Intelligence and monitoring
March 2017, This Week's Editor's Pick, Access Control & Identity Management, Cyber Security, IT infrastructure
Securing your network and the data that travels over it has become something every person needs to consider continuously when using electronic communications, whether at home or in the workplace. There are endless stories about how people and companies have been breached and the consequences that followed.
While many researchers have put a monetary value on a breach – the sale price for Yahoo is supposedly being reduced by $250 million because of its carelessness about a major data breach – there are other issues to consider. If you don’t protect your customers’ sensitive data, will they trust you in future? If something happens to that data once stolen that can be traced back to your company, what legal actions might you face? And then there is the cost of simply recovering from a breach and placating shareholders, partners and customers.
All too often, the consequences of not protecting your data can be self-destructive. The criminals may end up stealing your future business plans, your customer database and all your competitive secrets. If a competitor gets hold of that, your business could suffer.
To obtain a better idea of what’s happening in the world of network security, which is only one area of a complete security posture, Hi-Tech Security Solutions asked a number of people involved in the industry to provide some insights into this seemingly never-secure world.
Know what you’re up against
Paul Williams, Fortinet.
Paul Williams, country manager for southern Africa at Fortinet, says the network security approaches of recent years are simply not fast or comprehensive enough to deal with a constantly changing threat landscape.
“The threat environment is constantly evolving,” explains Williams. “Attackers are increasingly sophisticated and they are collaborating more, often from various bases around the world. We’re seeing an increased incidence of multi-modal attacks, where the victim is distracted by one form of attack while the attackers simultaneously attack from another point.”
He adds that the frequency and speed of attacks has increased too: you may find sub-hour or even sub-second attacks. Time to response has therefore become crucial, and traditional network security approaches are simply not fast enough.
“Organisations today need to integrate and orchestrate their security network off a single pane of glass. They need full visibility and manageability across the network to allow them to analyse the attack, clamp down and mitigate it as quickly as possible, and afterwards run comprehensive reporting and mitigation exercises.”
John Mc Loughlin, J2 Software.
John Mc Loughlin, MD of J2 Software, agrees, noting that the threat landscape is changing “almost daily and the primary threats we see are not around bragging rights anymore. Today’s threats are primarily focused on money.”
The list of reasons for attacks varies from basic attempts to steal money, more sophisticated strategies to extort money, or even to prevent a competitor from making money. “Cyber criminals are spending time innovating by changing attack paths or running multiple pronged and targeted attacks on individuals, while traditional security practitioners are still defending their castles in the same old way. Spending time speaking and consulting – rather than effecting real change by monitoring the items which need to be monitored and reacting to changes,” says Mc Loughlin.
Referring to the Cisco 2017 Annual Cybersecurity Report (http://b2me.cisco.com/en-us-annual-cybersecurity-report-2017), Cisco’s Greg Griessel highlights the top three attacks companies face. “There are multiple threats to networks and companies always face the challenge of staying ahead of the ‘bad apples’ who can disrupt operations. Adversaries have more tools at their disposal than ever before, but currently the top-three threats are:
Spam: The volume of ‘digital junk’ rose during 2016 reaching nearly record-high levels seen a decade ago. New anti-spam technologies and high-profile takedowns of spam-related botnets have helped fight spam, but in the past year Cisco has observed a global increase in spam to the Necurs botnet. Adversaries are becoming professionalised to the point that they are able to continually evolve their strategies and tactics, such as experimenting with a wide range of attachment file types. Some of the more dangerous threats to have emerged include Locky ransomware and the Dridex banking Trojan.
Adware: Software that downloads or displays advertising through redirections, popups, and ad injections (without user consent), is considered adware. It can be difficult, or impossible, for users to distinguish legitimate online ads from malvertising. Increasingly, cybercriminals are using adware to help deliver malvertising, which serves as a critical first step for ransomware and other malware campaigns.
OAuth connection risk: As enterprises shift to the cloud, their security perimeter extends into the virtual realm. With each third-party cloud application that employees introduce into this environment there is an increased risk of Open authentication (or OAuth) connections touching corporate infrastructure and Software-as-a-Service (SaaS) platforms.
The numbers don’t lie
Yet, it’s not all about data theft. The proliferation of ransomware has seen a huge industry develop around simply blackmailing people to regain access to their own data. This seems to be evolving into a dual attack of encrypting data for ransom while also stealing information, but the basics of ransomware remain the same.
Fred Mitchell, Drive Control Corporation.
Fred Mitchell, software solutions division manager at Drive Control Corporation, highlights ransomware as “undoubtedly the main threat faced by organisations today. Ransomware is malware that is covertly installed on basically any device connected to the Internet. It can then lock the system or certain files, requesting payment to unlock it.”
According to an Osterman Research survey, e-mails with malicious links and malicious attachments accounted for 59% of ransomware infections in 2016, Mitchell continues. The Osterman Research survey also shows that just 4% of respondents (from US organisations) were confident that their current security infrastructure will be able to prevent a future ransomware attack.
Gareth James, VMware Southern Africa.
Gareth James, network & security sales specialist at VMware Southern Africa, quotes a survey from PwC in collaboration with InfoSecurity which found that 75% of large organisations suffered staff-related security breaches in 2015. This figure was up from 58% the year before. The insider threat, which has been overplayed in the past, seems to be becoming more dangerous, whether due to malicious intent on the part of employees or careless behaviours.
James notes that the profile of threats is also changing and that they don’t “seek to disrupt, but rather to create a foothold in a network and slowly, but quietly, steal information from the target.
“In order to adjust to this new trajectory of attack, organisations must increasingly seek to secure the inside of the network. The analogy is that of a modern-day ship. Old ships would sink if the external shell was in any way compromised. Modern ships are made up of multiple compartments, each separated from the next by a watertight door. In the same way, our modern networks must compartmentalise into individual security zones, and this prevents what is known as ‘lateral movement’ within a network.”
The result of all these threats is that, according to Andy Robb, chief technology officer at Duxbury Networking, companies – and individual computer users – are moving away from traditional anti-virus solutions to next-generation advanced malware detection and prevention systems. “These incorporate technologies such as behaviour detection, malicious traffic detection as well as emulation and security heartbeat monitoring.”
What to do?
Identifying the problem is one thing, actually putting the processes in place to deal with it is another. As Williams notes, with the scope of attack vectors growing, it’s safe to assume that any automated or digital system is vulnerable to attack.
“We have even seen attacks on self-contained analogue automated manufacturing systems and CCTV camera recording systems recently; while at the same time the rapid uptake of connected wearables and Internet of Things (IoT) is broadening the risk profile of every organisation,” he adds. “The digital economy is expanding networks to encompass users, devices, data, goods and services. Data and applications are now flowing faster across an increasingly diverse landscape of users, domains, and devices.”
With this knowledge as a starting point, Griessel advises on the ways one can protect your network:
• Adopt integrated defence systems.
• Improve threat defence technologies and processes by separating IT and security functions.
• Increase security awareness through employee training and education.
• Implement risk mitigation techniques.
It is important to remember that security is not simply a matter of installing an application and all’s well. In the past, a firewall that was regularly updated was seen as a good defence. Not anymore. The traditional firewall approach to security is rapidly becoming obsolete as the modern Internet environment has many applications that send/receive traffic over ports that are typically allowed by traditional firewalls, explains Robb.
He adds that newer firewall products have extended their scope with built-in applications to overcome the limitations of yesterday’s firewalls. “The technology is able to monitor, control and block hundreds of applications, such as Skype, Facebook, BitTorrent and Yahoo! Messenger, thus helping to enhance employee productivity and rigorously enforce network usage policies.”
And the edge of the network is an important target. James says it is “virtually impossible to plug all the possible entry points into a network. With low-tech attacks, potential intruders simply give ‘free’ USB sticks to employees and wait for the Trojan horse software on the device to dial home once someone inserts it into their computer. The most practical approach is to assume that one will be compromised at the edges, and that one must control both the objects within the network and how the objects in different parts of the network communicate.”
Visibility is key to this approach, he says. One must be able to record normal network interactions and form a baseline of activity that gives the security team the information to raise a flag when it notices background noise that is different from normal network interactions.
Mc Loughlin echoes this, noting that trying to secure your network with a point solution is almost meaningless unless you provide ongoing and continuous monitoring with behavioural analytics that provide visibility and insight into what is really happening.
“Using actionable threat intelligence, you have the ability to make sure the perimeter security measures are working correctly and have not been breached, you ensure that your users are not making accidental mistakes to jeopardise your network, and you can respond as soon as there is a breach. In short, you need unified security management.”
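The baseline-and-deviation approach James and Mc Loughlin describe can be made concrete. The following is an added example, not code from the article or from any of the vendors quoted: it learns which host-to-host paths and traffic volumes are normal from constructed flow records, then flags a later batch for never-seen paths (the lateral movement compartmentalisation is meant to contain), unknown hosts and volume far above the learned baseline. All addresses, ports and byte counts are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (src, dst, dst_port, bytes) standing in for a period of
# "known good" traffic collected from a flow/visibility tool. Not real data.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.5", 445, 120_000),   # workstation -> file server
    ("10.0.1.10", "10.0.2.5", 445, 135_000),
    ("10.0.1.10", "10.0.9.20", 443, 30_000),   # workstation -> web proxy
    ("10.0.1.11", "10.0.2.5", 445, 110_000),
    ("10.0.1.11", "10.0.9.20", 443, 28_000),
    ("10.0.1.11", "10.0.9.20", 443, 31_000),
]

def build_baseline(flows):
    """Learn which (src, dst, port) paths are normal and per-source byte statistics."""
    paths = set()
    per_src = defaultdict(list)
    for src, dst, port, nbytes in flows:
        paths.add((src, dst, port))
        per_src[src].append(nbytes)
    stats = {src: (mean(v), pstdev(v)) for src, v in per_src.items()}
    return paths, stats

def score_flows(flows, baseline, sigma=3.0):
    """Return (flow, reason) pairs for flows that differ from the learned baseline."""
    paths, stats = baseline
    alerts = []
    for flow in flows:
        src, dst, port, nbytes = flow
        if src not in stats:
            alerts.append((flow, "unknown source host"))
        elif (src, dst, port) not in paths:
            # A host reaching a peer/port it never used before: the pattern of lateral movement.
            alerts.append((flow, "new path"))
        else:
            mu, sd = stats[src]
            if nbytes > mu + sigma * max(sd, 1.0):  # max() guards against zero variance
                alerts.append((flow, "volume above baseline"))
    return alerts

def run_demo():
    """Score a constructed batch of new flows against the baseline."""
    new_flows = [
        ("10.0.1.10", "10.0.2.5", 445, 125_000),    # normal
        ("10.0.1.10", "10.0.1.11", 445, 5_000),     # workstation-to-workstation SMB
        ("10.0.1.11", "10.0.9.20", 443, 900_000),   # roughly 30x the usual upload
        ("10.0.1.99", "10.0.2.5", 445, 1_000),      # host never seen before
    ]
    return score_flows(new_flows, build_baseline(BASELINE_FLOWS))
```

A per-source byte baseline is deliberately simple; in production the same idea is applied per path and per time-of-day, and flags feed an analyst rather than blocking traffic outright.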
Of course, it isn’t quite that simple. Companies use their networks for many different communications requirements and you may find your needs are not the same as the company next door. Mitchell notes that your security solution will depend on your network, your current security posture and budget. “Once a thorough assessment is conducted, a security solution must be tailored to safeguard your network against potential threats.”
To end off the article, we asked the interviewees what solutions their companies provide that will assist in securing networks. The following is a brief summary of their responses; there is naturally much more to each of the solutions than we can cover here.
Mc Loughlin says J2 Software provides a selection of solutions, and more importantly, services to help clients. “We push to first provide visibility (we cannot manage what we cannot see), identify risks and take corrective action. The worst thing that security providers do is to drop off a solution, do some training and move to the next sale. We provide tools and we have the artisans to make sure the investment is used to maximum benefit.”
Duxbury Networking provides a range of security solutions incorporating next-generation firewalling, anti-virus, anti-ransomware and wireless security to businesses of all sizes. “Our objective is not only to secure their data, but to give managers the power to maintain complete control over their network environments,” explains Robb. “For example, with intelligent QoS settings and policy based-optimisation, organisations will not only be able to protect their networks and the sensitive data they hold from outsiders, but also from malicious attacks from employees, partners and other insiders.”
“Fortinet offers security solutions across the board, covering every inch of the infrastructure, including wired and wireless networks, end user and IoT devices, access layers, public to hybrid cloud models, software-defined networks, and virtualisation,” states Williams. “We employ advanced technologies like hardware-accelerating FortiASIC processors and security embedded network appliances, including virtual and cloud instances, to ensure that a network’s function, performance, and scalability are not compromised by the solutions securing it.
“Our Fortinet Security Fabric brings traditionally autonomous systems together into a single, aware architecture, designed with three critical and interdependent attributes – broad, powerful and automated. Operating as a single entity, the Fabric delivers complete awareness across devices, users, content, and data flowing into and out of the network, as well as insight into traffic patterns.”
Cisco’s first line of defence for customers is knowledge. “One has to ‘know the enemy’ first, understanding their strategies and tactics,” explains Griessel. “Each year – for the past 10 years – we have compiled the Cisco Annual Security Report. It is part of equipping organisations with a necessary understanding of the threats that exist, as well as new developments or trends.
“The next solution is improving responsiveness. Time to Detection (TTD) is an important measure of the window of time between a network being compromised and the detection of a threat. (TTD is determined by using opt-in security telemetry gathered from Cisco customer security products deployed around the globe.) Bringing down TTD, we are able to reduce attackers’ operational space and the risk for our customers.”
VMware has a network visibility tool called vRealize Network Insight that shows all traffic flows within a data centre. James says, “This mapping tool also makes recommendations of security rules that one should apply within the data centre based on the information collected. VMware also has added capability to place firewalls at every virtual machine in the data centre. These firewalls can easily be mapped to your security policies. This combination of visibility and compartmentalisation gives our customers the capability to secure the inside of their networks.”
As noted above, there are many solutions one can choose to secure a network, but it’s not simply a case of selecting the cheapest one or the one with the best reputation. Each organisation needs to conduct its own security audit to determine what it needs, followed by a process of selecting the solutions that deliver what it requires.
Minimise your risks
Cisco’s Greg Griessel has some advice for organisations concerned about their network security. Cisco advises them to follow these steps to minimise network risks as part of preventing, detecting and mitigating threats:
• Make security a business priority: Executive leadership must own and evangelise security and fund it as a priority.
• Measure operational discipline: Review security practices, patch, and control access points to network systems, applications, functions, and data.
• Test security effectiveness: Establish clear metrics. Use them to validate and improve security practices.
• Adopt an integrated defence approach: Make integration and automation high on the list of assessment criteria to increase visibility, streamline interoperability, and reduce the time to detect and stop attacks. Security teams then can focus on investigating and resolving true threats.
For more information, contact:
• Cisco: www.cisco.com/c/en_za
• Drive Control Corporation: www.drivecon.net
• Duxbury Networking: www.duxbury.co.za
• Fortinet: www.fortinet.com
• J2 Software: www.j2.co.za
• VMware: www.vmware.com/za