An Insight to Security from SITS Group and Pivotal Networks
The challenge of securing your end-to-end infrastructure, securing data and protecting against data breaches continues to grow in complexity. GDPR, with its large financial and reputational penalties, together with high-profile data breaches and cybercrime stories in the media, has focused people's minds somewhat, but the technical requirements and concerns are being challenged by increasingly sophisticated threats. Even organisations that sell security, or pride themselves on their level of protection, are not immune: the CIA, Cellebrite and Deloitte, to name a few, have all suffered large-scale cyber-attacks. Then there is ransomware and malware such as WannaCry and Petya (NotPetya), which in 2017 severely affected the NHS as well as numerous private businesses around the globe.
According to Gartner, 99% of the vulnerabilities exploited through 2020 will have been known to security and IT professionals for at least a year before the incident, meaning the victim had the knowledge to protect themselves ahead of time. An example is the family of Apache Struts vulnerabilities, first seen in 2008, which allow an attacker to execute code remotely on an affected server. Even though these are well-known and well-understood vulnerabilities with patches available, they remain among the most common exploits seen during security assessments. The challenge for business is the lack of IT resource, the volume of threats, and budgets being targeted at protection against "unknown", or zero-day, threats. Although budgets are increasingly set aside for protection against zero-day attacks, these threats made up only 0.4% of vulnerabilities in the last decade. Unfortunately, this focus often has a detrimental effect on the business's ability to fix critical vulnerabilities, meaning that known threats are not always defended against in a timely manner.
The challenge of "knowing" that your infrastructure is secure is fundamentally more complex than it once was. This is due to many factors: distributed infrastructure residing in private and public clouds; hosted PaaS and SaaS services; and an ever-increasing user base wishing to access and consume business services and data from any location at any time. In today's evolving threat landscape, it is highly unlikely that a single security platform can protect all of the services, data locations and entry points to your infrastructure.
Security as a holistic approach needs to account for human involvement. People are intrinsically the weakest link in the chain, despite many businesses investing time and money to educate the workforce about social engineering, phishing, unsolicited email and system security. A single person clicking an embedded link in an email; plugging in removable storage such as a USB stick that may be unknowingly infected; downloading executables from unverified sources; or approving an access request in a web-based application could each give an attacker the access they desire.
A layered approach built from several best-of-breed vendors is now widely accepted throughout the industry. Good due diligence may result in a security vendor being selected because it can cover several of your requirements, but the likelihood is that a number of security products or services will be needed to provide complete protection. For example, a single vendor may be able to provide perimeter protection, IPS and web filtering but not endpoint security or cloud access security.
GDPR brings further requirements for some sectors, requiring analysis of what types of data are held and where. It also brings focus onto the business processes and operational controls that are wrapped around the personal and business data an organisation holds. To comply with GDPR, a business must be able to evidence that all reasonable measures have been taken to secure that data.
As well as keeping all your security services and platforms up to date, businesses must be confident that they are actually working. Are the services the application relies on running? Are they detecting threats? Are infected files being cleaned or quarantined? Are suspicious files being submitted to a sandbox for investigation? Is suspicious user behaviour being detected and reported? Answering these and many more questions is an ongoing management task. The more you can centralise and monitor the better, but keeping on top of the security controls will undoubtedly remain a full-time role within the business.
Many of our clients have asked whether this type of service can be outsourced and managed for them, and of course the answer is yes. Managed SOC offerings are growing and we can provide them for our clients. However, there is no such thing as a free lunch, and this type of service normally comes at a high financial cost. Ultimately you are only outsourcing the day-to-day management of the platform. It is vitally important to understand that you remain entirely responsible to your organisation for the security of your services and data. Your business, and ultimately its board of directors, also remains responsible in law, and under GDPR, for the security of your customers' data.
Selecting products that can deliver a high level of integrated automation is one key way to reduce direct administration time. For example, when a service running throughout your network looking for known and unknown (zero-day) threats finds a suspicious object, that service should investigate it further, confirm whether it is a genuine threat and, where appropriate, take a control action. Automation then means that, once a zero-day threat is identified, the other security services and platforms in your environment, such as server and endpoint protection, are updated automatically. These updates may carry intelligence about the newly identified threat so that other scanning engines can detect and remediate it, or inject patterns directly into IPS systems. Such systems minimise the need for human intervention, improving both the speed and the quality of protection. The human's role becomes checking the alert that was generated and confirming, from a NOC/SOC dashboard or a summary report of the incident, that the desired action was taken and completed successfully.
This utopia, however, comes with risk: incorrectly configured automation can pose a greater risk than the exploit it responds to. Without prior knowledge of the estate or tuning, security products that use sandboxing to explore, detonate and analyse applications can quickly inject patterns and signatures into perimeter and endpoint controls that block those applications, and where this goes unchecked it could bring the organisation it is meant to protect to a halt.
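The guardrails that stop the automation above from becoming the outage it is meant to prevent are mostly policy, not detection. The following is an added illustration written for this article, not code from any vendor mentioned on this page: a small decision function that sits between a sandbox verdict and the controls that would consume it, and only pushes a block automatically when the score and observed behaviour agree and the file is neither sanctioned business software nor already widespread in the estate. The field names, thresholds, behaviour tags and sample hashes are assumptions chosen for the example.

```python
"""Guardrails between a sandbox verdict and automated blocking.

Added example, not vendor code. Schemas, thresholds and sample data are
assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Behaviour tags (assumed names) that justify a machine-issued block.
HIGH_SEVERITY = frozenset({"encrypts-user-files", "deletes-shadow-copies",
                           "injects-into-lsass"})


@dataclass(frozen=True)
class Verdict:
    """What one sandbox detonation reported about a file (assumed schema)."""
    sha256: str
    score: int                      # 0 (benign) .. 100 (certainly malicious)
    behaviours: FrozenSet[str]      # behaviour tags observed during detonation
    signer: Optional[str] = None    # code-signing subject, if signed


@dataclass(frozen=True)
class Environment:
    """What the responder knows about its own estate (assumed schema)."""
    total_endpoints: int
    prevalence: Dict[str, int]      # sha256 -> endpoints the file was seen on
    allowlist: FrozenSet[str]       # hashes of sanctioned business software
    trusted_signers: FrozenSet[str]


def decide(verdict: Verdict, env: Environment,
           auto_block_score: int = 90,
           max_prevalence: float = 0.05) -> Tuple[str, str]:
    """Return (action, reason): 'block', 'review' or 'monitor'.

    'block' pushes the hash to IPS and endpoint controls with no human in
    the loop; 'review' raises an alert for an analyst and pushes nothing;
    'monitor' only records the verdict for later hunting.
    """
    seen = env.prevalence.get(verdict.sha256, 0)
    ratio = seen / env.total_endpoints if env.total_endpoints else 0.0

    # 1. Low scores are recorded, not acted on.
    if verdict.score < 50:
        return "monitor", f"score {verdict.score} below review threshold"

    # 2. Sanctioned software is never blocked by a machine, whatever the
    #    sandbox scored it: installers and updaters often look hostile.
    if verdict.sha256 in env.allowlist:
        return "review", "hash is on the business allowlist"

    # 3. Blast radius: a file already on many endpoints is either a
    #    widespread outbreak or a line-of-business application. Either way,
    #    a network-wide block needs a human to confirm it first.
    if ratio > max_prevalence:
        return "review", (f"present on {ratio:.0%} of endpoints "
                          f"(auto-block limit {max_prevalence:.0%})")

    # 4. A high score on a file from a trusted signer is a contradiction
    #    worth eyes-on: a stolen certificate or a sandbox false positive.
    if verdict.signer in env.trusted_signers:
        return "review", f"high score but signed by trusted signer {verdict.signer!r}"

    # 5. Block automatically only when score and behaviour corroborate.
    if verdict.score >= auto_block_score and verdict.behaviours & HIGH_SEVERITY:
        return "block", "high score with destructive behaviour observed"

    return "review", "high score but no corroborating destructive behaviour"


def demo() -> Dict[str, Tuple[str, str]]:
    """Run the policy over constructed verdicts; returns name -> decision."""
    # Constructed estate: 2000 endpoints, one sanctioned ERP updater.
    env = Environment(
        total_endpoints=2000,
        prevalence={"a" * 64: 3, "b" * 64: 1800, "c" * 64: 4, "d" * 64: 0},
        allowlist=frozenset({"c" * 64}),
        trusted_signers=frozenset({"Example Corp Ltd"}),
    )
    samples = {
        "ransomware": Verdict("a" * 64, 97,
                              frozenset({"encrypts-user-files", "deletes-shadow-copies"})),
        "erp_update": Verdict("b" * 64, 93,
                              frozenset({"writes-program-files", "creates-service"}),
                              signer="Example Corp Ltd"),
        "sanctioned": Verdict("c" * 64, 88, frozenset({"spawns-powershell"})),
        "odd_dropper": Verdict("d" * 64, 92, frozenset({"contacts-unknown-host"})),
        "adware": Verdict("e" * 64, 30, frozenset({"modifies-browser-homepage"})),
    }
    return {name: decide(v, env) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:12s} {action:8s} {reason}")
```

Only the ransomware sample is blocked without a human. The ERP updater scores almost as high, but because it is already on 90% of the estate the policy refuses to let a machine push that block, which is exactly the "bring the organisation to a halt" scenario described above. The analyst's job is then the one the previous paragraph describes: confirm the alert and the action taken, rather than hand-distribute signatures.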
There is no single answer to the challenges faced every day, but choosing the right products and engaging with specialists is the first step to mitigating risk to your business. Robust network perimeter security, user education, and encryption of data at rest and in transit all now fall within the scope of the "all reasonable measures" a business is expected to take to secure its data.