devise strategies to mitigate their risks. Many IT security teams today are flying blind when it comes to understanding when, where, and how containerised apps are created and deployed within their organisation and consequently, the most current security practices need to evolve to keep up with an increasingly containerised, DevOps-centric world,” says Pickering. Aqua CTO Amir Jerbi says nothing would make everyone involved happier than if security could be baked into containers as part of the way they are built, shipped and run. “This is also the best way of minimising friction between the motivations of DevOps and those of IT security. Since security teams are often unaware of the processes that culminate in containers running in production, it is important to involve them in the definition of workflows and facilitate a knowledge transfer, so as to ensure that they are in a position to provide guidelines as to appropriate controls and practices they require to meet security standards and pass compliance audits.”




• Always be suspicious of any unsolicited communication from businesses or individuals, regardless of the message medium
• Don’t click on links or attachments in suspect emails, texts, or social media messages
• Directly contact the purported sender via their official website, phone number, or email address if you are not sure about the legitimacy of a message you have received
• Report suspected phishing scams to your IT and security teams
• File a complaint with the FBI Crime Complaint Center (IC3) to help shut down cybercriminals

SOURCE: Digital Guardian


EVENT

RETHINKING SECURITY LEADERSHIP

Security Advisor ME organised its annual Enterprise Security 360 Summit in Dubai last month, rallying thought leaders from the industry to discuss some of the burning security issues today.

The event was kicked off by Ramy Ahmad, Senior Systems Engineering Consultant, LogRhythm, who spoke about the modern cyber threat pandemic. “The security industry is facing serious talent and technology shortages. Threats are evolving, and modern threats take their time and leverage the holistic attack surface. This calls for a new approach to cybersecurity.” He added that there is a need for end-to-end threat lifecycle management. “The ability to detect and respond to the threat early in the cyber-attack lifecycle is the key to protecting your company from large-scale impact because the earlier an attack is detected and mitigated, the less the ultimate cost to your business.” This was followed by a presentation by Mirza Asrar Baig, CEO of CTM 360, who spelled out the building blocks of a successful cyber resilience strategy for the audience. “We don’t need to do more but rather do things differently. We will have to redefine security management, adopt offensive defense and have a cyber asset register,” he said. The burning issue of security in a mobile-first, cloud-first world was addressed by Mina Nagy, Enterprise Mobility and Cybersecurity Business Lead from Microsoft. “Identity is the new control plane, and attacks happen fast and are hard to stop. In fact, the root cause of more than 75 percent of intrusions is compromised identities. Protect, detect and respond. That is how we look at security.” Nimesh Upadhaya, Senior Director of Regional Sales, CA Technologies, echoed a similar opinion in his presentation about enabling business growth with trusted digital relationships. “Identity is everything. You need to consolidate personas across systems into a single digital identity, build a comprehensive picture of the individual and make better decisions across legacy, cloud and services.” With the average time taken to detect breaches pegged at months, rather than days or weeks, real-time breach prevention is a hot topic in the industry, which was tackled by Rajesh Agnihotri, Solutions Architect with SonicWall. He shared key findings from the 2017 SonicWall annual threat report with the audience, and said 2016 was a year of advances for the cybersecurity industry. “We believe there are three critical components necessary for real time threat protection: high-speed inspection of SSL-encrypted traffic, multi-engine cloud sandboxing and the ability to block potential threats until a verdict is reached.” This was followed by a presentation from Niraj Mathur, security practice manager from GBM, who shed light on the latest trends in cybersecurity. “There are new challenges for security. Physical and cyber are blending, and data is aggregated and is available. Our annual survey found that 49 percent of Gulf executives do not believe their organisation can prevent cyberattacks.” Jude Pereira, MD of Nanjgel Solutions, made the case for security automation and explained its key attributes. “A security automation solution must be able to determine the status of a potential threat in seconds by comparing it with its own threat intelligence, in addition to the one supplied by the customer, and use its own codified logic to understand the behaviour of the entity along with what to do next.” The event concluded with a panel discussion on aligning business objectives with security objectives featuring Husni Hammoud, GM of Barracuda, Miguel Velasco, CEO of Aiuken Solutions and Yasser Zeineldi, CEO of eHosting DataSystems.

[Photos: Mirza Asrar Baig, CTM 360; Mina Nagy, Microsoft; Nimesh Upadhaya, CA Technologies]


EVENT

FIGHTING TALK On the sidelines of the Enterprise Security Summit 360, Security Advisor Middle East teamed up with SentinelOne and gathered a range of the region’s top CISOs to discuss, debate and evaluate how businesses can combat ransomware attacks in the current climate.

Roundtable participants pictured: Binoy Balakrishnan, Ahmad Al Emadi, V Suresh, Madhusuthan, Suresh Kumar


May 12th 2017 saw the world’s largest ever cyber-attack to date, serving as a surefire reminder to us all that ransomware is here to stay. In general, the current security conditions within enterprises as a whole tend to make ransomware the easiest and most viable source of money for any malicious hacker out there. With attacks such as WannaCry, everything happens in just a few seconds, leaving victims completely dumbstruck as they stare in total disbelief at the ransom note.

It’s becoming more and more obvious that it is impossible to make a completely secure software programme. Each and every programme has its weaknesses, and these can be exploited to deliver ransomware, as was the case with WannaCry. Even antivirus vendors are beginning to admit that businesses need a different approach to stop these unknown attacks, but trying to stay just a step ahead is not enough, and this is something that Tony Rowan, director, Solutions Architects, SentinelOne, can relate to. “We recognise that we will not be able to stop everything, and that is an uncomfortable message for everyone,” he said. “But the fact of the matter is that there is no such thing as being 100 percent secure.”

The main challenge that companies face in combating ransomware seemed to centre on email as the attack vector. “The problem is that these damaging emails tend to come through genuine email IDs without our knowledge, and once they have collected all of the data, only then do they start the attack,” said V Suresh, CIO, Jumbo Electronics. “By that time, it is too late and the damage has already happened.” Many of the CISOs in the room could relate to this situation. “Infected links that are sent via email can inject malware directly into the system’s memory,” added Suresh. “They may come in the form of an attached PDF of a fake delivery note on an email, suggesting it’s an internal and genuine request, which can have a similar effect.”

Binoy Balakrishnan, information security manager, AW Rostamani, believes that in these types of situations, user training is imperative. “At the end of the day, a big part of this is around user behaviour; you can’t build a physical firewall in front of them,” he said. “If the user wants to click a particular link, they will do so, which is why user training must be carried out to a very high level if they are to be made fully aware of these risks.” However, Rowan disagreed. “Hackers have become so sophisticated,” he said. “If they target someone that works in an accounts receivables department, who – say for example, receives 100 invoices a day – and one day receives an invoice that is infected but looks exactly the same as all of the others and comes from a genuine email address, then no amount of user training is going to help that person. Advanced, technical solutions are the only real way to combat those situations.”

Ahmad Al Emadi, CISO, Dubai Municipality, stated that effective awareness programmes and the implementation of strong controls, such as VDI (virtual desktop infrastructure), were primary factors in protecting an organisation against the latest threats. “VDI is a layered approach, as it abstracts operating systems, applications, profiles and user data,” he explained. “It will improve response time in terms of patch management, resilience (disaster recovery), backup and so forth. VDI would also allow businesses to streamline and standardise on operating systems, security patches and applications with deep contextual security controls, regardless of the device used by the end user.” He added that while this technology may involve a high price tag, it also requires cultural change across the organisation. “For us, this is a new approach for tackling threats and re-wiring the mentality around IT security.”

This concept of changing the attitudes of entire companies around enterprise security seemed to be a common issue among the attendees. Mohammad Shahzad, head of IT, Gulf Precast Concrete Company, and Madhusuthan, IT manager, Bahri and Mazoeui, both discussed the difficulty in approaching and convincing the C-level executives to make these changes. Madhusuthan also said that the user awareness factor needed to apply across the board, and particularly to those at the top level. “The top level often ask ‘what is ransomware?’ And without them having a good understanding around the topic, how can they be expected to be aware of potential threats?” he said. But where companies need to be particularly careful, according to Suresh Kumar, head of IT, Byrne, is when they do have people with the right skill and knowledge level at the operations level, but they leave the company on bad terms. “This can cause real problems as they could be ‘out to get them’, so to speak,” he said. “They will have access and privileges which will enable them with the ability to cause a lot of damage.”



FEATURE

THE RANSOMWARE EPIDEMIC
Are WannaCry attacks only the beginning?

Thousands of organisations from around the world were caught off guard by the WannaCry ransomware attack launched last month. As this rapidly spreading threat evolves, more cybercriminals are likely to attempt to profit from this and similar vulnerabilities. As a ransomware programme, WannaCry itself is not that special or sophisticated. In fact, an earlier version of the program was distributed in March and April and, judging by its implementation, its creators are not very skilled. The difference between the earlier WannaCry attacks and the latest one is a worm-like component that infects other computers by exploiting a critical remote code execution vulnerability in the Windows implementation of the Server Message Block 1.0 (SMBv1) protocol. Microsoft released a patch for this vulnerability in March and, on the heels of the attack on 12th May, even took the unusual step of releasing fixes for older versions of Windows that are no longer supported, such as Windows XP, Windows Server 2013, and Windows 8. The WannaCry attackers didn’t put in a lot of work to build the SMB-based infection component either, as they simply adapted an existing exploit leaked in April by a group called the Shadow Brokers. The exploit, codenamed EternalBlue, is alleged to have been part of the arsenal of the Equation, a cyberespionage group widely believed to be a team linked to the US National Security Agency.

The version of WannaCry that spread through EternalBlue had a quirk: it tried to contact an unregistered domain and halted its execution when it could reach it, stopping the infection. A researcher who uses the online alias MalwareTech quickly realised that this could be used as a kill switch and registered the domain himself to slow down the spread of the ransomware. Since then researchers have discovered a couple more versions: one that tries to contact a different domain name, which researchers have also managed to register, and one that has no apparent kill switch. However, the latter version is non-functional and seems to have been a test by someone who manually patched the binary to remove the kill switch, rather than recompiling it from its original source code. This led researchers to conclude that it’s likely not the work of the original authors.

Separately, experts from the computer support forum BleepingComputer.com have seen four imitations so far. These other programmes are in various stages of development and try to masquerade as WannaCry, even though some of them are not even capable of encrypting files at this point. This does indicate that attacks, both from the WannaCry authors and other cybercriminals, will likely continue and, despite patches being available, many systems will likely remain vulnerable for some time to come. After all, security vendors are still seeing successful exploitation attempts today for MS08-067, the Windows vulnerability that allowed the Conficker computer worm to spread nine years ago.

FROM THE EXPERTS

The rapid spread of “WannaCry” ransomware proved that the absence of basic security hygiene can cripple companies. Strengthening systems by installing patches on a timely basis, email filtering, and network segmentation, etc. are some of the minimum security measures any organisation should be putting in place to protect itself from both known and unknown attacks.
- Sagheer Mufti, COO, ADIB

One of the reasons WannaCry happened to spread so quickly was that it depended less on phishing techniques and more on the Server Message Block (SMB) protocol vulnerability. So essentially, the delivery method was more akin to a worm infection. While patient zero might have got the virus from a phishing mail, if (s)he was on a network with a widespread SMB vulnerability across systems, the worm took over the distribution of the ransomware. It was brilliant in its sophistication and integration of an exploit, a worm and finally the ransomware.
- Yasser Zeineldin, CEO, eHosting DataFort

Organisations should never conclude that the absence of a major cyber-attack means that they have effective cyber defences. WannaCry and Adylkuzz show how important security patches are in building and maintaining those effective defenses, and why regular patching plans to mitigate environment vulnerabilities need to become a higher priority.
- Steve Grobman, CTO, McAfee

Even though the UAE is extremely well-prepared and equipped to deal with large scale attacks, we constantly observe that users are inadequately trained in cybersecurity awareness, which is the only way to protect organisations against such cyber-attacks.
- Amir Kolahzadeh, CEO, ITSEC
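The feature above explains that WannaCry spread like a worm, with one infected host reaching out over SMB to many other machines. As an added example (not code from the article or from any vendor quoted in it), the following Python script flags hosts that contact an unusual number of distinct peers on TCP/445 within a short window, run over constructed firewall-style log lines; the log format, thresholds and every address are assumptions for this example.

```python
"""Added example (not from the article): detect worm-like SMB fan-out.
The log format, thresholds and all addresses below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)
FANOUT_THRESHOLD = 10   # distinct SMB destinations per WINDOW; tune per network


def parse_line(line):
    """Parse one constructed firewall-style record: 'ts src dst dport action'."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def smb_fanout(log_text, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {src: (window_start, distinct_dst_count)} for every source that
    contacted at least `threshold` distinct hosts on SMB_PORT within `window`.
    Denied connections count as well: a blocked sweep is still a sweep."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = parse_line(line)
        if dport == SMB_PORT:
            events[src].append((ts, dst))

    findings = {}
    for src, evs in events.items():
        evs.sort()                      # time order, then slide a window over it
        counts = defaultdict(int)       # distinct destinations inside the window
        left = 0
        best_start, best_count = None, 0
        for ts, dst in evs:
            counts[dst] += 1
            # Evict events that have fallen out of the window.
            while ts - evs[left][0] > window:
                old = evs[left][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            if len(counts) > best_count:
                best_start, best_count = evs[left][0], len(counts)
        if best_count >= threshold:
            findings[src] = (best_start, best_count)
    return findings


# Constructed sample log: a file server (10.0.1.5) talks SMB to a few clients,
# while workstation 10.0.1.20 sweeps the subnet on 445 the way a worm would.
SAMPLE_LOG = "\n".join(
    ["2017-05-12T10:00:%02d 10.0.1.5 10.0.1.%d 445 allow" % (i, 30 + i)
     for i in range(3)]
    + ["2017-05-12T10:00:%02d 10.0.1.20 10.0.1.%d 445 allow" % (10 + i, 40 + i)
       for i in range(12)]
    + ["2017-05-12T10:00:40 10.0.1.20 10.0.1.40 445 allow",   # repeat peer, counted once
       "2017-05-12T10:00:45 10.0.1.20 10.0.1.9 53 allow",     # not SMB, ignored
       "2017-05-12T10:00:50 10.0.1.20 10.0.1.60 445 deny"]    # blocked, still counts
)

if __name__ == "__main__":
    for src, (start, n) in smb_fanout(SAMPLE_LOG).items():
        print("%s contacted %d distinct SMB peers starting %s" % (src, n, start))
```

Fed real firewall or NetFlow records, the same sweep would surface a patient-zero host within seconds of it starting to scan, long before a signature for the payload exists.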



INTERVIEW

SECURITY IN SYNC Harish Chib, vice president, Sophos, Middle East and Africa, talks about the evolving threat landscape and explains the benefits of having a ‘synchronised security’ strategy.

How do you see the threat landscape evolving this year?

When we review today’s threat environment, we see four basic intents for cyber-attack: nation or state-sponsored disruption, industrial espionage, hacktivism and commercial gain. The first three usually target large organisations or high-profile individuals and get the most attention in the media, but the motivator for the majority of cybercrime is financial gain. The biggest threat today comes from groups of professional, highly organised commercial cybercriminals. Phishing is a key threat as cybercriminals see success in reaching users and coaxing them into running malware or sharing their personal details. Shock, awe, pretending to be law enforcement or leveraging the familiarity of trusted brands are common and effective tactics in getting users to click on malicious links. Ransomware also remains a key, evolving threat. As more users are able to recognise the risks of a ransomware attack via email, criminals are exploring other vectors such as deleting or corrupting file headers, and experimenting with malware that reinfects later, long after a ransom is paid. Research by SophosLabs has also indicated a growing trend among cybercriminals to target and even filter out specific countries when designing ransomware and other malicious cyberattacks, which means cyber threats contain vernacular languages, local brands, logos and payment methods, making ransomware highly believable and effective.

What kind of fundamental strategies would you recommend for CISOs to keep pace with rapidly evolving attacks?

The growth in complex and coordinated attacks is outpacing most organisations’ ability to protect themselves. Overstretched IT departments struggle to respond fast enough to threats entering their ever-expanding IT infrastructure. Continuing to manage disparate security products increases risk to businesses. Unless there is a distinct change in approach to IT security this will only get worse. Synchronised security provides a best-of-breed security system where integrated products dynamically share threat, health, and security information to deliver faster, better protection against advanced threats. It gives unparalleled protection and ease of use, making life easier for today’s IT security professionals.

Do you think cybersecurity is now a boardroom agenda for enterprises in the region?

Awareness has definitely increased and it is evident from the investment companies are making in security solutions. The Sophos-sponsored InfoBrief, Synchronised Security Market Analysis – Middle East and Africa, developed by IDC, revealed that MEA countries represented a total security solutions market potential of nearly $1.89 billion in 2015, which is expected to increase at a CAGR of 9.3 percent to a total of $2.94 billion in 2020, as per the IDC Worldwide Security Spending Guide, H1 2016. Close to 42 percent of organisations in the MEA felt ‘highly confident’ of their security posture. IT security is a top priority for companies in this region as it can impact uptime and overall service levels. In terms of plans to deploy, there is a major focus on end-to-end coverage with advanced security systems, making it apparent that respondents want to simplify and improve control over securing their organisation’s assets. This is followed by plans to deploy mobile device security and cloud-specific security solutions. MEA’s mobile device proliferation is among the highest in the world, making it important to secure devices and content on devices. Increased deployment of private and public cloud services makes it critical for organisations to integrate security as a part of their cloud strategy. With the increase in sophisticated attacks across the region, companies are now looking for smarter and simpler IT security solutions.


PRESENTS

ALIGNING INFORMATION SECURITY WITH BUSINESS Monday, 28th August 2017

Habtoor Grand, Dubai, UAE

REGISTER NOW www.tahawultech.com/cso-perspectives-conference/2017

WHY ATTEND:
• Get direct access to information security knowledge and expertise from some of the industry’s security practitioners and thought leaders.
• Gain new ideas, insights and actionable intelligence
• Meet select exhibitors under one roof
• Network with your peers and discuss the issues

WHO SHOULD ATTEND:
• C-level (CEO, CISO, CTO, CIO)
• Board and director level
• IT managers and GRC specialists


For sponsorship enquiries:
Natasha Pendleton, Publishing Director, natasha.pendleton@cpimediagroup.com, +971 4 440 9139 / +971 56 787 4778
Kausar Syed, Group Sales Director, kausar.syed@cpimediagroup.com, +971 4 440 9130 / +971 50 758 6672
Merle Carrasco, Sales Manager, merle.carrasco@cpimediagroup.com, +971 4 440 9147 / +971 55 118 1730

For agenda-related enquiries:
Jeevan Thankappan, Group Editor, jeevan.thankappan@cpimediagroup.com, +971 4 440 9129 / +971 56 415 6425
James Dartnell, Editor, james.dartnell@cpimediagroup.com, +971 4 440 9153 / +971 56 934 4776


Adelle Geronimo, Online Editor, adelle.geronimo@cpimediagroup.com, +971 4 440 9135 / +971 56 484 7564



INTERVIEW

SAFE HAVEN During the recently held GISEC 2017, Clifford Kelaita, partner, iStorage, sat down with Security Advisor ME to discuss the importance of using secured storage devices within the organisation and what the company can offer in this space.

Can you please give me a brief background of iStorage?

iStorage was established in 2009. We produce and develop PIN-authenticated, hardware-encrypted data storage devices including USB flash drives, hard disk drives, and solid state drive formats. Our flash drives range from 4GB to 64GB, while our hard drives are available from 500GB to 2TB. We also have a desktop version of our portable drives that has a capacity of up to 8TB. All our devices integrate easy to use PIN authentication technology with hardware data encryption to guarantee the highest level of protection available, giving users peace of mind against theft or loss of personal or corporate data. iStorage products do not require users to install software, making it easier and quicker for them to use the device. You can plug our drives into any device that has a USB port, whether it’s a computer, X-ray machine or police radar. Just drag and drop a file onto the iStorage device and it will be automatically encrypted. You can set up one admin and one user for a particular device, which means that if a user forgets the password he can notify the admin to issue him a new one and he can access the drive again. If a device is lost or stolen, after 10 failed attempts to access it the device will be restored and all files will be deleted.

Our customer base is primarily comprised of government and multinational corporations, but we cater to multiple industry verticals.

Users are often deemed the weakest links within an organisation. In that aspect, how important do you think using secured and encrypted storage devices is?

In Europe, 4GB devices are our bestsellers. Here in the Middle East, people always want the biggest storage capacity. But what they need to understand is that the more data you save on a device, the more data will be at risk of being lost or stolen, especially if they are using unencrypted devices. What we’re seeing today is that organisations are buying our devices for members of the top management and slowly bringing them to other employees as well. The employees may always be the weakest link, but introducing these kinds of products makes it easier for them to understand the importance of securing data.

In terms of user awareness, what programmes do you have in terms of helping customers understand how your devices are used?

First and foremost, our devices are very easy to use. It’s a simple ‘plug and play’ model. The process requires only a simple demo in terms of setting up the PIN and designating an admin. User awareness, I believe, is the pre-text of using this technology. Because as data increases, people within the organisation should realise how crucial it is to keep their information secured.

What can the region expect from iStorage in the coming months?

We have recently launched a new line of hard drives called diskAshur 2. We will be announcing more products in the coming months. So, going forward, we will constantly update our offerings to make them even more secure.



PRESENTS

29th August 2016

18:00 - 23:00

Habtoor Grand, Dubai, UAE

NOMINATE NOW www.securityadvisorme.com/awards/2017



CASE STUDY

HIGH GRADE PROTECTION Recognising the need to manage increasing critical security risks and monitor a growing number of devices in the organisation, the Swiss International Scientific School in Dubai opted to deploy network and endpoint security solutions to protect its students and employees from cyber threats.

Established in 2015, the Swiss International Scientific School in Dubai (SISD) is the only international school located in Dubai Healthcare City. As an IB (International Baccalaureate) school, SISD is committed to providing an inclusive and challenging learning environment that will enable learners to take advantage of future opportunities. Technology plays a key role in SISD’s curriculum; in fact, the school prides itself on having the latest tools and solutions that enable advanced learning and intelligent classrooms for students, a paperless school administration and seamless parent-teacher communication. Moreover, with over 700 students from Grades 1 to 12 and 180 staff members under its wing, SISD makes sure that it uses the best technologies to ensure that its students and employees are safe physically and digitally. “We have implemented the latest security technologies and facilities to ensure the safety of learners and staff members,” says Samir Alsulahat, head of ICT, Swiss International Scientific School in Dubai. “We use top security tools within our perimeters such as IP CCTVs and access control management devices.”

More than the physical security risks, the school was also concerned about different critical ICT security challenges. Being a technologically-enabled educational institution, the use of various computing and mobile devices within classrooms has become very common within the school. “Our students and teachers can utilise devices like laptops and tablets within the classroom,” says Alsulahat. “All classrooms are also WiFi enabled. We live in a fast-growing digital world and we want our students to have access to the resources and information needed whether it be for a school project, homework or their hobbies.”

With over 600 devices across classrooms and its management offices, and an open BYOD policy, the school was faced with ICT security concerns like unmanaged mobile devices, the threat of malware attacks, spam issues and students vulnerable to harmful online content. “The increasing number of devices coupled with continuous reliance on the Internet make us more vulnerable to cyber risks,” explains Alsulahat. “We thought that in order to keep our students, staff, and critical data assets safe from these risks, we have to make sure that the different clients are monitored and managed properly.”

SISD required a safer surfing experience, which would not hamper the school’s teaching process and would keep both students and staff productive. “While the Internet is a very instrumental educational tool, it does tend to expose students to a lot of malicious online content. That’s why we wanted to have the ability to have control over device users’ web access with user-based policy setting,” says Alsulahat. Alsulahat and his team also wanted to have an in-depth view of students’ online activities with comprehensive reporting, to be more informed about any potential malware threat activities and to find effective ways to combat them. To address this need, the IT team started looking for a solution that was easy to deploy and user-friendly. After a rigorous evaluation process, Alsulahat chose Sophos’ Central Endpoint Protection Advanced. “We considered other vendors as well, however, we found that the Sophos solution meets all our requirements, plus it is very user-friendly,” he says. “They also give good SLAs, customer support and have a good reputation in the market. Moreover, I believe that Sophos excels in providing security solutions for the education sector.” This security solution pre-filters all HTTP traffic and tracks suspicious traffic as well as the file path of the process sending malicious traffic.

According to Alsulahat, the Central Endpoint Protection Advanced solution also makes policy setting a breeze and allows his team to enforce the school’s web, application, device and data policies easily, as a result of integrating seamlessly within the endpoint agents and management console. Alsulahat, having decided to opt for the Sophos solution in July 2015, says the whole implementation process took less than a month. “It was a very straightforward process,” he says. “We had to customise the solution to be able to integrate it with varying devices such as our servers, and different client and mobile devices. But that had been a very seamless process because we had good support from the Sophos team.” He adds that the solution enables them to perform category-based web filtering, category/name-based application blocking, stricter management of removable media and mobile devices, and DLP using prebuilt or custom rules, ensuring safe online searches for students. In addition to Sophos Endpoint Protection Advanced, SISD also implemented the Sophos Mobile Device Management (MDM) solution. “This allows us to manage and control both BYOD and school-owned mobile devices,” he explains. “At the same time, if we lose any device we’ll be able to locate it through the MDM solution.”

Today, Alsulahat says that the school is realising the benefits of having a stronger IT infrastructure. “The Sophos solutions have enabled us to implement more stringent surfing and usage restrictions and enhanced students’ safety on the web.” “It has also given us better visibility on how students and staff members are using their mobile devices,” he adds.

Finally, Alsulahat believes that security solutions are just one side of the coin when it comes to ensuring that their students’ and employees’ devices and data are protected. He explains that user awareness is a very important aspect of it and that is why they make sure that the students, staff and even parents have a good understanding of security. “We want to ensure that our students and staff are educated about the necessary device security measures,” he explains. “So, we teach them how and when to change their passwords. We also teach students about the concept of confidentiality; we want them to be aware of the risks of sharing their personal information online. We have also organised several cybersecurity workshops for both parents and students.”



INTERVIEW

SECURITY ON-DEMAND Sumedh Thakar, Chief Product Officer, Qualys, discusses how cloud technologies can help organisations transform their security strategies.

How has cloud adoption evolved over the last couple of years?

Digital transformation has pushed organisations and IT leaders to focus more on cloud. They are increasingly seeing its numerous advantages in helping them innovate faster. Players like AWS and Microsoft Azure have also made cloud solutions easy to access and deploy. In addition, they have simplified solutions, making them easier to maintain and manage. Regulations like the EU General Data Protection Regulation (GDPR) are making it more expensive for organisations to retrofit their existing IT infrastructure. Due to this, they find that it will be better to invest their budgets in building a new cloud infrastructure that’s on par with industry standards.

Organisations are also realising the security benefits of cloud. It helps businesses simplify IT security operations and lower the cost of compliance by delivering critical security intelligence on demand and automating an array of security applications. There are still a few organisations who are not comfortable with their data being out of their control. However, in that aspect, we can see that the idea of private cloud is increasingly becoming popular.

When it comes to the maturity of cloud adoption, where does the Middle East region stand?

We see that US companies are more adoptive of cloud solutions than those in Europe and this region. I believe that’s because of the stricter regulations that are in place in that part of the world. Organisations in this region tend to be hesitant when it comes to their data being outside their perimeter and potentially being out of their control.

Do you see that changing anytime soon?

Yes, we are increasingly seeing some changes. Most of our customers in this region, over the last year, have become more open to the idea of cloud. They have discussed that even the board have now mandated that they set up a cloud strategy. At the same time, they look at tools and solutions that will keep their data secure on the cloud.

How do you think cloud technologies have transformed the security space?

Cloud technologies have changed the way IT is consumed. It has also changed the way the infrastructure is built. In the past, if somebody needed a new technology to be integrated into their applications they had to hire another person to build a product. For example, if you need to build an Elasticsearch cluster you have to hire somebody who can physically build the VMs, configure it and keep on updating it as new patches come out. With cloud, you can now just make API requests, in say Amazon, and have everything you need, like an Elasticsearch cluster, caching and storage. So, the traditional role of IT, where IT teams have to keep on updating patches, is slowly transforming and becoming more automated. The old way of doing security, where people need to install big security products and hire multiple agents, is no longer relevant. Furthermore, IT professionals are increasingly leveraging DevOps technologies, things that are built into the infrastructure and things that they can just consume on-demand. And these are things that cloud providers can bring them.

Is there currently a skills gap in the market for cloud security? What kind of initiatives does Qualys have in addressing this issue?

There is certainly a strong demand for cloud professionals. The initial move to the cloud was just about customers taking their applications to VMs, but that’s not necessarily what applications need. They must be built in a way where the apps are cloud-aware. So, there is a growing demand for cloud architects who can build cloud-aware solutions that will enable organisations to harness the benefits of this technology. What Qualys does is make the security aspect of cloud easier for organisations. One good example is our partnership with Microsoft Azure Security Centre, where customers logging into Azure do not need to be experts in deploying a Qualys solution. If they don’t have any vulnerability solution in place, they simply need to enable it with a click of a button, and Azure, in the background with the Qualys integration, can directly deploy that solution in their systems. By doing so, we have reduced the need for new talent for deploying cloud security solutions and made the security process simple.

What can the industry expect from Qualys over the next couple of years?

Our vision has always been focused on simplifying security for cloud. We’ll keep on working on ways to consolidate the multiple security and compliance solutions that organisations today need. We want those applications that businesses are deploying individually, including vulnerability assessment, configuration assessment, malware detection, SSL auditing and more, to be merged into a single solution, making it easier for them to purchase and deploy. We aim to help organisations streamline their security and compliance implementations.



INSIGHT

WHERE IS MY DATA? David Zimmerman, CEO and founder, LC Technology, shares insights into how employees and IT are causing companies to lose data, and some best practices for preventing a crippling data loss.



According to a 2016 study from IBM regarding the costs of data breaches and loss, the average consolidated cost moved from $3.8 million to $4 million. On a granular level, the study also found that the cost for each lost or stolen record containing sensitive and confidential information increased from $154 to $158. The stakes are high for companies to properly manage their data, as loss and data exposure can ruin a firm’s reputation with customers and partners. Here are some top tips to minimise data loss within your organisation:

Changing advanced settings
The ‘advanced settings’ feature on computers is not there just for show. It’s a serious warning to the user that they had better know what they are doing before they start making system changes. A frequent example of such a setting involves the BIOS (Basic Input Output System), the chip that instructs the computer on the next steps to take after power-on. Changes to this setting can be made with the best intentions, but they might expose the machine to data loss or theft. Advanced settings adjustments are best handled by IT in controlled environments in order to greatly reduce the chances of local data loss.

Exposing the company to ransomware
Ransomware is a hacking scheme that involves taking over a person’s computer files, encrypting them so they appear as garbled text/images and then asking for a ransom to pay for the encryption key. Hackers typically gain access through email attachments or by guessing passwords, which further reinforces the need for complex passwords. Data loss comes when the hackers steal valuable information during the ransom period, or, if the ransom isn’t paid, the hackers will typically leave the data encrypted or destroy it beyond repair.

Ignoring hardware failures
With the cloud offering affordable and secure storage, it’s puzzling that many firms still keep their information only on local machines. Computers and servers can fail, which immediately exposes the company to data loss. Hard drives and SSDs can become corrupted, and they often fail when exposed to a fall or even to changes in temperature or humidity. Power supplies within these devices are a common problem, as the device then can’t draw power and will not be able to boot. Some of these devices can be fixed, but the modern business can’t be put on hold while a laptop or server is sent in for repairs. Company managers should discuss best practices with employees about securing portable devices and relying on the cloud for data storage.

Not following security protocols
Many of the hacking incidents we see on the news are caused by simple errors by staff members. Someone in IT might have an admin password of “12345” or an employee might open attachments from unknown senders. Another conduit for hackers is banner ads from disreputable sites. Companies must put in place strict policies on password management and utilising the Internet in order to protect the network. Better procedures make the company a less desirable target for hackers. While a devoted team of cybercriminals can hack the most complex passwords, they make money by efficiently targeting easy marks, so they’ll move on when confronted with a challenge. Make hacking difficult by instituting passwords with upper and lower case letters and characters that do not include any actual words.

Using improper backup procedures
A very common reason for data loss (especially among smaller companies) is to store data locally, experience a failure event, and not have a backup. It’s 2017, and data storage is very inexpensive, both for physical drives and cloud storage, especially when a risk/reward analysis compares the downside of losing data with the cost of storage. Businesses should instil strict backup procedures for their corporate data, including processes for individual employees and departments. Moving data to the cloud is an ideal choice, as it removes content and potentially confidential files from laptops, thumb drives, or other more exposed storage methods. Because storage is cheap, companies should also make ‘backups of the backups’. Smaller firms can move data to the cloud and also back up to external hard drives and store them at a different secure location.
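A backup that has never been verified is only a hope. As an added example, not part of Zimmerman’s article or any LC Technology product, the following Python script shows how the ‘backups of the backups’ advice can be checked in practice: it builds a SHA-256 manifest of the primary backup set and compares a secondary copy (an external drive or cloud sync target) against it, reporting files that are missing from the copy and files whose contents differ. The directory layout, file names and contents in the demo are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup files never need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (as a relative POSIX path) to its SHA-256 digest."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = sha256_of_file(path)
    return manifest


def verify_copy(manifest: Dict[str, str], copy_root: Path) -> Dict[str, List[str]]:
    """Compare a secondary copy against the manifest of the primary backup.

    'missing' files were never copied, 'corrupt' files exist but their contents
    differ (truncated or damaged copy), 'extra' files exist only in the copy.
    """
    copy_manifest = build_manifest(copy_root)
    missing = sorted(p for p in manifest if p not in copy_manifest)
    corrupt = sorted(p for p in manifest if p in copy_manifest and copy_manifest[p] != manifest[p])
    extra = sorted(p for p in copy_manifest if p not in manifest)
    return {"missing": missing, "corrupt": corrupt, "extra": extra}


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a primary backup and a secondary copy with two defects."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "primary"
        secondary = Path(tmp) / "secondary"
        for root in (primary, secondary):
            (root / "finance").mkdir(parents=True)
            (root / "finance" / "ledger.csv").write_bytes(b"2017-06,payroll,42000\n")
            (root / "readme.txt").write_bytes(b"quarterly backup set\n")
        # Defect 1: the secondary copy of one file was truncated (simulated corruption).
        (secondary / "finance" / "ledger.csv").write_bytes(b"2017-06,payroll")
        # Defect 2: a directory exists only on the primary (the copy job never finished).
        (primary / "hr").mkdir()
        (primary / "hr" / "contracts.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
        manifest = build_manifest(primary)
        return verify_copy(manifest, secondary)


if __name__ == "__main__":
    print(demo())
```

Run the manifest step against the primary set after each backup job and keep the manifest with the off-site copy; a non-empty ‘missing’ or ‘corrupt’ list is the signal to re-copy before the primary is lost, not after.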



INSIGHT

KEEP IT RUNNING Gary Duan, CTO, NeuVector, shares 12 ways organisations can improve run-time container security.

There still really aren’t many enterprise run-time security tools for containers available, which has skewed the conversation toward establishing defensive barriers prior to run-time, during the build, integration and deployment stages. Of course, with rapidly evolving technology like containers, it can be all too easy to overlook the most basic security concerns, so, really, any focus at all is welcome. Efforts pointing out the security advantages of digitally signing container images at build time, and scanning them before they are pushed to the registry, should indeed be heard. The OS should be hardened and attack surfaces should be trimmed where possible. However, the idea of thwarting all hacking attempts by simply putting in place preventive measures prior to deployment is unrealistic. Truly guarding against all such intrusions requires security with the ability to detect threats and violations at run-time. Considering the number of threats occurring in real-time against working applications, run-time security is arguably the more crucial component of an overall container security strategy.

Container deployments can suffer from most of the same threats common to virtualised or single-OS server environments, in addition to a few new ones. General threats to container security include:

• Application-level DDoS and cross-site scripting attacks on public-facing containers
• Compromised containers attempting to download additional malware, or scan internal systems for weaknesses or sensitive data
• Container breakout, allowing unauthorised access across containers, hosts or data centres
• A container being forced to use up system resources in an attempt to slow or crash other containers
• Live patching of applications to introduce malicious processes
• Use of unsecure applications to flood the network and affect other containers

Here are some examples of prominent container attacks to prepare for:

• The Dirty Cow exploit on the Linux kernel, allowing root privilege escalation on a host or container
• MongoDB and ElasticSearch ransomware attacks against vulnerable application containers
• OpenSSL heap corruption caused by a malformed key header, and a crash caused by the presence of a specific extension
• Heap corruption and buffer overflows in Ruby and Python libraries, allowing execution of malicious code
• SQL injection attacks that put hackers in control of a database container in order to steal data
• Vulnerabilities like the glibc stack-based buffer overflow, giving hackers control through the use of man-in-the-middle attacks
• Any new zero-day attack on a container that represents an on-going threat

To understand why run-time security is so critical, consider the application lifecycle. What’s developed, tested, packaged and deployed in just months will often run for years, and may be shared across millions of instances worldwide. This makes run-time by far the greater window of attack. We know from threats such as SSL Heartbleed just how persistent a run-time security vulnerability arising from a small bug in the code can be. From the point of putting applications into production, enterprises need to be thinking about run-time security.

So, what should an effective strategy for run-time container security include? Here are 12 checkpoints, spanning from simple preparations to more advanced run-time security controls.

First, to prepare for production by securing the host environment:

1. Secure the OS and reduce attack surfaces by removing all unneeded modules and files. Be diligent in updating to the latest security patches. Or use a system based on the recently announced LinuxKit.
2. Ensure the container platform is secured. If using Docker, follow the advice in Docker’s best practices guide.
3. Use solutions like SELinux or AppArmor to customise specific security profiles and guard against unauthorised access.
4. Scan containers for vulnerabilities in all registries.
5. Run integrity checks on container images and digitally sign them at build time.
6. Protect secrets such as passwords and API keys required for run-time container access by using third-party tools or key management services.
7. Reduce your risk by running application containers in read-only/non-persistent mode.

Then, constantly monitor and protect the run-time environment:

8. Understand normal application network behaviour, and enact a security policy to enforce authorised connections. Monitor every container for abnormal behaviour or policy violations.
9. Perform live scans of all running containers and hosts, recognising vulnerabilities and securing the image in use – even as new containers are created.
10. Use session-level or network encryption where needed. Carefully weigh the trade-offs between performance/manageability and security for each application to determine whether host-to-host or container-to-container level encryption is warranted.
11. Implement container threat detection to recognise real-time attacks, including threats at the application layer (DDoS, XSS, Slowloris, etc.).
12. Store forensic data on all container security events and perform offline analysis to understand the nature of these events. Capture network data if needed to help forensic analysis of attacks.

Because containers deliver rapid virtualisation for applications, run-time security solutions need deep application awareness to keep up the pace and actually have an impact. Look to implement run-time security monitoring that can effectively recognise threats and catch them early on, while also allowing the benefits of containers to proceed unimpeded.
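Checkpoint 8 (learn normal network behaviour, then enforce it) is the one most readers will want to see mechanised. The Python below is an added example written for this page; it is not NeuVector code and does not depend on any container platform. It assumes a sensor that records each container-to-container or outbound connection as one line of the constructed form `timestamp src=<label> dst=<label|ip> dport=<port> proto=<tcp|udp>`, learns an allow-list of edges from a known-good baseline window, and then tags every runtime connection that falls outside it with a reason a responder can act on (an unknown destination, a known pair talking on a new port, or a pair of services that never talked before). The service labels, addresses and log lines are all constructed sample data.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed record format; a real sensor's format would be substituted here.
LOG_LINE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\w-]+) dst=(?P<dst>[\w.-]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

# Known-good period used to learn the baseline (constructed sample data).
BASELINE_LOG = """\
2017-06-01T10:00:01Z src=web dst=api dport=8080 proto=tcp
2017-06-01T10:00:02Z src=api dst=db dport=5432 proto=tcp
2017-06-01T10:00:03Z src=web dst=api dport=8080 proto=tcp
2017-06-01T10:00:04Z src=api dst=cache dport=6379 proto=tcp
2017-06-01T10:00:05Z src=api dst=db dport=5432 proto=tcp
"""

# Later runtime traffic to be checked against the baseline (constructed sample data).
RUNTIME_LOG = """\
2017-06-02T03:12:01Z src=web dst=api dport=8080 proto=tcp
2017-06-02T03:12:02Z src=web dst=203.0.113.9 dport=4444 proto=tcp
2017-06-02T03:12:03Z src=api dst=db dport=5432 proto=tcp
2017-06-02T03:12:04Z src=api dst=db dport=22 proto=tcp
2017-06-02T03:12:05Z src=db dst=cache dport=6379 proto=tcp
"""

Edge = Tuple[str, str, int, str]  # (src, dst, dport, proto)


def parse(log: str) -> List[Dict[str, str]]:
    """Parse well-formed lines; malformed lines are skipped rather than trusted."""
    records = []
    for line in log.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def learn_baseline(log: str) -> Set[Edge]:
    """Allow-list of edges observed during the known-good period."""
    return {(r["src"], r["dst"], int(r["dport"]), r["proto"]) for r in parse(log)}


def enforce(baseline: Set[Edge], log: str) -> List[Dict[str, str]]:
    """Return runtime connections not covered by the baseline, each tagged with a reason."""
    known_dsts = {dst for _, dst, _, _ in baseline}
    known_pairs = {(src, dst) for src, dst, _, _ in baseline}
    violations = []
    for r in parse(log):
        edge = (r["src"], r["dst"], int(r["dport"]), r["proto"])
        if edge in baseline:
            continue
        if r["dst"] not in known_dsts:
            reason = "unknown destination"  # e.g. outbound to a host nothing talks to normally
        elif (r["src"], r["dst"]) in known_pairs:
            reason = "unexpected port"      # a known pair using a service it never used
        else:
            reason = "unexpected peer"      # two services that never talked before
        violations.append({"ts": r["ts"], "src": r["src"], "dst": r["dst"],
                           "dport": r["dport"], "reason": reason})
    return violations


def demo() -> List[Dict[str, str]]:
    return enforce(learn_baseline(BASELINE_LOG), RUNTIME_LOG)


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The allow-list is deliberately keyed on service labels rather than container IP addresses, because container addresses change on every restart while the relationships between services do not; the same design choice is what lets the policy survive scaling and redeployment. The three reasons map directly to the article’s threat list: an unknown destination is the profile of a compromised container downloading more malware, while an unexpected peer or port is the profile of internal scanning or a breakout attempt.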



OPINION

DID CLOUD KILL BACKUP? Tarun Thakur, co-founder and CEO, Datos IO, discusses why a cloud-first strategy is crucial as organisations undergo digital transformation.

With enterprises rapidly adopting hybrid and multi-cloud infrastructure and migrating traditional workloads to the cloud, distributed architectures have become the de-facto standard, but traditional backup and recovery strategies have not kept pace. A new cloud-first approach to data protection is required. According to IDC, 70 percent of CIOs have a cloud-first strategy, and it is safe to assume most enterprises have a multi-cloud infrastructure, deploying applications on the best-suited cloud, whether private, public or managed.

This evolution to multi-cloud has created two transformative shifts that are disrupting the application tier of the infrastructure world. First, next-generation applications born in the cloud are being deployed on next-generation distributed, non-relational databases such as Apache Cassandra, MongoDB, Apache HBase, and many others. As non-relational databases, they offer high availability but compromise on consistency. For analytics applications, businesses are now rapidly deploying either on-premises analytical data stores such as Apache HDFS / Hadoop or cloud-native databases such as Amazon Redshift and Google BigQuery. To further complicate matters, these next-generation applications are deployed both on public cloud infrastructure and on on-premises private clouds.

Secondly, traditional data centre applications are migrating to the cloud. While these applications are still predominantly deployed on relational databases such as Oracle and Microsoft SQL Server, the balance is shifting towards deployment on next-generation cloud-native databases such as Amazon DynamoDB. The explosive growth of the Amazon Web Services database business, growing to more than $2 billion in just three years, is but one example of this shift.

DATA PROTECTION THAT KEEPS PACE WITH YOUR CLOUD MIGRATION
Any enterprise that has a multitude of applications and databases is living in a multi-cloud world, and the implications are profound. From a CIO’s perspective, there are several strategic takeaways. First, applications dictate the choice of cloud. For example, if you have applications that leverage Oracle’s Exadata platform, you are not going to move the Oracle Exadata platform to AWS, but rather to Oracle Cloud. Similarly, for Microsoft SQL Server-specific applications, you will likely move these applications either to the Microsoft Azure public cloud or to Amazon AWS. Not surprisingly, new and modern applications that are deployed on non-relational and modern databases will be deployed from the get-go on cloud-first infrastructure. Second, use-cases cross cloud boundaries. In addition to protecting entire applications that have migrated to the cloud, organisations need to move data sets to the cloud for testing, development or analytics, migrate inactive data to the cloud for cost efficiency, and bring data back on-premises for compliance and governance.

The bottom line is that CIOs need a new backup and recovery strategy, as part of an overall data management strategy, to thrive in the multi-cloud world. CIOs need to proactively plan and execute a data protection strategy that not only provides data protection for hyper-scale, distributed applications born in the cloud, but also provides the freedom to best leverage all their cloud resources as dictated by application requirements. Data protection in a multi-cloud world requires a fundamentally different approach than traditional data protection. There are a number of key capabilities to look for when opting for a backup and recovery strategy that can keep pace with your overall cloud migration:

• Cloud-first elastic – To fully harness the power of the cloud, data protection needs to be elastic and compute-based, providing completely seamless scalability.
• Hyper-scale and distributed – The common theme of the multi-cloud world, of next-generation applications born in the cloud, and of traditional applications migrating to the cloud, is that of hyper-scale. Multi-cloud applications are, by definition, hyper-scale and distributed, therefore any data protection strategy must be grounded in addressing protection at hyper-scale.
• Application-centric – There is no concept of a LUN or an ESX VM in the cloud. All the underlying infrastructure is exposed as cloud-native services such as elastic block storage (EBS) or elastic compute cloud (EC2). In the cloud, the value is moving up the stack towards applications. Therefore, any data protection strategy should be application-centric instead of infrastructure (e.g. LUN, VM) centric, eliminating any dependencies on underlying infrastructure.
• Performance at scale – Multi-cloud data protection must eliminate the inherent shortcomings of legacy media-server based architectures. Instead, data must move directly and in parallel from the source to the destination.
• Efficiency at scale – Deduplication technologies found in traditional data protection solutions don’t work in a multi-cloud environment. Instead, look for next-generation deduplication that is application-centric and can provide the highest order of backup storage efficiency in the cloud.
• Global data visibility – Due to the distributed nature of multi-cloud, data protection needs to provide global data visibility, enabling backup-anywhere, recover-anywhere and migrate-anywhere capabilities.
• Universal data portability – To maintain complete independence from the underlying multi-cloud infrastructure, data protection should provide native-format, always-consistent data versioning, enabling complete data recoverability, portability and mobility.

When done right, adopting a cloud-first data protection strategy in a multi-cloud environment can unlock benefits previously unattainable within traditional boundaries. So, did cloud kill backup? Most certainly not! But it does necessitate a reinvention of data protection for the new normal of the multi-cloud world. To keep pace with digital transformation, CIOs need to ensure their data is always available, and this means they should take a fresh look at their requirements and the technologies they use to address these challenges.



OPINION

HAPPY HUNTING Tim Bandos, director of cybersecurity, Digital Guardian, shares common indicators that say a threat is underway.

Threat actors do everything in their power to blend in and attempt to become a ghost in your network, so it is the job of the security professional to be the ‘ghostbuster.’ Here are 10 things threat hunters watch for:

Low and slow connections
Proxy logs are a great place to start the hunt, and there are a number of telltale signs to look out for that can clue you in that something is amiss. It’s good practice to source-restrict this clear-text protocol, but if it’s not locked down, look for any exfiltration patterns in the data.

Same number of bytes in and out
Do any network connections exhibit the same pattern of bytes in and bytes out each day? Monitor for the same amount of bytes up and bytes down on a frequent basis, as this could be a sign of suspicious activity.

Suspicious sites
Identify a listing of all dynamic DNS sites that are visited by endpoints and look specifically at the outliers across your organisation. If only three machines out of 20,000 visit one specific site, command and control infrastructure may be at fault.

Failed logon attempts
It might sound obvious, but looking for successive failed access attempts using multiple accounts could indicate a brute force. Focusing on one failed attempt per account may signify a threat actor trying to log in with passwords they’ve previously dumped from the environment in the hope that one may still work.

Explicit credentials
Profile your “A logon was attempted using explicit credentials” event logs and whitelist out normal activity. This log is generated when a user connects to a system or runs a program locally using alternate credentials.

Privilege changes
Escalation of privileges will often occur once a foothold has been achieved within an environment. It’s good to profile your IT administrators’ legitimate activities as well, since they’ll more often than not cause a bit of noise themselves.

Signs of password dumping programmes
Research what your antivirus provider flags as a password dumping program and go searching. For example, one of McAfee’s password-dumping detections is called HTool-GSECDump.

Common backdoors
Know your adversary so that you can begin to profile their tactics, techniques, and procedures. Some common advanced threat backdoors include PlugX, 9002 RAT, Nettraveler, Derusbi, Winnti and Pirpi. If you come across names like these within your antivirus logs, you’ll know something untoward is taking place.

Dropper programmes
Identify any detections with the name ‘dropper’ in them. A dropper programme is intended to download/install a backdoor or virus, only initiating the download when the ‘coast is clear’. If a dropper has been detected, it’s possible there is still something lurking in the depths of the OS it was detected on.

Custom detections
Some anti-virus solutions have the ability to create custom detections for ultra-effective threat hunting. Creating an alert to log executions of binaries from a user’s APPDATA directory, for example, will generate a log and send it to your console any time a program launches from that directory.
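Three of Bandos’ indicators (same bytes in and out day after day, dynamic DNS sites visited by only a handful of endpoints, and one failed logon per account across many accounts) are simple enough to turn into hunting queries. The Python below is an added example written for this page, not Digital Guardian code; it runs the three hunts over constructed proxy-log and failed-logon records in a simplified space-separated format that stands in for whatever the real proxy and domain controller emit. The dynamic-DNS suffix list, host names and domains (all under the reserved `.test` TLD) are assumptions made for the example, and the thresholds are parameters the reader would tune to their own environment.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

# Constructed proxy log: date endpoint destination bytes_out bytes_in
PROXY_LOG = """\
2017-06-01 ws-001 updates.example-vendor.test 512 20480
2017-06-01 ws-002 updates.example-vendor.test 530 19876
2017-06-01 ws-017 beacon.dyn-example.test 1024 1024
2017-06-02 ws-017 beacon.dyn-example.test 1024 1024
2017-06-02 ws-001 updates.example-vendor.test 498 21001
2017-06-03 ws-017 beacon.dyn-example.test 1024 1024
2017-06-03 ws-003 updates.example-vendor.test 501 20111
"""

# Constructed failed-logon records: source endpoint and the account that failed
FAILED_LOGONS = """\
ws-044 alice
ws-044 bob
ws-044 carol
ws-044 dave
ws-044 erin
ws-009 frank
ws-009 frank
ws-009 frank
"""

# Assumed dynamic-DNS suffixes; a real hunt would load a maintained provider list.
DYNAMIC_DNS_SUFFIXES = (".dyn-example.test",)


def parse_proxy(log: str) -> List[Tuple[str, str, str, int, int]]:
    rows = []
    for line in log.splitlines():
        day, host, dst, out_b, in_b = line.split()
        rows.append((day, host, dst, int(out_b), int(in_b)))
    return rows


def repeated_byte_patterns(log: str, min_days: int = 3) -> List[Tuple[str, str, int, int]]:
    """Endpoint/destination pairs transferring exactly the same bytes out and in on
    min_days or more distinct days: the fixed-size check-in of a beacon, not browsing."""
    days: Dict[Tuple[str, str, int, int], Set[str]] = defaultdict(set)
    for day, host, dst, out_b, in_b in parse_proxy(log):
        days[(host, dst, out_b, in_b)].add(day)
    return sorted(key for key, seen in days.items() if len(seen) >= min_days)


def rare_dynamic_dns(log: str, max_hosts: int = 1) -> List[Tuple[str, int]]:
    """Dynamic-DNS destinations visited by max_hosts or fewer distinct endpoints
    (the organisation-wide outliers the article tells you to look at first)."""
    hosts_per_dst: Dict[str, Set[str]] = defaultdict(set)
    for _, host, dst, _, _ in parse_proxy(log):
        if dst.endswith(DYNAMIC_DNS_SUFFIXES):
            hosts_per_dst[dst].add(host)
    return sorted((dst, len(h)) for dst, h in hosts_per_dst.items() if len(h) <= max_hosts)


def one_failure_per_account(records: str, min_accounts: int = 5) -> List[Tuple[str, int]]:
    """Sources with exactly one failed logon against each of many different accounts:
    the profile of replaying previously dumped passwords, not a user mistyping one."""
    failures: Dict[str, Counter] = defaultdict(Counter)
    for line in records.splitlines():
        source, account = line.split()
        failures[source][account] += 1
    hits = []
    for source, per_account in failures.items():
        single = [a for a, n in per_account.items() if n == 1]
        if len(single) >= min_accounts:
            hits.append((source, len(single)))
    return sorted(hits)


def hunt() -> Dict[str, list]:
    return {
        "repeated_byte_patterns": repeated_byte_patterns(PROXY_LOG),
        "rare_dynamic_dns": rare_dynamic_dns(PROXY_LOG),
        "one_failure_per_account": one_failure_per_account(FAILED_LOGONS),
    }


if __name__ == "__main__":
    for name, hits in hunt().items():
        print(name, hits)
```

In the sample data the three hunts converge on two leads: ws-017 checking in to a dynamic-DNS host that no other endpoint visits, with identical byte counts on three consecutive days, and ws-044 failing once against five different accounts while ws-009 (three failures, one account) is left alone as ordinary user error. That convergence is the point of running several weak indicators together rather than alerting on any one of them.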




PRODUCTS

Brand: Axis Product: Q8741-E
Axis has launched a new generation of positioning cameras, giving operators faster and more accurate pan and tilt capabilities to monitor large-scale sites, perimeters and borders in real-time, so that they are able to respond instantly to security alerts and incidents. The new range of positioning cameras enables surveillance across vast sites with fewer cameras, with the potential for a 360-degree unobstructed field of view at all times, and a 135-degree field of view from ground to sky. The features in the new positioning cameras include high-speed and jerk-free PTZ movements with continuous pan; built-in electronic image stabilisation (EIS), helping against vibration caused by an unstable mounting surface or a wind-sensitive mast; an SFP slot for easy cable management, and quick and effective installation for fibre-optic connection over long distances; and powerful positioning capabilities even in high wind and across a wide temperature range.
What you should know: The Q8741-E is a bispectral PTZ positioning camera that offers a combination of two live video streams, one from a thermal sensor – used for detection and verification – and one from a high-definition visual sensor – for identification of colours and details. The camera also features 30x zoom, Forensic WDR as well as low-light sensitivity.

Brand: Dell EMC Product: IDPA portfolio
Dell EMC has announced new data protection and backup solutions that enable customers to ensure data is secure, backed up and protected against disasters and outages. The new Dell EMC Integrated Data Protection Appliance (IDPA) is a purpose-built, pre-integrated and turnkey appliance that converges protection storage, software, search and analytics in a single device. IDPA will be available in four different models (DP5300, DP5800, DP8300, and DP8800) to fit the needs of midsize and enterprise customers, starting at 34 terabytes usable capacity at entry level and scaling up to 1 petabyte usable capacity at the high end.
What you should know: According to Dell EMC, it also accelerates time to value and delivers high performance – up to 10x faster time to protect than traditional build-your-own data protection deployment alternatives. It has expansive coverage for physical and virtual workloads, including support for a wide application ecosystem and multiple hypervisors. It is equipped with encryption, fault detection and healing features, and brings together an average 55:1 deduplication rate for data residing both on-premises and in the cloud.

Brand: BlackBerry Product: KEYone
TCL Communication, a global smartphone manufacturer, has launched the new BlackBerry KEYone in the UAE. BlackBerry KEYone pairs BlackBerry’s software and security with TCL Communication’s commitment to delivering high-quality, reliable smartphones to customers around the world. According to the company, the BlackBerry KEYone is designed to offer the most secure Android smartphone experience possible. Featuring the largest battery ever found in a BlackBerry smartphone, the BlackBerry KEYone offers roughly 26 hours of mixed use with its 3505mAh battery. The smartphone includes a 12MP rear camera with a camera sensor that captures sharp, crisp photos in any light. It also includes an 8MP front camera with fixed focus and an 84-degree wide-angle lens for video conferencing on the go. The new smartphone is made reliable for the demanding user and combines a sleek aluminium frame and a soft-grip textured back built to offer the best in durability.
What you should know: Running on Android 7.1 Nougat, it gives users access to the entire Google Play store and will also receive Google security patch updates. The BlackBerry KEYone is available exclusively at the BlackBerry store in Dubai Mall at the price of AED 1,999.




BLOG

PREPARE FOR THE INEVITABLE A serious security incident is a question of “when,” not “if”, says Rob McMillan, research director, Gartner.

The 2014 cyber-attack on Sony Pictures Entertainment was a game changer. It was a very public example of an aggressive business disruption attack, which caused Sony to experience significant system disruption. Such an outcome could have happened to many digital businesses and was a wake-up call for this type of attack. Although the frequency of attacks on this scale is low, it showed how an aggressive cybersecurity attack can seriously impact business operations. Targeted attacks like this reach deeply into internal digital business operations, with the express purpose of causing widespread damage. Servers may be taken down completely, data may be wiped and digital intellectual property may be released on the Internet by attackers.

Your business must be prepared – an intrusion is inevitable for many organisations and preventative security measures will eventually fail. The question you must accept isn’t whether security incidents will occur, but rather how quickly they can be identified and resolved. This reality of the digital economy makes effective incident response — that is, reducing the risk of incidents and mitigating the damage they cause — a top concern for security and risk professionals.

WHY YOU MUST PREPARE
While incident response is a regulated requirement for organisations in some industries, the costs of preparation for any company can be surpassed by the hundreds of millions in damages and recovery expenses that follow an intrusion. Along with bad press, the aftermath is littered with ransom payouts, fines, lawsuits and often increased operational expenses used to address system failures. Gartner predicts that 60 percent of enterprise information security budgets will be allocated to rapid detection and response approaches by 2020, up from less than 10 percent in 2014. As critical as it may be to protect the business from the fallout of an intrusion, effective incident response allows an organisation to continue to pursue its objectives despite a disruption. Resilience is the by-product of mature incident response practices. Incident response is one of the core processes that any security leader must define, develop, implement and prioritise to protect the enterprise and demonstrate security’s value to the business. Following are three integral steps that should be considered:

1. Develop your incident response process
Advance preparation is crucial to effective incident response, but it’s also extremely difficult, especially in complex, distributed enterprises. Adequate preparation will ensure that:
• You already know what the most critical assets are
• You are able to detect that an incident has occurred or is occurring
• A procedure is in place to resolve the incident and manage the consequences
• The people involved know what their role will be

2. Prepare your people
You must be prepared to manage the totality of the impact, and not just the cause of it. A breach or intrusion reaches across an entire business, with partners, executives, remote business units and customers all affected. The sudden transparency produced by an information leak requires an effective response capability that addresses the totality of the consequences across the organisation, not just the consequences for IT. You must develop the right expertise to lead the organisation’s response to a security incident.

3. Implement operational response
Security operations are evolving with greater recognition that traditional approaches of protecting the perimeter and investing in prevention capabilities are inadequate in light of today’s persistent and advanced attacks. The failure of traditional preventative techniques has had two important impacts:
• Organisations are retooling their security architectures to improve their detection, response and, ultimately, their predictive capabilities.
• Organisations now recognise that ‘incidents’ are not just a point-in-time issue, but rather a continuous problem for IT to confront.

