ISSUE 22 | NOVEMBER 2017 www.tahawultech.com
Next-gen endpoint protection AI: The new era of cybersecurity Combating DDoS of Things
SECURING THE NEW
MICRO FOCUS TAKES AN OPEN AND INTELLIGENT APPROACH TO SECURITY WITH A NEWLY EXPANDED PORTFOLIO
CONTENTS

06 END OF THE LINE: Can next-gen endpoint security platforms keep enterprises safe and sound?
10 HEIGHTENED FOCUS: Micro Focus’ Gonzalo Usandizaga and Neeti Rodrigues explain why the company’s open and intelligent approach to ‘securing the new’ resonates well with regional security buyers.
16 RISE OF THE MACHINES: We look into how AI and machine learning are transforming the cybersecurity domain.
26 WEATHERING THE STORM: Jon Ramsey, CTO, Secureworks, shares top tips for crisis management during a ransomware attack.
28 COURSE OF ACTION: BeyondTrust’s Haber on building security awareness training programmes.
34 COMBATING DDOS OF THINGS: Top tips in fending off DDoS threats in the IoT era.
38 THREAT HUNTING - ART OR SCIENCE? McAfee’s Raj Samani on why threat hunting will be a crucial part of enterprise cybersecurity.

FOUNDER, CPI MEDIA GROUP: Dominic De Sousa (1959-2015)
PUBLISHING DIRECTOR: Natasha Pendleton, natasha.pendleton@cpimediagroup.com, +971 4 440 9139
EDITORIAL: Group Editor Jeevan Thankappan, jeevan.thankappan@cpimediagroup.com, +971 4 440 9129; Online Editor Adelle Geronimo, adelle.geronimo@cpimediagroup.com, +971 4 440 9135; Contributing Editors James Dartnell, james.dartnell@cpimediagroup.com, +971 4 440 9153; Janees Reghelini, janees.reghelini@cpimediagroup.com, +971 4 440 9167; Glesni Holland, glesni.holland@cpimediagroup.com, +971 4 440 9134
DESIGN: Senior Designer Analou Balbero, analou.balbero@cpimediagroup.com, +971 4 440 9140; Designer Mhar Delaben, marlou.delaben@cpimediagroup.com, +971 4 440 9156
ADVERTISING: Group Sales Director Kausar Syed, kausar.syed@cpimediagroup.com, +971 4 440 9130; Sales Manager Merle Carrasco, merle.carrasco@cpimediagroup.com, +971 4 440 9147; Business Development Manager Youssef Hariz, youssef.hariz@cpimediagroup.com, +971 4 440 9111
CIRCULATION: Circulation Manager Rajeesh M, rajeesh.nair@cpimediagroup.com, +971 4 440 9119
PRODUCTION: Production Manager James P Tharian, james.tharian@cpimediagroup.com, +971 4 440 9159; Operations Manager Shweta Santosh, shweta.santosh@cpimediagroup.com, +971 4 440 9107
DIGITAL SERVICES: Web Developer Jefferson de Joya, Abbas Madh; Photographer Charls Thomas, Maksym Poriechkin; webmaster@cpimediagroup.com, +971 4 440 9100
Published by CPI Media Group, registered at Dubai Production City, DCCA, PO Box 13700, Dubai, UAE. Tel: +971 4 440 9100, Fax: +971 4 447 2409. Printed by Printwell Printing Press.
© Copyright 2017 CPI. All rights reserved. While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.
NEWS
NORTH KOREA BEHIND WANNACRY ATTACK: UK MINISTER The British government has admitted that it is “as sure as possible” that North Korea carried out the “WannaCry” malware attack which devastated NHS IT systems in May. A report released by the National Audit Office (NAO) found that hospital trusts were left vulnerable to the attack because basic recommendations on cybersecurity were not followed. Speaking on the BBC’s Today programme, British security minister Ben Wallace said the government now believes a North Korean hacking group was responsible, but stopped short of suggesting the UK could carry out retaliatory attacks. “This attack, we believe quite strongly that this came from a foreign state,” said Wallace. Adding that the state involved was “North Korea”, he said. “We can be as sure as possible. I obviously can’t go into the detail of intelligence, but it is widely believed in the community and across a number of countries that North Korea had taken this role.” He then called on the West to develop a “doctrine of deterrent” similar to that used to prevent the use of nuclear weapons. “We do have a counter attack capability,” he said. “But let’s remember we are an open liberal democracy with a large reliance on IT systems.” North Korea has already been widely accused of being responsible—a charge the country has denied. Wallace’s remarks also echo statements made this month by Microsoft President Brad Smith, who said, “I think at this point that all observers in the know have concluded that WannaCry was caused by North Korea using cyber tools or weapons that were stolen from the National Security Agency in the United States.” In total, more than 300,000 computers in 150 countries were infected with the WannaCry ransomware.
ATTIVO NETWORKS SECURES $21 MILLION IN LATEST FUNDING ROUND Cybersecurity firm Attivo Networks has announced that it has raised $21 million in Series C venture capital funding. The funding round was led by Trident Capital Cybersecurity with participation from existing investors Bain Capital Ventures and Omidyar Technology Ventures. The round of funding follows a $15 million Series B financing in May, representing $36 million raised in the last five months and a collective total of $45.7 million overall. This new funding will be used to support further development of the Attivo ThreatDefend Deception and Response Platform to address the evolving landscape of threats and attack surfaces and to add counterintelligence functionality. The company will also use the funds to expand global sales initiatives. Attivo Networks announced that Trident Capital Cybersecurity’s Alberto Yépez, managing director and a pioneer of the cybersecurity industry, will join its board. Yépez has played significant roles as an entrepreneurial and public company CEO, board member, large company senior executive, serial entrepreneur, and an angel and venture capital investor.
Ray Kafity, Vice President, Middle East, Turkey and Africa, at Attivo Networks, said: “Deception changes the asymmetry in today’s cyberwarfare. Attivo engineering has applied its deep expertise to deliver an accurate and scalable solution for detecting threats within today’s evolving attack surface and enable defenders to win the game.”
SAUDI ARABIA SETS UP NEW AUTHORITY FOR CYBERSECURITY Saudi Arabia has reportedly set up a new authority for cybersecurity, and named the Minister of State, Musaed al-Aiban, its Chairman. The National Authority for Cyber Security will be linked to the Saudi King Salman bin Abdulaziz Al Saud, and was created to “boost the cybersecurity of the state, and protect its vital interests, national security and sensitive infrastructure,” the Royal Decree stated. It will also improve protection of networks, information technology systems and data. The Authority will be made up of the head of state security, the head of intelligence, the deputy interior minister and assistant to the minister of defence, said the SPA. Saudi Arabia has been the target of frequent cyber-attacks. Earlier this year, it put out an alert about the “Shamoon” virus, which cripples computers by wiping their disks, after the Labour Ministry had been attacked and a chemical company reported a network disruption. The worst cyber-attack to date was when Saudi Aramco, the world’s largest oil company, was hit by the virus in 2012, added Reuters.
47% of IT decision-makers believe that IT security is still not a top priority discussion for the board.
NEW RANSOMWARE STRAIN HITS EUROPEAN FIRMS A new strain of ransomware known as ‘Bad Rabbit’ has recently hit organisations in Russia and Ukraine. Bad Rabbit differs from other recent ransomware attacks in that the exploit targets the user rather than the computer: instead of attacking a weakness in the computer’s security, the ransomware prompts users to download a fake Adobe Flash update when they visit an infected website. Once the virus settles on a single computer in a network, it will then attempt to ‘hack’ other computers within the network. The malware has infected Russian companies as well as an airport in Ukraine and a metro system in Kiev. It also impacted a small number of victims in Germany and Turkey. Researchers at Avast said they’ve also detected the malware in Poland and South Korea. Bad Rabbit initially spread via fake Flash update packages, but the ransomware also appears to come with tools that help it move laterally inside a network, which may explain why it spread so quickly across several organisations in such a short time. The ransomware demands the payment of 0.05 Bitcoins, or about $275, to unlock the encrypted files. Industry experts highlight that Bad Rabbit is an improved variant of the Petya virus that hit multiple organisations in June this year. The virus used in the June cyber-attack turned out to be a wiper, whereas Bad Rabbit functions as data-encrypting ransomware.
EHDF EXPANDS MSS PORTFOLIO eHosting DataFort (eHDF) has expanded its Managed Security Services (MSS) portfolio with advanced services that include SIEM, Real Time Threat Monitoring (RTTM), Remote Managed Security Services, Advanced Threat Protection (ATP), PCI Security Services, and Incident Response (IR), among others. According to eHDF, its RTTM service takes a comprehensive approach to log collection and analysis, incident classification and notification, and provides better visibility of threat posture. For customers that need PCI compliance, the firm’s latest PCI Security Services can assist in their assessments and ongoing monitoring needs. The company also offers Vulnerability Management (VM) to its clients. This fully managed service includes the provision of licences, scanners and skilled resources to manage the Vulnerability Management lifecycle and integrate it into the SIEM solution. eHDF’s enhanced portfolio also includes a more flexible IR solution and DDoS mitigation services.
GAZA CYBERGANG TARGETS UAE AND SAUDI ARABIA Kaspersky Lab experts are registering important changes in the operations of the infamous Gaza Team Cybergang, which is actively targeting multiple commercial and government organisations in the UAE, KSA, Palestine, Egypt and other countries in the MENA region. While the group has been active in the threat landscape for several years, it has upgraded its arsenal in 2017 with new malicious tools. The actor has been spotted seeking out any type of intelligence across the MENA region, which was not previously the case. More importantly, the attack tools have become more sophisticated – the group is developing topical, geopolitical spearphishing documents that are used to deliver malware to targets, using exploits for a relatively recent vulnerability, CVE-2017-0199 in Microsoft Access, and potentially even Android spyware. The intruders perform their malicious activities by sending emails containing various RATs (Remote Access Trojans) in fake office documents, or URLs to a malicious page. When these are executed, the victim is infected with malware that subsequently enables the attackers to collect files, keystrokes and screenshots from the victim’s devices. If the victim detects the initially downloaded malware, the downloader tries to install other files on the victim’s device in an attempt to bypass detection. In order to prevent falling victim to such an attack, Kaspersky Lab researchers recommend that organisations train staff to distinguish spearphishing emails or a phishing link from legitimate emails and links; use a proven corporate-grade endpoint security solution in combination with specialised protection against advanced threats; and provide security staff with access to the latest threat intelligence data.
FEATURE
END OF THE LINE Can next-gen endpoint security platforms keep enterprises safe and sound?
In the wake of recent malware exploits, enterprises are now looking for new endpoint security tools. Security professionals want tools that can detect and block known and unknown exploits and malware. At the same time, they prefer endpoint security technologies that are easy to deploy, configure and operate on a day-to-day basis.
What makes endpoint protection platforms different from traditional anti-virus software, which relies on signatures of known threats, is their ability to analyse processes, changes and connections to spot foul play and catch zero-day exploits. The value of endpoint protection platforms is that they can identify specific attacks and speed the response to them once they are detected. They do this by gathering information about communications that go on among endpoints and other devices on the network, as well as changes made to the endpoint itself that may indicate compromise. The database of this endpoint telemetry then becomes a forensic tool for investigating attacks, mapping how they unfolded, discovering which devices need remediation and perhaps predicting what threat might arise next.
WHAT TO ASK ENDPOINT SECURITY VENDORS
When buying endpoint security products, customers should consider the following:
• Can the analysis engine handle the amount of data generated by the endpoint?
• Can access rights be tiered, for example between an admin and an incident-response manager?
• Can vendors offer products for testing? “The downside of emerging technologies is there’s very little on the testing side,” he says.
• Is the data gathered actionable or just noise? How well does it sort irrelevant incidents from relevant ones?
• Is the output readily presentable to incident responders, analysts and others so they can respond quickly?
• How well do they share and accept threat intelligence that can sharpen their detection abilities?
• Do endpoint agents “play nicely” with other endpoint software?
• What is the rate of false positives for the EPP platform?
• Does the EPP agent slow down endpoint applications more than is acceptable for productivity? Check whether the agents try to block legitimate activity.
• Does the vendor support Macs? Older versions of Windows that are still in use? Mobile devices?

“The endpoint remains the most attractive and soft target for cyber criminals and cyber espionage actors to get inside the door of their targets. Trends such as the Internet of Things (IoT), BYOD, mobility, social media and cloud computing have redefined enterprise security with the industry experiencing more data breaches, cyberattacks, hacking and other malicious activities,” says Scott Manson, Cybersecurity Lead - Middle East and Africa, Cisco.

Harish Chib, VP of MEA at Sophos, says the best defence against the threat of APTs is a strong next-gen endpoint that makes use of a range of different prevention techniques to ensure that nothing slips through the net. “Increasingly this is being supplemented by a coordinated security setup, where multiple solutions communicate to share contextual information, meaning faster detection and an automated response.”

Does the push towards comprehensive endpoint security suites mean the end of traditional AV solutions? Ahmed Ali, senior systems engineer at Fidelis Cybersecurity, says next-gen endpoint security was not originally designed to replace anti-virus solutions. “The core functionality of next-gen endpoint security is to provide advanced prevention and detection mechanisms which act as a second layer of defence. Nevertheless, adding the capability of performing known bad file hashes and
signature-based checks to the next-gen endpoint protection platforms is not that big of a challenge, in which case next-gen endpoint security solutions would have the ability to replace traditional anti-virus solutions.”

Morey Haber, VP of technology at BeyondTrust, offers a different spin and says next-generation endpoint security is merely a compensating control for poor security design, hygiene, and an inability for vendors and end users to adopt security best practices from the start or retrofit them into existing installations. “If you consider security best practices for vulnerability, patch, privilege, logging, auditing, application control, and identity, the need for a next generation endpoint solution is muted. That is, if vulnerabilities are patched timely, privileges controlled and monitored, only trusted applications are executed, and network communications restricted (lateral movement), then the need for a machine learning or artificial intelligence solution is mitigated. I would encourage all end users not to rely on the next best endpoint solution but rather clean up the security basics first. The ability to stop a threat is higher if the basics are done well versus buying another layer branded as next generation anti-virus,” he adds.

Manson from Cisco believes endpoint security will consolidate in the near future. Endpoint security software is going through massive changes in order to best address new threats and new requirements. What’s needed is a truly transformational change in how we approach detecting advanced threats and breach activity. We need continuous protection and visibility from the point of entry through propagation and post-infection remediation, he adds.

While there is no single endpoint product that can suit all situations, there are a few key things to consider in your purchase:

Going agent or agentless. The upside of the agentless approach is that the product can track endpoints that might be used to compromise your network, such as IP cameras and other embedded devices that aren’t running traditional endpoint operating systems. Another upside is that, because there is no code installed on the endpoint, nothing is exposed to a potential attacker. A third advantage to going agentless is that some products with agents only have them for particular Windows versions and are still working on their Mac and Linux agents. Other products have begun to recognise the mobile universe and either integrate with mobile device management tools or have specific iOS and Android agents.

What does the endpoint user see on their desktop? Products that install endpoint agents vary widely in terms of what an end user can observe and how stealthily they operate: some obscure any listing in the Windows Control Panel Programmes list or taskbar icons, others operate more like ordinary applications. And those that operate without agents are completely invisible, of course.

How is the product configured and managed? Each product has a combination of web and native management consoles, and some (even the SaaS-based tools) have fairly complex installation routines. Many of them will require consulting contracts to get set up properly.

“Organisations expect next-generation endpoint security to protect against known and unknown threats in an automated fashion that can seamlessly integrate with other elements in the security architecture as part of a cohesive security strategy. This allows organisations to reduce management complexity yet respond to sophisticated threats effectively with a leaner security team,” sums up Tony Zabaneh, Senior Systems Engineer – Channel, at Fortinet.
www.tahawultech.com
REDEFINING technology transformation
+971 4 440 9100
@TahawulTech
info@cpimediagroup.com
www.tahawultech.com
facebook.com/tahawultech
Media City, Building 4 Office G-08, Dubai, UAE, PO Box 13700
twitter.com/tahawultech
linkedin.com/in/tahawultech
COVER INTERVIEW
HEIGHTENED FOCUS Post its spin-merger with HPE software, Micro Focus is now a $4.5 billion company, with an enhanced security portfolio. Gonzalo Usandizaga, VP and GM of emerging markets and Neeti Rodrigues, regional director of enterprise security products, explain why the company’s open and intelligent approach to ‘securing the new’ resonates well with the regional security buyers.
Given that Micro Focus is a relatively new brand in this region, are you not going to face brand challenges?
Gonzalo: We are in the process of creating brand awareness. We have done roadshows since September this year to make customers aware of the scale and volume of the new company. Of course, there are questions from customers and partners about our innovations and portfolio, and they want to know about our future roadmap. The good news is that the product portfolios of both companies are complementary in nature, with very little overlap.

How about the areas where you do have an overlap?
Gonzalo: We are taking a best-of-both-worlds approach, and we will continue to support what our existing customers have, and offer them a migration path. In the 40-year history of Micro Focus, we have never discontinued a product after acquisition. If the customers want to continue using a product or solution, we will support it forever.

You have announced an expanded security portfolio as a result of this union. Is your strategy going to be around analytics-driven security?
Gonzalo: Security is of strategic importance to us and it is going to be one of our growth engines. We see a big opportunity in this region particularly. From legacy Micro Focus we have IAM and single sign-on solutions, and when you combine these with legacy HPE security solutions such as ArcSight and Fortify, it gives us a breadth and depth that can address the security challenges our customers face. The fact that Micro Focus didn’t have a direct presence in the Middle East means we don’t have a big installed base for IAM solutions, and we are going to cash in on that opportunity now.
Neeti: Security and information governance will be key pillars for us. If you look at the fastest growing areas within security, it is around application security, data security, security operations management, and identity and access management solutions. And these are the areas where we are investing heavily.

Do we need to rethink our approach to security in this age of dynamic threat landscape?
Gonzalo: Yes, and it should start with a change in employee mindset. Security is not a technology problem but a business one. So far, we have been focused on protection; what we need to realise is that breaches pose a serious risk to business, not just IT systems. Your company’s success depends on how good your security architecture is. This is why security has now become a boardroom-level discussion.
Neeti: If you start off with security as a tech problem, you have already got it wrong. Security affects your bottom line and that is why you can now see CIOs reporting to boards. The new breed of CIOs don’t talk about technology, they speak the language of business. They are C-level execs, not security managers, who speak of risk from a business perspective.

Should we plan to fail, if we can’t keep the bad guys out?
Gonzalo: Yes, and we are starting to see a lot of momentum around secure data and encryption. No matter how many firewalls or monitoring tools you have, hackers will find a way to get into your networks. How you make sure they can’t access sensitive business data is what really matters. Encryption is going to be a hot spot in the next 12-18 months and we have the Voltage line of data encryption and tokenisation solutions in our portfolio to address this.

Is compliance a big driver for security?
Gonzalo: Not yet, but it will be. There are a lot of regional brands that have global ambitions and following regulations would be important for them.

Will analytics and machine learning shape the future of cybersecurity?
Gonzalo: Yes, and our strategy is to have analytics as the cornerstone of everything we do – be it DevOps, security or information governance and management. We believe security is a key component of digital transformation, and Big Data analytics will have a huge role to play, providing actionable insights to customers about their environments.

What differentiates you from other security vendors?
Gonzalo: The fact that we are taking an open and intelligent approach to security. You don’t have to limit yourself to one set of products or solutions; we believe no vendor can offer you end-to-end solutions to address the security challenges. Being open and collaborative to help our customers respond immediately to threats is our mantra.

ArcSight is an ageing platform and users have been complaining about not being able to extract data to use it elsewhere. Have you addressed this issue with the newer version?
Neeti: The new ArcSight platform offers better visibility and insights with dashboards and built-in analytics. Most people don’t realise that we aged out the old ArcSight platform five years ago, and it has now become more user-friendly, with actionable intelligence and threat hunting capabilities.

Do you think sticking to basic security hygiene could help us avoid most of the breaches?
Neeti: Hygiene is of course important, but the biggest gap is in skillsets. Security is all about three things – people, process and technology, and we are woefully inadequate on the first two. Assuming technology can do wonders is wrong; tech by itself is just a tool and we need a full circle of people, process and technology.

Is Secure DevOps a big focus area for you?
Neeti: We have automated Secure DevOps with our Fortify portfolio. It is ten times cheaper to bake in security during the application development process itself rather than putting in compensating controls after it goes into production. In fact, the biggest growth we have seen in this region is from Fortify, and we have had double-digit growth in the Fortify SaaS business.
Internal Threat Report 2017

Types of internal threats: privileged users, consultants, vendors, business users.

Invisible threats
• 69% of all cyber breaches originate from an internal user.
• 75% of all insider threats go unnoticed.
• 94% of organisations reported not having full transparency in regards to insider threats.

Insider detection
• 53% of organisations know of breaches caused by insiders.

It’s in the data
• 35% of organisations cannot detect if a breach was from an insider.
Insider threats are some of the most difficult to detect. This is because internal users have been granted access and authorisation to sensitive data by the company.
• Over 70% of organisations have difficulty detecting a security breach.

When disaster strikes
After a breach occurs, many organisations have trouble detecting and tracing back to the origin of the breach. Even if they can find the cause of the breach, it is oftentimes a challenge to prove it without a reasonable doubt.
• 55% of organisations have difficulty investigating a cyber breach in a time-effective manner.

Prevention
Employee education is one of the most important steps to mitigating the risk of a breach. Most breaches occur due to some element of human error, so training employees is the best foundation for your cybersecurity line of defense.
• Nearly 1 in 4 data breaches occur due to inadvertent user error.
• 95% of all breaches involved some form of human error.

Source: securable.io
FEATURE
RISE OF THE MACHINES Artificial intelligence and machine learning are reshaping many, if not most, industries today. As these technologies transform modern IT systems, how can organisations leverage them to build better defences and stay on top of cybersecurity incidents?
Artificial intelligence (AI) and machine learning are rapidly gaining the mindshare of security professionals across the region. Once just science-fiction concepts, these two technology trends are increasingly being applied to real-life innovations. For years, the cybersecurity space has been focused on being reactive and defensive when it comes to dealing with attacks. With an ever-connected world seeing widespread adoption of cloud and mobile technologies, cybersecurity is becoming infinitely more complex. The expanding number of access points and the seeming relentlessness of today’s sophisticated hackers mean the need for innovative security measures has never been more important. Keeping up with the evolving threat landscape is challenging, to say the least. AI and machine learning promise CISOs and their security teams a more efficient approach. “With digital transformation, cybersecurity experts have a lot on their plate,” says Ahmad Mubarak, senior systems engineer, Middle East, Infoblox.
“More connected devices equate to more traffic, more attack vectors, more attempts at security breaches, and a lot more data that needs to be analysed.” In addition, Mubarak also points out that today’s enterprises generate tremendous amounts of data by simply doing business. “Human element alone won’t be enough to capture, analyse and mitigate threats surrounding this data,” he adds. “Thus, CISOs will need all the help they can get to prevent security incidents and respond to threats and machine learning can be one step in coping with its sheer complexity.” AI and machine learning can help open new perspectives for cyber defence by addressing the gaps and issues faced by security teams. “Organisations looking to deploy a proactive approach to security instead of a reactionary one need to have realtime, intelligence-driven monitoring across all aspects of their networks,” says Gopan Sivasankaran, security architect, Secureworks. “As CISOs are on the frontlines of any technological innovations, it is vital that they are prepared to quickly respond to market dynamics when it comes to new security vulnerabilities to which AI and machine learning can be instrumental.”
It is undeniable that the global threat landscape is advancing quite quickly. In the first half of 2017 alone, we have seen big ransomware attacks such as WannaCry and NotPetya break out across the globe. With this in mind, security leaders should look into tools that will enable them to get ahead of the impending threats.

“The cybersecurity mission has always been the same: Protect. Detect. Respond,” says Piero DePaoli, senior director, Product Marketing and Security, ServiceNow. “However, even though the market has already seen major advancements in data protection and threat detection, the innovation in security response seems to be lagging behind,” he says. “AI and machine learning will become critical to innovating around security response. We will soon leverage machines to complete in seconds what used to take days.”

While there is no “silver bullet” when it comes to protecting your company’s systems, it is important to have a robust and efficient security strategy. “The automation of tasks, such as how to respond to security alerts, allows cybersecurity teams to respond faster and more efficiently to threats,” says DePaoli.

More than automation, DePaoli says that the growing vulnerability response backlog is a major opportunity for security teams to leverage AI and machine learning. “Enterprises increasingly rely on technology and those systems need patching,” he explains. “Over time, organisations develop extensive vulnerability backlogs and oftentimes they have little insight as to which vulnerabilities should be prioritised.” According to DePaoli, the reality is that vulnerabilities leave critical systems open to potential attackers. “61 percent of vulnerabilities are remediated within a month, the rest are likely never to be remediated,” he says. “AI can help us prioritise which systems and threats deserve our attention.”

Meanwhile, Sivasankaran sees an opportunity in improving the security operations centres (SOCs) of today’s enterprises using AI and machine learning. “SOCs play a vital role in optimising security and improving incident response,” he says. “However, traditional SOCs are struggling when it comes to manual and time-consuming analysis of security events. AI can condense weeks or months of work into minutes, reducing the time spent on threat investigations and enabling teams to focus on data loss prevention and mitigation.”

It takes security teams an average of 191 days to identify a breach and another 66 days to contain it. AI and machine learning can significantly expand the scope and scale of security professionals and allow them to build smarter systems that can detect threats even before an attack occurs.

“Today, security automation is about simplifying and speeding up tasks associated with cybersecurity policy definition and enforcement,” says Ercan Aydin, vice president, Emerging Markets, Palo Alto Networks. “Soon, AI and machine learning may be leveraged to implement predictive security postures across public, private and SaaS cloud infrastructures. Using artificial intelligence in cybersecurity allows intelligent IT systems to not only react instantly in real time to cyberthreats, but to constantly discover and respond to new threats.”

With digital transformation, cybersecurity experts have a lot on their plate. More connected devices equate to more traffic, more attack vectors, more attempts at security breaches, and a lot more data that needs to be analysed. - Ahmad Mubarak, Infoblox

In the Middle East region, organisations are adopting AI and machine learning technologies at a fast pace. IDC has predicted that spending on cognitive and AI systems will total $37.49 million in 2017 and is poised to reach $114.22 million in 2021. “Governments and enterprises are taking cybersecurity seriously from the first moment, focusing on developing a serious and cohesive regulatory framework around information security and data protection, including the deployment of AI and machine learning to optimise security operations and achieve early detection of threats,” says Mubarak.

A report by Cybersecurity Ventures estimates that by 2021 there will be over 3.5 million unfilled cybersecurity jobs. While AI can help fill this skills gap by taking over manual and mundane tasks, it will also create specialised roles that will require the attention of a specialist. “The human element is still very essential to the development of viable AI and machine solutions for cybersecurity,” says Mubarak. “Machines and systems will always need human interaction to ‘learn’ and improve. In addition, security talents are required in correcting false positives and detecting cybercriminal innovations, as well as in tailoring learning security algorithms.”

The advancements in AI and machine learning will continue to improve the cybersecurity domain. However, it is important to understand that getting the best talent is still key to succeeding against threat actors. At the end of the day, machines can only be as clever as the information they are given to learn from. We will never replace the need for top talent; therefore, AI is just one piece of the puzzle.

11.2017 www.tahawultech.com
OPINION
TOP TIPS FOR EFFECTIVE MULTI-FACTOR AUTHENTICATION
Kamel Heus, regional manager, MEA, Centrify, shares insights on how organisations can implement a multi-layered approach to protect corporate data against unauthorised users.
These days, it’s pretty clear that to protect systems and data, organisations need to go beyond traditional perimeter defenses. Because most modern cybercriminals exploit user credentials to get a foot in the door, user identities have become the new perimeter. And leading organisations are turning to Multi-factor Authentication (MFA) to secure their complex, heterogeneous environments. MFA mitigates password risk by requiring additional factors of authentication: something the user knows, has and is. It’s not difficult to implement, but some up-front planning can further enhance security and save a lot of time and effort. MFA is one of the best ways to prevent unauthorised users from accessing corporate data. It is an integral part of Centrify Identity Services, and we recommend the following best practices for MFA:

Implement MFA across the enterprise
Deploying MFA in silos is the same as locking your front door and leaving your back door wide open. To minimise exposure to attack, you need to consider all access points within the organisation, including the cloud. Too many companies are moving data and workloads to the cloud without implementing consistent security across cloud components. Don’t be one of them. Server login and privilege elevation are common links in the cyber-attack chain, so MFA should be deployed for remote network access for distributed employees and business partners across all servers. And ensure you require MFA for users that want to execute privileged commands. This will significantly minimise the damage that can be done if hackers do gain access to your network. Implementing MFA across all end and privileged users, cloud and on-premises applications, VPN, server login and privilege elevation helps protect against unauthorised access, data breaches and password-based cyber-attacks.

Leverage Context for Adaptive MFA
The main benefit of adaptive MFA is the improved user experience. Rather than an “always on” approach that constantly asks the user for secondary credentials, use context to create an adaptive, step-up approach that only requires additional factors when necessary. Contextual information might include location, network, device settings or time of day to help determine whether the user is who they claim to be. For example, a user logging in via the corporate network on a managed device can be granted access with their password. A user logging in from an unknown network on an unmanaged device should be asked for additional authentication.
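As an added example (not code from the article or from Centrify), the following Python policy function implements the step-up logic described above: password alone on the corporate network from a managed device, an additional factor from an unknown network, an unmanaged device or an off-hours login, and always an additional factor for privileged operations such as server login or privilege elevation. The network ranges, device inventory, business hours and factor preference order are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed sample environment (assumptions for this example, not Centrify data):
# corporate address ranges, the managed-device inventory and normal working hours.
CORPORATE_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
MANAGED_DEVICES = frozenset({"LAPTOP-0042", "LAPTOP-0117"})
BUSINESS_HOURS = (7, 20)  # local hour, inclusive start, exclusive end

# Second factors from the article's list, strongest first; the first one the user
# has enrolled is the one requested for step-up.
FACTOR_PREFERENCE = ("hardware_token", "soft_token", "phone_call", "sms",
                     "email", "security_questions")


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    device_id: str
    hour: int                      # local time of day, 0-23
    privileged: bool = False       # server login or privilege elevation
    enrolled: FrozenSet[str] = frozenset({"password"})


@dataclass(frozen=True)
class Decision:
    allow: bool
    factors: Tuple[str, ...]       # factors the user must present, in order
    reasons: Tuple[str, ...]       # context signals that triggered step-up or denial


def on_corporate_network(source_ip: str) -> bool:
    """True when the source address falls inside a known corporate range."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False               # unparsable address: treat as an unknown network
    return any(addr in net for net in CORPORATE_NETWORKS)


def risk_signals(req: AccessRequest) -> List[str]:
    """Collect the context signals the article names: network, device, time of day."""
    signals = []
    if not on_corporate_network(req.source_ip):
        signals.append("unknown_network")
    if req.device_id not in MANAGED_DEVICES:
        signals.append("unmanaged_device")
    start, end = BUSINESS_HOURS
    if not start <= req.hour < end:
        signals.append("off_hours")
    return signals


def pick_second_factor(enrolled: FrozenSet[str]) -> Optional[str]:
    """Strongest enrolled second factor, or None if the user only has a password."""
    for factor in FACTOR_PREFERENCE:
        if factor in enrolled:
            return factor
    return None


def evaluate(req: AccessRequest) -> Decision:
    """Adaptive step-up: password alone in a trusted context, a second factor otherwise.

    Privileged operations always require a second factor, whatever the context.
    """
    reasons = risk_signals(req)
    if req.privileged:
        reasons.append("privileged_operation")
    if not reasons:
        return Decision(True, ("password",), ())
    second = pick_second_factor(req.enrolled)
    if second is None:
        # Step-up is required but nothing stronger than a password is enrolled:
        # fail closed rather than silently downgrading to password-only access.
        return Decision(False, (), tuple(reasons) + ("no_second_factor_enrolled",))
    return Decision(True, ("password", second), tuple(reasons))


if __name__ == "__main__":
    otp_user = frozenset({"password", "soft_token"})
    trusted = AccessRequest("alice", "10.20.30.40", "LAPTOP-0042", 9, enrolled=otp_user)
    roaming = AccessRequest("alice", "203.0.113.7", "PERSONAL-PHONE", 22, enrolled=otp_user)
    sudo = AccessRequest("alice", "10.20.30.40", "LAPTOP-0042", 9, privileged=True, enrolled=otp_user)
    for req in (trusted, roaming, sudo):
        d = evaluate(req)
        print(req.source_ip, req.device_id, "->", "allow" if d.allow else "deny", d.factors, d.reasons)
```

A user with only a password enrolled is denied rather than let through when step-up is required, which is the fail-closed choice a practitioner should make explicit in such a policy.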
Provide a variety of authentication factors
User experience is critical for a successful MFA rollout, so you must balance user convenience with security. An inflexible, ‘one-size fits all’ approach doesn’t suit the needs of different users. A range of authentication methods have emerged to provide organisations with an MFA solution that balances risk, usability and cost. The latest is biometrics, which include fingerprint, retina scans and facial recognition. Other options include:
• Hardware tokens
• Soft tokens
• SMS/Text message
• Phone call
• Email
• Security questions

Opt for a standards-based approach
Standards help ensure that your MFA solution can operate within your existing IT infrastructure. For example, an MFA solution should comply with standards such as Remote Authentication Dial-in User Service (RADIUS) and Open Authentication (OATH). RADIUS is a networking protocol that provides centralised authentication, authorisation and accounting management for users who connect and use a network service. OATH is an open technology standard that enables solutions to deliver strong authentication of all users on all devices, across all networks.

Implement MFA in combination with complementary identity security tools
Mitigate password risk by combining MFA with other solutions such as single sign-on (SSO) and least privilege access. SSO eliminates the need for multiple passwords by authenticating users to all the apps and cloud services they’ve been given rights to. This eliminates the use of weak, re-used and improperly stored passwords. By implementing least privilege (providing users with the lowest level of privilege to perform their daily duties while enabling them to elevate their privilege when needed), businesses can reduce the risk associated with shared accounts as well as the risks associated with compromised credentials.

Regularly re-evaluate MFA
Security vulnerabilities and the threat landscape are constantly changing, as are IT infrastructures, authentication mechanisms and the applications available to users. Because of this dynamic environment, companies need to conduct regular assessments to ensure their MFA technology is continuing to meet the needs of users and the organisation as a whole, and that it’s being applied appropriately.
FEATURE
THE 10 BEST ANTIVIRUS TOOLS FOR ANDROID
Do Android phones get malware? Unfortunately, yes, but there are plenty of Android malware protection tools to save the day.
Android viruses (and other malware) are on the rise, but how much of a threat are they to enterprises? And what are the best tools for combating them? Research from the AV-TEST Institute, a Germany-based independent service provider of IT security and antivirus research, shows that the number of Android malware samples collected has increased sizably every year. In 2014, the total was more than 326 million. The next year, the malware tally reached more than 470 million. In 2016, AV-TEST recorded nearly 597.5 million samples—nearly double the amount from two years earlier. By 2019, mobile malware will comprise about 33 percent of all malware reported in standard tests, up from 7.5 percent today, according to Gartner’s August 2017 “Market Guide for Mobile Threat Defense Solutions.” Though iOS devices aren’t immune from malware, “The mobile malware threat is primarily coming from Android,” said Dionisio Zumerle, research director, Gartner. The threat should be a concern for all companies with Android users, he said—especially those with large fleets of Android devices or that are in high-security verticals such as finance, healthcare, and government. Android malware is getting more sophisticated, too. Consider DoubleLocker—Android ransomware that IT security firm ESET recently detected. DoubleLocker is capable of changing a device’s PIN, preventing users from accessing their devices. It can also encrypt the data on the device. That’s a double whammy, the likes of which haven’t been seen before in the Android ecosystem, according to ESET. The good news? “Android security is improving, and the diversity of security applications available for the platform is strong,” said Nick FitzGerald, senior research fellow, ESET. “That means there’s more than one set of hurdles the bad guys must clear to have a highly successful malware campaign.”

10 best Android malware protection tools
The following are the 10 best antivirus software tools for Android, according to AV-TEST’s September 2017 evaluations of 21 Android security apps. Each Android antivirus software app listed below received perfect protection and usability scores of 6.0. The apps are in alphabetical order.
AhnLab V3 Mobile Security Version 3.1 AhnLab’s V3 Mobile Security managed Android malware detection in real-time 99.8 percent of the time, compared to an industry average of 95.7 percent. It found the latest Android malware discovered during the previous four weeks 100 percent of the time, versus the industry average of 98.4 percent. The app doesn’t negatively affect battery life or cause the device to get sluggish during normal use. It registered zero false warnings during installation and use of legitimate apps from Google Play or third-party app stores. V3 Mobile Security’s safe browsing features help protect against phishing attacks and malicious websites, but the app doesn’t include antitheft features such as remote wipe. Additional features not evaluated by AV-TEST include an app lock and a privacy advisor.
Antiy AVL Version 2.5 The AVL malware protection app did a flawless job of Android malware detection in real-time as well as the threats discovered in the previous four weeks—100 percent detection in both cases. AVL also earned high marks for not impacting battery life, slowing the device during normal use, or generating too much traffic on the device. It issued zero false warnings during installation and use of apps from Google Play or third-party app stores. AVL offers safe browsing and protection from phishing as well as the ability to block calls from specific or unknown numbers, but it doesn’t offer anti-theft features such as remote locking, wiping, or locating, according to AV-TEST.
Bitdefender Mobile Security Version 3.2 Bitdefender’s Android malware detection in real-time is 100 percent, and it discovered the newest Android threats discovered in the last four weeks 100 percent of the time as well. For usability, the app gets big check marks for not dragging down battery life or device speeds. AV-TEST found zero false warnings during installation/usage of legitimate apps from Google Play and third-party app stores. Unlike some Android malware protection apps, Bitdefender’s Mobile Security offers anti-theft features, including remote lock, wipe, and locate, as well as safe web browsing and phishing protection. Like many other Android security tools, it doesn’t include message filtering or call blocking and doesn’t support all types of encryption. Additional features not evaluated include app lock, a privacy advisor, and account privacy.
Cheetah Mobile Security Master Version 4.2 When it comes to Android malware detection, Cheetah Mobile’s Security Master app gets the job done 100 percent of the time. The app’s perfect usability score comes from having a light touch in impacting battery life, not slowing down the device, and not generating excess traffic on the device. Zero false warnings were detected when installing and using apps from Google Play or third-party app stores. Security Master includes the trio of anti-theft features AV-TEST looked for: remote lock, wipe, and locate. Other features include call blocking (of specific and unknown numbers) and protection from phishing attacks and malicious websites. Additional features not tested include a privacy cleaner, power boost, and additional Wi-Fi security.
G Data Internet Security Version 26.0 G Data’s Internet Security has more features than many of its other top-rated competitors. AV-TEST checked the boxes for remote lock, wipe, and locate; call blocking; message filtering; safe browsing; parental control; and support for all encryption. The only ‘x’ the app received was for not enabling personal data to be saved to an SD card or cloud storage. Otherwise, Internet Security’s real-time Android malware detection rate was 99.8 percent, while it detected threats discovered in the past four weeks 100 percent. The excellent usability score resulted from not negatively affecting battery life, dragging down device performance, or generating too much traffic. The app issued zero false warnings during installation and use of legitimate apps from Google Play and third-party app stores.
Kaspersky Lab Internet Security Version 11.14 Kaspersky Lab’s Android malware scanner caught the latest Android malware in real-time 99.8 percent of the time and the latest threats discovered over the prior month 100 percent of the time. The app’s perfect usability score results from not impacting battery life or slowing performance. The feature set is more robust than most, with remote locking, wiping and location; call blocking; message filtering; and safe browsing/anti-phishing protection—though G Data’s Internet Security product offers a few more features. Additional features not tested include privacy protection, anti-phishing protection for texts, and app lock.
Tencent WeSecure With Tencent’s WeSecure, you won’t get anti-theft features (remote lock, wipe, and locate). AV-TEST didn’t list any additional noteworthy features that weren’t tested, but you’ll get call blocking, safe browsing/anti-phishing protection, and the ability to back up personal data to SD cards or the cloud. The app nearly aced real-time detection of new malware, catching it 99.9 percent of the time, but it detected new malware reported in the previous four weeks 100 percent of the time. Usability was excellent, with no downsides for battery life or performance and no false warnings.
McAfee Mobile Security Version 4.9 McAfee Mobile Security Android malware scanner detected bugs in real-time 99.9 percent of the time, but caught bugs discovered in the last four weeks 100 percent. As with all other apps in this roundup, usability was stellar. The app’s feature set is strong, including a full set of anti-theft tools, call blocking, safe browsing and phishing protection, and the ability to save personal data to an SD card or the cloud. Mobile Security doesn’t support all types of encryption, however, or text message filtering. Other features not tested include a battery optimizer, privacy, and app lock.
Trend Micro Mobile Security Trend Micro’s Mobile Security checks most of the feature boxes: anti-theft, call blocking, text message filtering, safe browsing and anti-phishing protection, and parental control. Plus, there are a privacy scanner, messenger protection, and network protection. The app achieved a 100 percent detection rate for new malware in real-time as well as for threats discovered in the past four months. Usability was excellent, too, with no drag on battery life or performance and zero false warnings.
Norton MobileSecurity Version 3.21 Norton MobileSecurity is among the most full-featured Android malware detection suites in this top 10 round-up. Along with all three anti-theft features, it offers call blocking, safe browsing/phishing protection, and personal data back up to SD cards and the cloud. Additional features not tested include an app advisor and privacy controls. MobileSecurity detected new malware in real-time as well as those discovered in the past month 100 percent of the time. Performance was top-notch, with no impact on battery life and device performance.
INSIGHT
WEATHERING THE STORM
Jon Ramsey, CTO, Secureworks, shares top tips for crisis management during a ransomware attack.
Just as things started to cool off around the WannaCry attack and businesses started to operate normally again, IT professionals were thrown back into disarray with the NotPetya malware attack. NotPetya was responsible for knocking companies like Maersk, AP Moller-Maersk, Reckitt Benckiser, FedEx, and WPP into critical damage control mode. For the organisations that were lucky enough to avoid falling victim to these attacks, it is a moment to quickly breathe a sigh of relief and ask yourself, “Are you as prepared as you can be for the next WannaCry or NotPetya attack that will inevitably take place in the near future?” Having an up-to-date security programme, a detailed process to manage any vulnerabilities, and a completed incident response plan are all necessary and acceptable ways to build up confidence in a cybersecurity plan.

It is important to remember that being prepared is one thing, but how an IT professional actually handles themselves while in the middle of a cybersecurity crisis is completely different. It is safe to assume that cybersecurity professionals cannot be fully prepared for an attack unless they have already dealt with managing emotions in the middle of a serious crisis. Handling a high-level breach like NotPetya can be very chaotic and seem like a blur to even the best cybersecurity professional. Even the best prepared incident response plans can run off track when emotions come into play, causing people to deviate from the initial plan. Often, stakeholders outside the immediate circle who need to deflect cyber threats can cause more damage. They try to take control of a situation outside of their corporate jurisdiction and oppose important operational downtime. These quick actions and assumptions can result in public misstatements. Remaining level-headed during the early stages of a cyber-attack is far easier said than done. Here are five quick tips for boosting cross-functional business communication prior to an attack so you can keep your cool when everyone around you has lost theirs.

1. Define your stakeholders
On a normal day you might have a great relationship built up with your supervisor and the people you directly report to. However, when a security breach is on the cards, the company is depending on you. Security leaders become risk professionals, and your job is no longer simply that of a security programme manager. You will be in a much better position if you build a strong relationship across the board with compliance, legal, operational risk and line functions now, rather than when everything is hitting the fan. It would probably be worth your time to touch base with marketing, HR, finance and procurement as well. Transparency can be a huge asset down the line in times of crisis. The last thing you will want during a crisis is a bunch of people you do not know bombarding you while you are under the pump.

2. Level set with each stakeholder
When preparing for how to handle stakeholders before landing in a breach situation, it could be beneficial to ask, “What are the top three questions you’ll want to ask in the heat of a crisis?” This helps in determining the stakeholders’ priorities so you can manage them effectively.

3. Be honest
There is no doubt that eventually there will be some bad news to share during a cyber breach. Hence, honesty and transparency throughout the entire process is critical to maintaining trust with stakeholders. Another way to avoid unnecessary issues is to proactively prepare each of those stakeholders for what may happen in the speed and chaos of response, even if they seem far removed from your day-to-day security operation.

4. Define rules if you want to get buy-in
When communicating about cyber prevention, awareness and hygiene, try to position policies and processes in a way that is “against the bad guy” as opposed to one that shows distrust in employees. The latter may raise privacy concerns amongst employees or make them feel as if they’re not trusted. Instead of instilling worry, encourage employees to follow guidelines in order to prevent a major attack.

5. Be a straight-shooter
Be upfront with your third-party responder about what the real objective is. The objective is the most important piece of information you can relate to the third-party responder. Some companies will have an objective of getting back up and running as soon as possible; another will want their customers put first. Depending on the end objective, third-party vendors will tackle the incident differently. In the end, it is important not to let what you know get mixed up with what you think. Don’t doubt yourself, and when managing the emotional response to a breach, separate the facts from what you think. Define both and steer clear of acting on the latter. Once the facts are secured, then it’s time to make choices about which of the alternative possibilities to select and how you’ll act on it. Hopefully these tips will never have to be used, but as cybersecurity season is well and truly amongst us, they should help you weather the storm.
INSIGHT
COURSE OF ACTION
Morey Haber, vice president of technology, BeyondTrust, lays out a set of critical factors that Middle East organisations should consider when building security awareness training programmes.
One of my favorite spam emails is the kind from cyber security companies soliciting security awareness training for your employees. Think about it. You are receiving spam email, potentially a phishing attack, from a company offering services on how not to fall for a fraudulent email scam! Security awareness is much more than training, knowledge, and attentiveness. It needs to be part of the culture in your business, a part of your everyday lives, and is much more than identifying the latest phishing email. Security awareness is not paranoia, but it can be taken to extremes if misunderstood. This was certainly the case when Yahoo labeled their security professionals the “Paranoids”. Security awareness does require education, but it also requires intelligence: when to respond and when to correctly ignore a situation. If every event, alarm, and situation becomes a problem, security awareness is no different from extreme paranoia. This can take on many forms, from cyber security to physical access. It can be overly dramatised by requiring all visitors to register their laptops upon security check-in to a building as a visitor, but then denying them even guest access to the Internet or corporate network in any form. Security awareness needs a causal relationship of action, threat, and outcome, not just a blanket statement of denial or a ‘do not do’. This is how we take basic education and training past guidelines to intelligence and attentiveness—knowing why it is a problem versus just following the mandate. Therefore, when we consider security awareness education, we need to consider the following factors in our corporate training:
• All businesses have crown jewels, whether it is sensitive data, physical assets, personally identifiable information (PII), classified government material or just private information in general. Team members should be trained on what this information looks like, how to handle sensitive information, and what could happen to them, and the business, if the information is stolen, physically or electronically.
• Security awareness also has a legal component. All employees, contractors, and applicable third parties handling sensitive information should be trained and, when appropriate, sign a non-disclosure agreement.
• The labeling and handling of sensitive information is key in any form used to communicate the contents. This could include labeling emails as confidential, appropriate levels of encryption for storage and transmission, and even the destruction of material, from shredders to wiping disks securely.
• The concepts of authorisation and authentication are key to security awareness. This includes everything from biometrics to passwords and multi-factor authentication. Context-aware access, from geolocation to concurrent login information, is a major part of this and ensures proper methods for protecting access to sensitive information and applications as appropriate.
• Traditional security awareness training covers cyber security threats and modern attack vectors like malware, phishing (in all forms), and social engineering. This is more than just “do not click on a link”. It needs to cover why you should not click on a link to raise the bar of attentiveness and ultimately intelligence.
• Physical access is just as much a part of security awareness training as cyber. This includes building access, door access, security badges, and reporting of incidents. If a stranger is present, how would you notify the appropriate people? This also includes possessions that should never be permitted in the workplace, even personal computers.
• And finally, for all the grandeur of security awareness, all team members should be aware of the consequences in the event of a violation. This could be personnel discipline but should also establish ground rules for what can happen to their employment or company if a violation occurs. If people understand the risk, and why, they are more likely to show attentiveness to the problem than if it is “just policy”.

In the end, security awareness means you comprehend that there is the risk for individuals to deliberately or accidentally steal, damage, or misuse the information or assets prized by an organisation. Raising awareness can come in many forms, from education to cultural changes, but in the end it must be a part of daily business in order to be effective. Just stating “we have done our annual security awareness training” is simply not enough, but unfortunately this seems to be the case in several businesses in the Middle East. According to a 2016 PwC report, only 37 percent of businesses surveyed have a comprehensive security and training awareness programme, against a global average of 53 percent. Furthermore, only 32 percent of Middle East organisations require their employees to complete training on privacy policies and practices (compared with 55 percent globally). Any good executive understands the importance of measuring the business. I would encourage all teams to measure the effectiveness of security awareness training, policies, and procedures via penetration tests and role playing. This could even include basics like online-based situational tests that all users are required to participate in, to confirm basic knowledge transfer. Therefore, security awareness should be viewed as a key enabler, not just a policy and rules restricting the business. If anything, it could end up saving your business.
INSIGHT
THE CAT AND MOUSE GAME As the world swoons over the promise and practice of AI and machine learning, the world of cybersecurity sees both the hero and the villain take part in the game.
F
or years now, artificial intelligence (AI) has peaked the curiosity of many in the world of science and technology. From Hollywood to academia, the concepts of AI and machine learning have generated both hype and intrigue, resulting in a world that stands divided over the potential implications and benefits of the true power of selflearning machines and technology. 30
11.2017
In the world of cybersecurity, vendors are making a significant push towards AI and machine learning as the newest and most effective way to detect the latest threats and stay ahead of an ever-evolving cyberthreat landscape. The question is, is this all new? The practice of building algorithms to differentiate bad computer behaviour from good has essentially been the foundation of good cybersecurity software. From email spam filters to anti-virus solutions, AI and machine learning in cybersecurity has been around for well over a decade. But we have just scratched the surface. Initial applications of AI have been systems that use machine learning or deep learning and analytics to recognise patterns, and classify threats and malware. It’s been used effectively to profile attack vectors that can be used to breach an organisation, baseline what ‘normal’ within an organisation looks like, and use advanced capabilities to enable rapid anomaly detection.
Security is not a one-size-fits-all solution: what is normal behaviour for a retail bank would not be normal behavior for an insurance organisation. - Rashmi Knowles, RSA
On the other hand, AI has led to a world where cybercrime is gaining new momentum. Hackers can use AI tools to find new vulnerabilities in an organisation’s network and create a new exploit, and attack in a fraction of the time that wasn’t possible before. We have seen AI integration in many of the hacking tools that are sold widely on the black market, offering what is essentially a criminal franchise in a box. These toolkits allow people to easily deploy any kind of attack, because they are pre-engineered with all the analytics and information. So not only do AI and machine learning make it easier to launch an attack, but they are also making it easy to outline new opportunities and vulnerabilities— almost creating new

Additionally, if your current tools and tactics are reaping rewards, why should you invest in AI? It all boils down to return on investment. If a cybercriminal spends months building a malware toolkit, he wants to know how long he will be able to use it and how effective it will be. This means that on the attacker’s front, a significant portion of AI investments will go into driving targeted attacks. With cybercriminals having access to the same technologies the vendors do, the real game changer for organisations lies in their ability to effectively investigate and qualify threats so they can enable a targeted response to an attack or breach. This is a stage of fuzzy logic and where the probabilistic nature of AI can really help. One might ask, how do you anticipate new attacks that you have never seen before? This stage requires the application of knowledge, a role that was typically filled by specialists who read or talked to their peers to build up profiles based on association. Today, because AI is still in its infancy, the recognition capabilities that we get do tend to have significant amounts of false positives. To overcome this, AI solutions of the future will have to cultivate the ability to learn the context in which they are operating to assess their confidence in the results they generate.

For cybersecurity professionals, the scenario goes beyond the evolution of the cyberthreat landscape. The attack surface will only continue to grow as enterprises across the world embrace new technologies like cloud computing and mobility to enable an era of digital transformation. For instance, if you look at the economics of cybersecurity today, it’s shifting significantly towards the cyberoffensive. There is a whole lot more sharing of tactics and toolkits. If you look at attacks and malicious actors, the amount of technical knowledge and capabilities they require is dropping, and the barrier to entry for malicious actors is dropping significantly. If you look at the defensive side, the surface area is rapidly expanding. To facilitate business, we have to constantly find new ways of working and collaborating, enabling new data movement while protecting legacy assets. So, the skills required from a security analyst are increasing. In fact, according to the latest forecasts from Gartner, Inc., there will be 3.5 million unfilled cybersecurity jobs globally by 2021, indicating an immediate need for organisations to address an increasingly evident skills challenge to stay ahead of cybercriminals.

AI can only be as clever as the information it is given to learn from. Today, the data we use for threat detection and investigation is largely siloed, and qualification is built by association. Security is not a one-size-fits-all solution: what is normal behaviour for a retail bank would not be normal behaviour for an insurance organisation. If you understand what’s normal for your environment and what the baseline looks like, only then can you identify the anomaly and react to it in a timely manner. All that intelligence needs to be collated from various sources and fed into the system, so it can do the job effectively. While it may be impossible for a human being to sift through all the data and manually monitor and respond to tens of thousands of daily threats, AI or machine learning cannot take away from the power of the human mind. For AI and machine learning to succeed in cybersecurity, there is a need for rapid adaptability and constant learning to build and maintain an army of skillsets and specialists to remediate and react to those threats.
In the next 10 years, we will get significantly better at using AI to tap into data more effectively and learn better, which will lead to a world where the equilibrium between offensive and defensive will get better. - Vijay Dheap, IBM
With enterprises facing a double-edged sword driven by an increasingly sophisticated adversary and a rapidly expanding attack surface, the ability to harness the true potential of AI and machine learning couldn’t come sooner. AI can help enterprises do more with less, allowing security specialists to focus their efforts and actions on proactive response and remediation to threats, instead of spending time on monitoring new signatures and threat activities. In this sense organisations need to scale their operations across all three stages of the security lifecycle. AI can help them respond quickly, make more accurate decisions, and have greater contextual knowledge of what the risk is, understand the scope of the risk, respond to it effectively, and act quickly. Knowing this, in the next 10 years, we will get significantly better at using AI to tap into data more effectively and learn better, which will lead to a world where the equilibrium between offensive and defensive will get better.
OPINION
5 WAYS TO COMBAT DDOS OF THINGS By Henk Jan Spanjaard, vice president, EMEA Sales at A10 Networks
Threat actors have weaponised the Internet of Things (IoT) and connected devices. They’re using unsecured IoT devices and creating botnets to launch catastrophic distributed denial of service (DDoS) attacks. This has given rise to the DDoS of Things (DoT). Fuelled by headline-making malware like Mirai and Leet, these DDoS attacks have reached unprecedented levels, with DDoS of Things attacks exceeding the 1 Tbps threshold. And it’s only expected to get worse. What can you do to protect your networks, your data and your applications from the DDoS of Things? How can you ensure that a massive IoT-fuelled attack doesn’t take you down? Here, we offer five tactics you can use today to combat the DDoS of Things:
1. Be ready for multi-vector attacks
Like a well-trained soldier, you have to be ready for DDoS attacks to come at you from any angle and in any style. And you have to be prepared for attacks on any solution sets and for any volumes of traffic. It doesn’t matter where it’s coming from, you have to be prepared. Having a plan in place to battle volumetric, multi-vector attacks can make the difference between success and failure. For example, a step as simple as setting up upstream DNS services can protect you from an attack, such as the DDoS attack against DNS provider Dyn, which took out a number of the web’s biggest consumer application services, including Spotify, Reddit, GitHub and Twitter. Having an upstream DNS service could’ve helped those services avoid damaging downtime. What’s your response to huge volumes of traffic being thrown your way? In the cybersecurity world, there’s a simple adage that will always ring true: If you’re not ready, you’re already too late. You have to be prepared.

2. Rate limiting is not enough
Slowing traffic down simply does not work. Threat actors have tools and capabilities that they use and resell that can launch attacks reaching Terabyte and potentially larger traffic levels. Driving traffic down by trying to rate limit it will have no impact. Everyone, everywhere is connected. Even if you’re doing the right thing by rate limiting and driving traffic where it wants to go, someone connected to your network or service with upstream and downstream connections that can affect your infrastructure may not have those capabilities in place. That means you’re going to topple and fall over one way or another. Rate limiting is not enough to fight DDoS of Things threats.

3. Leverage threat intelligence
If your organisation is not using threat intelligence, you are automatically five years behind. Threat actors use it. They gather the latest intel from underground sites, forums, and social networks such as Facebook, Twitter and GitHub, and they use it to go after their targets. They also share information among each other to discuss best practices of how to put plans and procedures in place so they know what or whom to go after. If you’re not at least using open-source solutions and freely available threat intelligence to make your solutions stronger, you’re going to have big issues in the future. Think about a military combat situation – if you have good intelligence, and you are using it, you have a leg up on those who are not, and you will survive longer.

4. Build auto-escalation into your strategy (not just into the technology)
You have to be able to say, “Here’s the threat. Here’s where they’re coming from. This is what it’s going to do. Here are the mitigations in place and the technology we’re using. What do we put in now so we know how to go up?” If threat actors throw targeted multi-vector attacks with more traffic and they know where your fail points are, if you don’t have a strategy in place to auto-escalate extremely quickly and effectively, bad things will happen. The moment you start losing traffic, money is going out the door. If you can’t auto-escalate and auto-mitigate and move it into place to thwart threats in an ongoing fashion it’ll get worse. The capabilities and technologies are there. The strategy and the process to move forward are critical to success.

5. Get ready for scale
IoT devices are scaling. Everything is sending more data. Traffic levels continue to grow exponentially. Scale is the new 10,000-pound gorilla. If you’re not thinking about scale now, you’re well behind the curve. Questions you should ask yourself include: How can I scale everything across all of my disparate environments? How can I implement my mitigation strategy? How can I scale every asset, every tool and every capability? When it does scale, how? Six months from now, the scalability you have in place today isn’t going to be sufficient, especially in the face of today’s more sophisticated DDoS of Things attacks. You need to plan for scale today and in the future.
INSIGHT
IN THE LION’S DEN By Steve Ragan, CSO Online
Researchers at Carbon Black examined the ransomware market and discovered some interesting facts about the booming criminal economy. Mirroring some of the legal technology markets, such as those for software development, the market for ransomware is dominated by unique custom solutions and turnkey offerings. For two months researchers at Carbon Black studied how ransomware is developed and sold to criminals on the darknet. As one would expect, there are thousands of products (45,000) on offer from hundreds of sellers. If you consider the prices of the ransomware products being pitched, the overall ransomware economy has grown more than 2,500 percent, from about $250,000 to $6.24 million from 2016 to 2017. However, those figures come from the base price for ransomware offerings themselves. It’s hard to account for customisation and tailored services, and they don’t take into consideration that some ransomware products simply don’t sell. So, what happens after the ransom is paid? Does the person running the ransomware campaign just collect funds and move on? It’s easy to assume that’s the case, but the reality is completely different. While some sellers are making more than $100,000 a year off ransomware, others are barely breaking even. Usually those not making a tidy profit are bottom feeders who have way too much overhead, or those who haphazardly throw together a list of potential targets in the hopes of getting payments made. Developers of ransomware are making a killing too, because they can create customised solutions – where the real money is – and functional kits that require little to no experience, training, or infrastructure (turnkey solutions).

Ransomware a thriving market
Ransomware offerings range from basic $10 offerings to targeted offerings on Android ($250) and even customised offerings for $1,400. The more customisation that’s required, the higher the price. The most expensive ransomware offering observed by Carbon Black was $3,000, but the entire kit was completely customised and used for targeted campaigns.
When it comes to customisation, ransomware authors offer a number of options including encryption level, file targeting or copying, the ability to delete files if the system is rebooted, malware persistence, or even a forced timer that will delete files every 24 hours if the ransom demand isn’t met. A wide selection of options is just one of the reasons the economy tied to ransomware has flourished. Another reason is availability. With very little investment and overhead, anyone has the opportunity to run a decently sized campaign. “Not only have the dark web marketplaces evolved to better support high-risk, low-trust transactions through escrow systems, but the requirement for ransoms to be paid over the Tor network has ensured there’s no centralised endpoint to investigate with traditional geo-based law enforcement approaches,” Carbon Black’s researchers explained. Finally, the victims themselves are a key reason for such maturity in the ransomware market. They keep paying to recover their files. In 2016, the FBI estimated that more than $1 billion in ransom payments were made. If such payments didn’t happen, criminals would move on to other lucrative targets. Instead, ransomware is where the money is. Organisations that lack backups or a sound recovery plan are often faced with a tough challenge once ransomware strikes – lose the files or give in and pay off the attacker. When Carbon Black asked participants in a recent study if they’d pay to recover files during a ransomware incident, 52 percent said they would.

How the ransomware supply chains work
The ransomware market isn’t too complex. It’s like any other when you get down to its core. Ransomware developers create the product and then offer add-ons and support, so there is a need for strong code skills. The authors can sell direct exclusively, earning a higher payout as a result, but that limits their market reach. Instead, they often develop a base kit and sell that while pushing customisation. Another option is to develop the ransomware and the hosted environment needed to run campaigns and sell access that way, or ransomware as a service (RaaS). With RaaS, the barrier to entry is cheap and few, if any, skills are required to operate a ransomware campaign. In fact, for a cut of the ransom payment (pre-determined before the campaign starts), most ransomware developers will provide some level of custom work and support. There are two levels in RaaS, trusted or verified clients (those who have other confirmed criminals vouch for them) and general (bottom feeder) clients. Reputation matters. The better your reputation among fellow criminals, the more money you get to keep, as the split on ransoms is smaller. In addition, most RaaS offerings have extensive metrics so that campaigns can be graded on effectiveness and profit. In this setting, the ransomware author has the most protection, as the distributor assumes most of the risk.

Stopping ransomware and killing the market
“The silver lining when it comes to breaking the ransomware supply chain is that defenders have an inherent advantage. If defenders can break or interrupt even one link of the chain, the entire attack falls apart,” Carbon Black’s report explained. “Taking down distributors and operators is chasing the tail of the problem. To begin to put a dent in the underground ransomware economy, efforts should be enacted to disrupt the supply chain upstream and change the incentive for malware authors. By decreasing the ROI for attackers, defenders can decrease the financial incentive for the crime.” The key to this is to stop making payments. That is one of the biggest keys to the ransomware market, and those operating campaigns focus their efforts on geographic locations and organisation types that are likely to pay. Salted Hash highlighted one administrator who overcame the problem of ransomware simply by having properly tested and managed backups. “As an industry, we are often getting the fundamentals of security wrong. In too many instances, we are failing to do the basic blocking and tackling of security such as backing up files and systems, testing restorations, patching, having adequate, enterprise-wide visibility, and [updating] outdated prevention measures, such as legacy antivirus,” wrote Carbon Black’s Rick McElroy, one of the report’s authors.
OPINION
THREAT HUNTING - ART OR SCIENCE?
By Raj Samani, Head of Strategic Intelligence, McAfee
Security professionals are in a fight every day to track down criminals who would disrupt their organisation. Attackers nearly always have the element of surprise in their favour, but threat hunting can throw the attackers off their footing. So, what are the characteristics of good threat hunters? We recently surveyed more than 700 IT and security professionals, to identify insights and lessons for organisations looking to understand and enhance their threat hunting capabilities. One of the key questions was the level of maturity of the organisation’s threat hunting activity. Ranging from Level 0, where the organisations rely primarily on automated alerting (i.e. little or no routine data collection) and typical tools include IDS, SIEM and anti-virus, to Level 4, where organisations automate the majority of successful data analysis procedures and use high or very high levels of routine data collection, these self-reported assessments provide useful insight into the current nature of the threat hunt and reveal some surprises about how organisations are investing for future improvement. Some of the key findings include:
• The most mature threat hunting organisations are twice as likely to automate parts of the investigation process, spend 50 percent more of their time actually hunting, and as a result 70 percent of them are closing investigations in a week or less, compared to only 50 percent of the less-mature organisations.
• Mature organisations are three times more likely to consider every level of the identification and investigation processes as viable for automation, especially sandboxing, endpoint detection and response, and user behaviour analysis.
• Tool emphasis changes with experience. Sandboxing was the number one tool for Tier 1 and 2 analysts of all sizes and maturity levels, but Tier 3 and 4 analysts use sandboxing as part of a broader mix of tools.
• Immature companies are trying to use the same tools as the most mature companies, but without the same results. Adopting new tools without changing the processes for hunting and incident response is rarely successful, as success requires an upfront investment in architecture and optimised processes.
• Threat hunters in mature SOCs spend 70 percent more time on customisation of tools and techniques. Custom scripts and Security Information and Event Management (SIEM) are heavily used to automate manual and ad hoc processes.
Observe, Orient, Decide, and Act
Human decision-making can be the critical advantage in many security scenarios, tilting the playing field in your favour. US Air Force Colonel John Boyd first documented the four fundamental parts of this process, which are Observe, Orient, Decide, and Act (OODA). Effective security operations teams are leveraging this process to exploit their adversaries’ weaknesses, supported by automated processes, machine-driven analytics, and curated threat intelligence. Threat hunters often begin with the assumption of a breach or compromise, following clues and personal intuition, and later turning successful hunts into automated rules. Hunting is a human-centric activity, using a wide range of tools and information to seek out hidden threats to the organisation. Based on the survey results, threat hunting begins as an ad hoc process in the least-mature organisations, then swings strongly towards process development before eventually finding an appropriate balance between process and ad hoc in the most mature hunters. Immature organisations tend to aggressively give their hunters sophisticated tools and data, with limited success. By Level 4, hunters have significantly increased their effectiveness as they selectively use tools and data appropriate to their environment and likely attack vectors. As a case in point, our survey revealed that at Level 1, only 40 percent of processes are automated, compared with more than 70 percent by Level 4. This embrace of automation, combined with effective and skilled identification of patterns of anomalous behaviour, results in a synergy between hunting and incident response that delivers faster triage, shorter case closure times, and a much higher percentage of root-cause determination.

Conclusion
Threat hunters are using a wide range of tools and techniques to find, contain, and remediate cyberattacks. As they mature in the role, their effectiveness increases as they are augmented by human-machine teaming, combining human judgment and intuition with machine speed and pattern recognition. One of the key characteristics of mature hunters is the way they leverage automation to improve manual steps in the process, customise scripts for their environment, and quickly test new ideas. In mature environments, leading hunters make use of a wide variety of tools and data sources, continuously updating and improving them and generating a positive OODA loop. For less mature organisations, copying the tools and techniques of the leading hunters is not sufficient. Adding new tools without changing the OODA cycle is unlikely to produce positive results. Sandboxing, automation, and analytics can empower these less-experienced hunters, but organisations that have not invested in architecture and defined processes that support that automation will experience diminished results. Threat hunting is here to stay, and is no longer an esoteric practice limited to a few of the edgier practitioners. Over the next few years, expect to see threat hunting as part of most organisations’ analytics driven security operations, backed by extensive automation and machine analytics.
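The hunt-to-rule workflow described above (start from a baseline of what is normal, test a hypothesis against new events, then capture the successful hunt as a named rule that runs automatically) as an added example. It is not code from the McAfee survey or from this article; the log format, user names and host names are constructed for the demonstration, and the three rule names and the min/max active-hours window are assumptions rather than any product's logic. The same baseline-then-anomaly idea is what the AI piece earlier in this issue calls baselining what ‘normal’ looks like for an organisation.

```python
"""Turning a threat hunt into an automated rule (added example, not from the article).

The log format, users and hosts below are constructed for this demonstration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Iterable

# Constructed authentication events: "<ISO timestamp> <user> <source host> <outcome>".
# The baseline window is assumed to contain only known-good activity.
BASELINE_LOGS = """\
2017-11-01T08:05:11 alice ws-alice-01 SUCCESS
2017-11-01T09:12:40 alice ws-alice-01 SUCCESS
2017-11-02T08:15:02 alice ws-alice-01 SUCCESS
2017-11-01T07:55:19 bob ws-bob-07 SUCCESS
2017-11-02T08:01:44 bob ws-bob-07 SUCCESS
2017-11-02T17:30:00 bob laptop-bob SUCCESS
""".splitlines()

# Constructed events from the window being hunted (last line is deliberately malformed).
HUNT_LOGS = """\
2017-11-06T08:10:05 alice ws-alice-01 SUCCESS
2017-11-06T02:14:33 alice build-srv-03 SUCCESS
2017-11-06T09:00:12 bob ws-bob-07 SUCCESS
2017-11-06T09:05:12 carol ws-carol-02 SUCCESS
2017-11-06T03:40:51 bob ws-alice-01 FAILURE
this line is malformed and is skipped
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAILURE)$")


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    host: str
    success: bool


def parse(lines: Iterable[str]) -> list[AuthEvent]:
    """Parse log lines; malformed lines are dropped instead of aborting the hunt."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, host, outcome = m.groups()
        events.append(AuthEvent(datetime.fromisoformat(ts), user, host, outcome == "SUCCESS"))
    return events


@dataclass
class Baseline:
    """What 'normal' looks like per user: known source hosts and an active-hours range."""
    hosts_by_user: dict[str, set[str]]
    hours_by_user: dict[str, tuple[int, int]]  # (earliest hour, latest hour) seen


def build_baseline(events: Iterable[AuthEvent]) -> Baseline:
    hosts: dict[str, set[str]] = defaultdict(set)
    hours: dict[str, list[int]] = defaultdict(list)
    for e in events:
        if e.success:  # only successful logins define normal
            hosts[e.user].add(e.host)
            hours[e.user].append(e.ts.hour)
    return Baseline(dict(hosts), {u: (min(h), max(h)) for u, h in hours.items()})


@dataclass(frozen=True)
class Rule:
    """A hunt hypothesis captured as a reusable, named predicate over one event."""
    name: str
    matches: Callable[[AuthEvent, Baseline], bool]


def new_host_for_user(e: AuthEvent, b: Baseline) -> bool:
    return e.user in b.hosts_by_user and e.host not in b.hosts_by_user[e.user]


def off_hours_login(e: AuthEvent, b: Baseline) -> bool:
    if e.user not in b.hours_by_user:
        return False
    lo, hi = b.hours_by_user[e.user]
    return not lo <= e.ts.hour <= hi


def user_not_in_baseline(e: AuthEvent, b: Baseline) -> bool:
    return e.user not in b.hosts_by_user


RULES = [
    Rule("new-host-for-user", new_host_for_user),
    Rule("off-hours-login", off_hours_login),
    Rule("user-not-in-baseline", user_not_in_baseline),
]


@dataclass(frozen=True)
class Finding:
    rule: str
    event: AuthEvent


def run_rules(events: Iterable[AuthEvent], baseline: Baseline, rules=RULES) -> list[Finding]:
    """Apply every rule to every event; each (rule, event) hit is one finding for triage."""
    return [Finding(r.name, e) for e in events for r in rules if r.matches(e, baseline)]


def hunt() -> list[Finding]:
    baseline = build_baseline(parse(BASELINE_LOGS))
    return run_rules(parse(HUNT_LOGS), baseline)


if __name__ == "__main__":
    for f in hunt():
        print(f"{f.rule:22} {f.event.ts.isoformat()} {f.event.user}@{f.event.host}")
```

The off-hours rule is deliberately crude (a min/max hour window per user), so a user whose baseline happens to include one late login gets a wide window while a user with a short baseline gets a narrow one; that is exactly the kind of per-environment tuning the survey says mature hunters spend their customisation time on, and it is also where the false positives the AI piece warns about come from.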
PRODUCTS
Brand: Axis Communications
Product: AXIS D2050-VE Network Radar Detector
The device uses radar technology for accurate and reliable area detection of moving objects in a variety of light and weather conditions. It is a good complement to cameras with video motion detection and can be used to track moving objects with PTZ cameras. It also allows for a wide area to be covered, whilst thermal cameras are more suitable for long perimeter protection. Developed primarily for medium-sized industrial installations, the product is designed to integrate with Axis cameras and video management systems.
What you should know: The device is vandal-proof and suitable for outdoor use. AXIS D2050-VE, according to the firm, can deliver real-time information about the position, speed, angle, and size of a moving object. The radar motion detector can be set to trigger camera recording, activate a horn speaker, or switch on a light for deterrence and improved visibility on camera. Axis’ network radar detector can be used as a standalone product or as part of a surveillance system. It is compatible with Axis cameras and can be easily integrated with Axis Camera Station and Axis Camera Management software – as well as other video management systems – for straightforward management and maintenance.

Brand: Ring
Product: Ring Video Doorbell 2
Ring has launched the Ring Video Doorbell 2 with 1080p HD video, adjustable motion sensors and a removable, rechargeable battery pack. According to the firm, it adds next-level security and convenience to any home, so monitoring your property is even easier than before. Ring’s second-generation video doorbell also features customisable, interchangeable silver and brown faceplates, and improved infrared night vision with a 160° field of view and 180° horizontal motion detection angle. It also has two-way audio with noise cancellation, and so-called bank-grade encryption. The device has 1080p HD video and built-in night vision, allowing users to get crisp video details at any time of the day.
What you should know: Ring Video Doorbell 2 is equipped with other features such as a removable, rechargeable battery pack; two-way audio; connectivity to an existing doorbell (8-24VAC); 180-degree horizontal motion detection angle; 160-degree field of view; and compatibility with 802.11 b/g/n (2.4GHz), among others. The device will be available from mid-November across the UAE at AED799.

Brand: Honeywell
Product: DVM R620
Honeywell has enhanced its Digital Video Manager (DVM) that offers smarter security and surveillance capabilities. DVM R620, according to Honeywell, enables organisations in the region to more easily secure large-scale security operations with features that improve operator efficiency and situational awareness for faster incident identification and resolution, and power more accurate and reliable security operations. DVM R620 is well suited for a range of facilities, including complex security installations with stringent requirements— such as airports, correctional facilities, hospitals, higher education campuses and smart cities. It features an enhanced user interface and includes major updates to how operators can capture, access and manage live and recorded video, reliably and efficiently. Based on a highly available distributed architecture, the system features edge recording playback and backfill capabilities, capturing video footage on camera memory cards, and then backfilling the footage to the system’s main server.
What you should know: DVM R620 includes an intuitive user interface and features which help improve operator productivity for faster incident response. It also has productivity features such as bookmarking, which lets operators easily annotate and navigate video footage. This enables faster footage identification and retrieval for evidentiary purposes.
BLOG
TIME TO RETHINK EMAIL ARCHIVING By Nick Saunders, cyber resilience expert, Mimecast
Email is the primary communication tool for the modern business, with over 112 billion emails sent each day by organisations around the world. With the rise in ransomware, phishing and other cyberattacks, email archiving has never been more critical. Protecting legacy data is just as important as newly acquired data, which is why an email archive can be the most important repository of corporate memory. If implemented effectively, it can be the key to accessing the insight and knowledge contained within enormous volumes of enterprise email. When you think about your archive, an old, on-premises storage box, that is expensive, complicated and painful to manage, probably comes to mind. In fact, according to new research from Mimecast and Vanson Bourne, 88 percent of organisations say they have experienced problems with their existing archiving solution. Nearly 60 percent cite administrative complexity as a top challenge, while 48 percent experience a lack of scalability. And another 56 percent are plagued by slow search performance. So, if you’re still thinking about your archive in the traditional sense, or if you’re not thinking at all about your archive, you’re likely making these costly, complicated – and completely avoidable – mistakes:

1. Ignoring upgrades. Haven’t upgraded your archiving solution lately? You’re not alone. On average, most organisations last updated their email archive two years ago. And only 38 percent have upgraded it in the last year. Ignoring updates means missing out on critical patches and bug fixes, which can constrain performance and reduce efficiency.

2. Settling for ‘good enough’ search. When you perform a search, you likely expect fast results – and you probably expect to find what you’re looking for in one attempt. Unfortunately, the magic number when it comes to archive search is ‘five’: on average, users have to run five searches per query, and only five percent actually find what they need. It gets worse. 50 percent say these search queries take longer than five minutes each, with 20 percent reporting search completion times up to ten minutes.

3. Underestimating the importance of e-discovery. Inefficient search is more than just frustrating. It can impact your ability to quickly respond to legal inquiries, and prevent you from meeting regulatory compliance obligations and external requests, like Subject Access Requests (SARs) and Right To Be Forgotten (RTBF) requests under the General Data Protection Regulation (GDPR) – which is a concern for 84 percent of organisations. And come May 2018, all Middle Eastern organisations that do business or have customers in Europe will need to comply with GDPR or face massive penalties. Perhaps because of the legal, regulatory and financial consequences, 44 percent of organisations are not totally confident in their current e-discovery capabilities.

4. Not planning for downtime. Uninterrupted access to email and archives during server downtime is a win-win for everyone: lines of communication stay open, productivity remains high, and disruption after a cyberattack remains low. That is why 91 percent of organisations say that in the event of system downtime or failure, they would want uninterrupted access to their email. Unfortunately, one-third say this isn’t currently possible.

5. Storing your data in one place. Incidents like technical failure, human error and cyberattacks happen – and without sufficient backup and recovery in place, they can destroy your data. One corrupt email, one mistaken “delete,” or one phishing attack is all it takes to wipe out your entire corporate memory. Yet only 50 percent of organisations can recover all their data after one of these incidents occurs, and a further 47 percent say they can recover only some of their data.