Page 1

ISSUE 14 | FEBRUARY 2017 www.securityadvisorme.com

DDoS Email security

Risk assessment

BACK TO THE ROOTS SONICWALL’S REGIONAL HEAD TALKS OF LIFE AFTER DELL


WE ENSURE YOUR BEST-KEPT CORPORATE SECRETS REMAIN JUST THAT.

Corporate cyber espionage threatens to compromise everything an enterprise stands for. The ability to intercept an attack can make all the difference between success and failure. At DarkMatter, the world’s brightest minds are helping the region’s largest companies stay ahead of evolving cyber threats. Whatever the scope, scale and sensitivity of your work, we offer the full spectrum of solutions to safeguard your crown jewels. Take your first step towards genius: contactus@darkmatter.ae


STRATEGIC INNOVATION PARTNER

STRATEGIC PARTNER

CONTENTS

FOUNDER, CPI MEDIA GROUP Dominic De Sousa (1959-2015) EDITORIAL Group Editor Jeevan Thankappan jeevan.thankappan@cpimediagroup.com +971 4 440 9129 Online Editor Adelle Geronimo adelle.geronimo@cpimediagroup.com +971 4 440 9135

12

Contributing Editors James Dartnell james.dartnell@cpimediagroup.com +971 4 440 9153

BACK TO THE ROOTS

Janees Reghelini janees.reghelini@cpimediagroup.com +971 4 440 9167 Glesni Holland glesni.holland@cpimediagroup.com +971 4 440 9134

Sonicwall’s Shahnawaz Sheikh, talks of life after Dell.

DESIGN Senior Designer Analou Balbero analou.balbero@cpimediagroup.com +971 4 440 9140 Designer Neha Kalvani neha.kalvani@cpimediagroup.com +971 4 440 9156 ADVERTISING Group Sales Director Kausar Syed kausar.syed@cpimediagroup.com +971 4 440 9130 Sales Manager Merle Carrasco merle.carrasco@cpimediagroup.com +971 4 440 9147 CIRCULATION Circulation Manager Rajeesh M rajeesh.nair@cpimediagroup.com +971 4 440 9119 PRODUCTION Production Manager James P Tharian james.tharian@cpimediagroup.com +971 4 440 9159 Operations Manager Shweta Santosh shweta.santosh@cpimediagroup.com +971 4 440 9107 DIGITAL SERVICES Web Developer Jefferson de Joya Abbas Madh Photographer Charls Thomas Maksym Poriechkin webmaster@cpimediagroup.com +971 4 440 9100 Published by

Registered at Dubai Production City, DCCA PO Box 13700 Dubai, UAE Tel: +971 4 440 9100 Fax: +971 4 447 2409 Printed by Printwell Printing Press Regional partner of

© Copyright 2017 CPI All rights reserved While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.

06

UNDER SIEGE DDoS attacks are getting vastly bigger and complex.

08 14

SIGNED AND SEALED What is in store for email security in 2017 and beyond? DEFENSIVE MEASURES Jonathan Blackmore, Senior Partner, EY, on how to build cyber resilient systems.

18 22

28

32

A WATCHFUL EYE Agility Grid CEO spells out trends in surveillance. PROACTIVE CYBERSECURITY IN MANUFACTURING Why this sector is a soft target for cybercriminals. IOT SECURITY Top security nightmares stemming from IOT. CYBERSECURITY INNOVATION Fortinet’s CTO talks about five areas of R&D for his company.


NEWS

KEEPER: 123456 IS STILL THE WORLD’S MOST USED PASSWORD

F5 NETWORKS NAMES NEW CEO F5 Networks has announced the appointment of François LocohDonou as the François Locoh-Donou company’s (incoming CEO) F5 Networks new President and Chief Executive Officer and a member of F5’s Board of Directors, effective 3rd April 2017. Locoh-Donou succeeds current President and CEO, John McAdam, who will remain a Director on F5’s Board upon his retirement on 3rd April 2017. Since McAdam joined in 2000, he has led F5 to $2.0 billion in annual revenue, with 49 of the Fortune 50 as customers, and numerous industry and community awards. “I am honoured to take on the CEO role at F5,” said LocohDonou. “I have admired John’s stewardship of the company’s values and vision and I bring a shared commitment to grow F5’s people, partnerships, product and services portfolio, in response to the increasing cloud and security demands of F5’s customers.” Locoh-Donou currently serves as Senior Vice President and Chief Operating Officer of Ciena, a network strategy and technology company. He previously held successive leadership positions at Ciena, including Senior Vice President, Global Products Group; Vice President and General Manager, EMEA; Vice President, International Sales; and Vice President, Marketing. Prior to Ciena, Locoh-Donou held research and development roles with Photonetics, a French optoelectronics company.

4

02.2017

Keeper Security, a cybersecurity company that develops a password management software, has recently released a list of the most common passwords of 2016. The list was determined by more than 10 million passwords that became public through data breaches last year. Among the companies that fell victim to such incidents include LinkedIn, Yahoo, and Target. In a blog post published by the company, it revealed that the top 25 most popular passwords are series of letters and numbers that have been appearing on lists since 2011. Passwords such as “12345,” “qwerty,” “google” and the extremely obvious “password” all made the list — again. “123456” is being used by in incredible 17 percent of users in the study.

Keeper also mentioned that four of the top 10 passwords on the list – and seven of the top 15 – are six characters or shorter. “This is stunning in light of the fact that, as we’ve reported, today’s bruteforce cracking software and hardware can unscramble those passwords in seconds. Website operators that permit such flimsy protection are either reckless or lazy,” said the company in the blog post. “We can criticise all we want about the chronic failure of users to employ strong passwords. After all, it’s in the user’s best interests to do so. But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn’t hard to do, but the list makes it clear that many still don’t bother,” said Keeper.

Kaspersky Lab urges finance firms to strengthen online fraud defences Banks and payment organisations are finding it difficult to manage online fraud in today’s connected and complex technological landscape, according to a survey by Kaspersky Lab in collaboration with B2B International. The study further highlighted that over 38 percent of organisations admit that it is becoming increasingly hard to tell a fraudulent transaction from a genuine one. As the number of online transactions increases, so does the level of online fraud, with 50 percent of financial services organisations surveyed believing online financial fraud is increasing. It is clear that financial institutions need to make every effort to protect their business and customers from cybercriminals. According to these findings, about half of the organisations operating in the electronic payments landscape use non-specialist solutions, which, according to statistics, are unreliable against fraud, and show a high

percentage of false positives. “Considering the aggressive competition in today’s fierce financial services market and the extreme disruption from nontraditional providers, a trusted relationship between customers and their financial institutions is a decisive factor for the long-term prosperity of any company. The interdependence of the digital relationships between all financial services market players also means that if any organisation in the value chain experiences a digital service issue (whether due to fraud, breach or cyber-attack), the damage can quickly spread to the other organisations in that digital financial service value chain,” said Ross Hogan, Head of Fraud Prevention, Kaspersky Lab. Kaspersky Lab’s experts also recommend that banks and payment services use comprehensive online fraud protection methods to protect their clients at several levels.

www.securityadvisorme.com


DIGITAL SHADOWS EXPANDS ADVISORY TEAM Digital Shadows has announced that several “leading cybersecurity luminaries” including Art Coviello, Tim Belcher, Jim Bandanza, Dr. Srinivas Mantripragada and Ian Art Coviello, Member Cook have joined the of Advisory Board, company’s advisory team Digital Shadows as the business heads into its sixth year of operation. “We are excited to welcome such respected security figures to help Digital Shadows as it enters the next phase of its expansion and growth,” said Alastair Paterson, CEO and Co-Founder of Digital Shadows. “The first five years of our company have set the groundwork in place for us to build upon so we can continue to improve what we do securing our customers around the world, and with this strengthened advisory panel, we can face the future with even more confidence.” Art Coviello was former Executive

Chairman of RSA, The Security Division of EMC. During his two-decade career at RSA he has helped the company succeed in the information security space. Meanwhile, Tim Belcher has been a Director of White Ops, Inc. since January 2015. He serves as Member of Advisory Board at Invincea, Inc. and Security Growth Partners. He is also the CTO and co-founder of NetWitness Corp. Jim Bandanza brings over 20 years of enterprise security and software experience to the Digital Shadows Advisory Board as CRO/ Chief Operating Officer at CounterTack. Dr. Srinivas Mantripragada is responsible for the overall product direction, technology and architecture at RedShift Networks. Lastly, Ian Cook joins Digital Shadows in an advisory role helping the business focus its efforts better towards incident responders and analysts. He is the CEO and Founder of Corbels Security Services and has 35 years of experience in advising businesses in their strategic decisions.

RedSeal: CEOs reveal cyber naiveté as security incidents rise RedSeal has released the results of a CEO study, which surveyed perceptions of – and Ray Rothrock, RedSeal confidence in – their cybersecurity posture. The study, based on a survey of 200 chief executive officers from organisations across a host of major industries, including technology, finance, manufacturing, government and retail. It found that more than 80 percent of CEOs are very confident in their firm’s cybersecurity strategies, despite the fact that security incidents have surged 66 percent year-over-year since 2009, according to PwC’s 2017 Global State of Information Security Survey. “CEOs are underestimating their companies’ cyber vulnerabilities,” said Ray Rothrock, Chairman and CEO, RedSeal. “Their confidence does not square with what we observe. Cyber-attacks are up and financial losses associated with these attacks

www.securityadvisorme.com

are increasing dramatically.” The RedSeal study found that half of the CEOs still prioritise keeping hackers out of the network, versus just 24 percent who were concerned with building capabilities to deal with hackers who have successfully breached their network’s perimeter defences. It also revealed that while 87 percent of CEOs agree that they need a better way to measure the effectiveness of their cybersecurity investments, 84 percent still plan to increase their spending in the next year. “We’ve reached an inflection point where cyber-security strategies and investments have underperformed for an extended period of time. Analysts estimate that cyber losses are now growing more than twice as fast as the spend on security,” said Rothrock. “To stem this tide, CEOs and boards need more effective metrics to understand the real-time health and function of their network, and to more clearly manage and measure their cyber strategies and investments.”

FORTINET APPOINTS NEW CISO Fortinet has announced the appointment of Phil Quade as Chief Information Phil Quade, Fortinet Security Officer (CISO). Quade will take responsibility for Fortinet’s information security and ensuring its compliance with the latest global regulations and standards across all systems. As CISO, Quade will lead the strategy and expansion of Fortinet’s federal and critical infrasructure business. In his new role, Quade will leverage his experience in managing cyber strategy solutions with global intelligence and partnerships to ensure that both Fortinet and its global customers have the most effective, broad security postures. “Bringing together the right mix of technology, threat intelligence risk management and partnerships to protect global information and assets is my passion. Fortinet’s Security Fabric vision aligns perfectly to what it takes to deliver an endto-end, intelligent, scalable, and integrated security architecture for today’s digital economy,” said Quade. “I am thrilled to join Fortinet’s leadership team and contribute to its vision, both in leading our internal information security efforts as well as providing strategic guidance and programs to help safeguard our global customers.”

02.2017

5


FEATURE

UNDER SIEGE

DDoS attacks are vastly bigger now. Here is what you need to do to protect yourself and your network.

D

istributed denial-of-service (DDoS) attacks are certainly nothing new. Companies have suffered the scourge since the beginning of the digital age. But DDoS seems to be finding its way back into headlines in the past six months, thanks to some high-profile targets and, experts see, two important changes in the nature of the attacks. The targets are basically the same — private companies and government websites. The motive is typically something like extortion or to disrupt the operations of a competing company or an unpopular government. But the ferocity and depth of the attacks have snowballed, thanks in large part to the proliferation of botnets and a shift from targeting ISP connections to aiming legitimate-looking requests at servers themselves. Half the time DDoS attacks go unnoticed by end-users, but about a quarter of the time they completely shut down services, according to a Kaspersky Labs survey. About one fourth of the attacks result in loss of data, possibly carried

6

02.2017

out by accompanying attacks. The incidence of DDoS attacks lags behind malware, phishing and network intrusions, the survey says. What are the best ways to stop DDoS attacks? “Taking on DDoS attacks requires a new approach that not only detects increasingly complex and deceptive assaults but also mitigates the effects of the attack to ensure business continuity and resource availability,” says Scott Manson, Cyber Security Leader for Middle East and Turkey, Cisco. Partick Grillo, Senior Director, Solutions Marketing at Fortinet,

says the best way is a combination of methodology and technology. “By methodology we mean combining onpremise protection with cloud based services. This allows the organisation to take the best of both options to improve their protection against a DDoS attack. From a technology perspective, it’s absolutely essential that the chosen solution has full visibility of the incoming and outgoing traffic. Due to the sophisticated nature of today’s DDoS attacks, just sampling network traffic is no longer effective in detecting and responding to an attack.”

Identifying whether a crashed server is a result of genuine traffic or DDoS attacks can be tricky. A good indicator lies in the amount of time in which service has been down. - Hadi Jaafarawi, Managing Director, Qualys ME

www.securityadvisorme.com


FEATURE

While organisations always want to find threats as quickly as possible, that ideal is far from being met, and the same holds true in the case of DDoS attacks. “When a DDoS attack hits your network, a long time can pass before the security/network staff fully realises it is actually a DDoS attack that is affecting the services, and not a failing server or application,” says Manson. But is it possible to detect and mitigate DDoS attacks in real-time? And how can you tell the signs of an active attack? “Identifying whether a crashed server is a result of genuine traffic or DDoS attacks can be tricky. A good indicator lies in the amount of time in which service has been down. If the pattern shows that service has been sluggish or denied for a number of days rather than a spike due to a flash sale per say, then it’s time to conduct a thorough investigation into the root cause,” says Hadi Jaafarawi, Managing Director, Qualys ME. Detecting and mitigating a DDoS attack can be difficult but not impossible, says John Shier, Senior Security Advisor, Sophos. He adds that an important factor in detecting a DDoS attack is in knowing what your everyday traffic looks like. If you see a sudden spike in outbound connections from your network or hosts communicating on unexpected protocols, you may have a problem. Mitigation for this involves implementing filtering rules on your firewall to block the traffic in question. The host in question may also become slow if resources are being consumed for the purpose of the attack. Unfortunately this is rare since one of the defining characteristics of a DDoS attack is to spread the attack load across many compromised devices. Candid Wueest, Security Analyst and Researcher at Symantec says a DDoS attack scenario should be part of every incident response plan. “A company’s CERT or IT staff needs to check their exposure before an actual attack www.securityadvisorme.com

Businesses should create a plan with the required contact information for ISPs and Web hosting providers. Most ISPs are interested in keeping their network bandwidth unclogged and will help mitigate the attack where they can. - Candid Wueest, Security Analyst and Researcher at Symantec

happens. Know who to call. Businesses should create a plan with the required contact information for ISPs and Web hosting providers. Most ISPs are interested in keeping their network bandwidth unclogged and will help mitigate the attack where they can.” The cost of recovering from an attack is significant, particularly for small and midsize businesses. In a special report on security risks, Kaspersky Labs noted, “On average, a DDoS attack costs SMBs more than $50K in recovery bills, which is significantly more than the typical costs they face recovering from other types of attack.” For some reason, though, companies still aren’t convinced that investing in security against DDoS attacks is money well spent. The Kaspersky Labs survey found that only around half of respondents (56% of IT professionals) believe that spending money to prevent or mitigate an attack would be worth the investment. There are many factors to consider in evaluating anti-DDoS solutions in the market. Manson from Cisco says defending against DoS attacks occurring at the network layer requires a network architecture that can absorb large blasts of traffic and that filters all traffic so that only web traffic is permitted onto the network. According to Cisco, there are three

questions you should ask when it comes to choosing a DDoS mitigation solution: 1. Does the solution absorb all attack traffic? Not all attacks target web applications or services. Attacks sometimes attempt to sneak in through FTP or non-web ports; look for a solution that can evaluate all of your traffic in order to protect the site more effectively. 2. Does it offer positive protection? Many DDoS attacks at the network level can be stopped by only allowing legitimate HTTP traffic onto the network. The solution should drop all other non-application traffic or UDP packets without application payloads. 3. Is the solution always on? Security controls only protect your website or application if they are up and running. You need to determine the availability level promised by the solution and how it’s delivered. Does the solution provider guarantee availability with a service level agreement? Many enterprises in the region are yet to invest in DDoS prevention systems of any kind. Security experts warn the risks of not investing in DDoS prevention and protection are more than monetary, and could lead to lost business contracts and damaged reputation. 02.2017

7


INSIGHT

SIGNED AND SEALED What is in store for email security in 2017 and beyond?

t’s been more than 45 years since email was invented. Despite its age, however, it remains elusive to secure. Email security is of paramount concern in any organization. A significant percentage of malware is delivered via email, on the premise that an unsuspecting user will open the message, allowing the malware payload onto the user’s machine. From there, malware can worm its way into the network and wreak various kinds of

I

8

02.2017

havoc, often undetected, sometimes for months or even years. For most enterprises it is not enough to make sure their own email platform is secure. If their suppliers are not equally secure, they can be as vulnerable to criminal hackers and data leaks from human error as the weakest link in their supply chain. According to a recent report from the Ponemon Institute, an average large company spends around $3.7 million a year dealing with phishing attacks. Why is email security still a struggle for companies today?

Heino Gevers, Customer Experience Manager, Mimecast Middle East and Africa, says cybercriminals are using email as a primary vehicle to steal credentials, corporate data and other valuable intellectual property, or to deliver threats such as ransomware. “Though there have been incredible advancements in email security technology, businesses often cannot deploy this new technology quick enough to counter the evolving cyber threats that threaten their security. And often, cybercriminals prey on human error and misjudgment; disguising www.securityadvisorme.com


their attacks in ways that seem legitimate to even the savviest of email recipients.” It is estimated that 99 percent of cyberattacks start with email. As more organisations move on-premises technology infrastructure to thirdparty cloud solutions, they are faced with a dramatic shift in operational dependencies, poor visibility into security, and unexpected risk. “Now, more than ever, organizations need a fresh and realistic approach to cyber resilience planning that spans security, data protection, business continuity and end-user empowerment. Unfortunately, there is no silver bullet security solution available and therefore a multi layered approach towards managing risk and encompassing people, processes & technology should be used,” says Geverz. Here are some ways to update your email security best practices. RE-EVALUATE THE ROLE OF EMAIL IN YOUR ORGANISATION “Companies understand that security is important, yet they still do email in an insecure way,” says Seth Robinson, Senior Director of Technology Analysis at CompTIA.

He recommends studying how your organisation uses email and ensuring that it matches your risk tolerance. “What do you need to accomplish with email?” Robinson says to consider and then protect the entire system, including application, server and connection, accordingly. He adds that many organisations built their email infrastructure long ago and have not reviewed their vulnerabilities since. REVISIT GOVERNANCE. Peter Firstbrook, VP at research firm Gartner, says a finely tuned governance body could help broker a tricky situation like when an executive uses rogue resources. A cross-functional body (with representatives from departments such as legal, IT and human resources) could explain the compliance risk of using non-compliant resources to the executive while encouraging IT to help find a secure workaround. Security experts say governance bodies also can help ensure that if an organisation switches to cloud-based email, incident response processes are tested regularly. If a server is onpremises and something bad happens, IT can turn it off quickly.

Though there have been incredible advancements in email security technology, businesses often cannot deploy this new technology quick enough to counter the evolving cyber threats that threaten their security. - Heino Gevers, Customer Experience Manager, Mimecast MEA

www.securityadvisorme.com

MAKE ACCEPTABLE USE POLICIES USABLE. Governance bodies also can ensure that acceptable use policies are updated to address mobility, the cloud, social networking and other essential topics. “We have found that organisations don’t have thorough acceptable use policies and that they don’t train users well enough on them or remind them enough about them,” says Michael Osterman, President of Osterman Research. CONSIDER EDUCATED USERS YOUR BEST WEAPON AGAINST PHISHERS. Hand in hand with acceptable use policies should be education about phishing, according to Osterman. “People are still very gullible and don’t think hard enough about the content they receive,” he says. While technology such as data loss prevention (DLP) can help detect phishing attempts, users need to be the first line of defense, according to Osterman. “The integration of email and social file sharing is opening up possibilities for bad things to happen,” he says. As an understanding of the need to have email security solutions takes hold across sectors, we can also expect to see more cloud-to-cloud emailing in the enterprise. “Cloud adoption continues to rapidly increase and so has the demand for integration between cloud based platforms. Email is the most efficient, simplest and cost-effective integration tool currently available to support this and therefore the reliance on email is increasing not just as a primary form of communication tool for businesses but also as a collaboration and integration tool,” sums up Gevers.

02.2017

9


4 trends to watch in 2017

SECURITY & IDENTITY VERIFICATION

Multi-Factor Authentication (MFA) takes a biometric twist

1

Password

Your verification code is 123

SME Authentication Push-to-accept Biometrics

PASSWORD PROTECTION

TWO-FACTOR AUTHENTICATION

Not enough by itself

A step in the right direction

of organisations use MFA to protect users and networks

93%

of businesses plan to increase MFA adoption through 2017

30%

MFA Multiple data sources - best protection

BUT MANY MFA STRATEGIES FAIL TO BALANCE USER EXPERIENCE AND SECURITY Biometric solutions can close the gap between user experience and network defence

Know Your Customer (KYC) compliance gets digital

2

KYC is the process of a business identifying and verifying the identity of its clients.

THE OLD WAY

THE NEW WAY

Online process interupted by need to physically present ID documents

Tie digital and real-world identities together with greater certainty

RESULTS

RESULTS

Online account opening

Improved identity verification

abandonment

Reduce fraud

Increased overhead

Remove friction from the process

Poor customer experience

Increase account opening conversions


Trust moves to centre stage in the sharing economy

3

48%

of Americans find sharing economy services such as AirBnB, HomeAway, Uber, or Lyft to be trustworthy

“Verified identity helps peel back the first layers of trust between strangers, which is crucial for the success of the sharing economy.”

3 COMPONENTS OF A VERIFIED IDENTITY PROGRAMME:

600 MILLION devices will use some kind of biometric authentication by 2021

?

Trust will be defined by what technology can tell us about that person who they really are, not who they “say” they are online.

1. ID Validation

1. Face Match

Is the person providing a valid/unaltered form of ID?

Does the person’s face match the photo on the ID?

1. Identity Verification Is the person really who they say they are?

Technology expands the meaning of identity verification

4

TRADITIONAL IDENTITY VERIFICATION IS TOO LIMITED. still photo

name

address

67% of compliance officers said improving systems and adopting new technology will be the most important change in the next year

HOW WILL THE DEFINITION OF A VERIFIED IDENTITY EXPAND? still photo

facial recognition

iris scan name

fingerprint

As regulatory requirements tighten globally and the risk of fraud puts greater pressure on security organisations

behaviour geo-location social media Source: Jumio


COVER STORY

BACK TO THE ROOTS What the Dell spin out means for SonicWall’s customers.

S

onicWall was spun off to a private equity firm as part of the massive Dell/ EMC merger last year. In this exclusive interview, Shahnawaz Sheikh, Sales and Channel Director for META, CEE region, talks about the company’s cloud strategy, and how the changing threat landscape is opening up new opportunities for SonicWall, which is better known in the SMB space. What does the spin out from Dell mean for your company and customers? SonicWall, with a history of 25 years of innovation and protecting over a million customer networks worldwide, has now become an independent company and it is business as usual to our partners and customers. Our mission has always been ‘customer first’ and have strived to eliminate complexity at the engineering level, and bring products and solutions that are comprehensive, easy to deploy and manage. Now being independent means we will continue our journey in delivering world-class solutions to our large and dedicated base of customers and help them defend against the explosive growth of cybersecurity threats. 12

02.2017

Where is SonicWall now focusing its development efforts? SonicWall has a strong reputation of being a 100 percent channel friendly company, and we have launched our new partner programme called SecureFirst last November. We will continue to focus on our efforts and plans in areas that demand much more attention than before to strengthen our go-to-market mechanism by investing more in our partners, and a strong and committed product roadmap. Now that we are independent again, we agoing to pick the pace and expedite innovation around our products with a firm focus on engineering and customer experience. The good news is that we are keeping the Dell relationship, and they will resell our products as part of their stack of solutions. This is the best of both worlds for our clients. Can you please tell us about your company’s cloud strategy? The term cloud has been around for quite some time but is increasing in adoption lately and it’s become part of the security strategy for many organisations. We do have cloud capabilities; our traditional solutions

in the areas of firewall, email, Web and mobile security are available as cloud offerings, and in addition we are also offering cloud services around sandboxing, and centralised security management. We give our customers a choice – on-prem hardware, or software or a virtualised cloud offering. As a strategy, we will head in the direction that our customers are heading and prepare ourselves to extend our Cloud-X offering in multiple other areas where time to protect, time to mobilise, time to manage becomes competitive and necessity with the help of cloud strategy. How is the changing landscape opening up new opportunities for SonicWall? SonicWall has always been in the forefront of technology trends. We protect our customer networks with solutions including the Capture Advanced Threat Protection Service that revolutionises advanced threat detection and sandboxing with a multi-engine approach to stop unknown and zero-day attacks, and with automated remediation. Email security with multiple deployment www.securityadvisorme.com


Now, we want to cement our leadership in SMB and midtier markets with a strong play in the large distributed enterprises sector as well.

options - hardware, software, virtual and cloud- is another unique business advantage for customers transitioning from on-prem to cloud or vice-versa or customers consolidating or virtualising their email gateways. The secure mobile access solution for securing BYOD deployments or providing DR planning that ensures business continuity or secure wireless for seamless wireless roaming are some other examples of new opportunities for us. Will you go back to your SMB roots? In the past, SonicWall has been extremely well known for its great market share in the SMB market while we also sketched out a growth plan in the enterprise market. During the Dell era we made inroads into several large enterprise customers who are also Dell customers. Now, we want to cement our leadership in SMB and mid-tier markets with a strong play in the large distributed enterprises sector as well.

www.securityadvisorme.com

02.2017

13


INSIGHT

DEFENSIVE MEASURES Clinton Firth, MENA Cyber Leader, EY Africa, India and Middle East (AIM), on how organisations can build resilient systems to protect themselves against cyber threat actors.

T

hreats of all kinds continue to evolve, and today’s organisations find that the threat landscape changes and presents new challenges every day. In response, organisations have learned over decades to defend themselves and respond better, moving from very basic-level measures and ad hoc responses to sophisticated, robust and formal processes. Over recent years and under the pressure of more regulation, 14

02.2017

organisations have invested in their corporate shield. Significant progress has been made in taking measures to strengthen this shield in the last two to three years, but organisations are lagging behind in preparing their reaction to a breach. They are still ignoring the all-too-familiar statement, “it’s not a matter of ‘if’ you are going to suffer a cyber-attack, it’s a matter of ‘when’ (and most likely you already have been).” According to the annual EY Global Information Security Survey (GISS), Path to cyber resilience: Sense, resist, react, global organisations are more

confident than ever that they can predict and resist a sophisticated cyber-attack, but are falling short of investments and plans to recover from a breach in today’s expanding threat landscape. Between 2013 and 2016 there have been year on year increases in cybersecurity budgets globally. However, 75 percent of MENA respondents say that more funding is needed, and 50 percent of MENA respondents citing budget constraints as a challenge. And it is not just budget that is needed. While additional budget may help alleviate the skills shortage, www.securityadvisorme.com


money cannot buy the executive support that is also needed. Cybersecurity is a shared responsibility across the organisation. Boards need to support the efforts being made, and every employee needs to learn how to stay out of trouble and not open the phishing email, or lose their mobile device. When it comes to immediately dealing with a cyber-attack that has damaged the organisations, there is nowhere today that the board can hide. If any weaknesses or failures in the recovery plans become known, and the longer these problems continue, the worse the situation will get. Some organisations may physically recover from an attack, but their reputation and trust can be destroyed. The key is to communicate and lead the communications before the strength of the traditional news media and social media takes over. Too many organisations are still unprepared. Sense, resist and react Cyber resilience is a subset of business resilience; it is focused on how resilient an organisation is to cyber threats. There are three high-level components of cyber resilience that organisations need to look at to improve their cybersecurity capabilities First, sharpen your senses. Sense is the ability of organisations to predict and detect cyber threats. Organisations need to use cyber threat intelligence and ‘Active Defence’ to predict what threats or attacks are heading in their direction and detect them when they do, before the attack is successful. They need to know what will happen, and they need sophisticated analytics to gain early warning of a risk of disruption. Can you see the cyberattacker approaching your perimeter? Does your perimeter even exist anymore? Would you know if someone is beginning to undermine — or launch an attack over — your defences? Could you spot an attacker hiding in a remote part of your network? www.securityadvisorme.com

Cybersecurity is a shared responsibility across the organisation. Boards need to support the efforts being made, and every employee needs to learn how to stay out of trouble.

Second, upgrade your resistance to attacks. Resist mechanisms are basically the corporate shield. It starts with how much risk an organisations is prepared to take across its ecosystem, followed by establishing the three lines of defence: 1. First line of defence: Executing control measures in the day-to-day operations 2. Second line of defence: Deploying monitoring functions such as internal controls, the legal department, risk management and cybersecurity 3. Third line of defence: Using a strong internal audit department. What if the attack was from a new, more sophisticated technique that you haven’t experienced before? Would your defences be able to resist something new and more powerful? Third, react better. If sense fails (the organisations did not see the threat coming) and there is a breakdown in resist (control measures were not strong enough), organisations need to be ready to deal with the disruption and be ready with incident response capabilities to manage the crisis. They also need to be ready to preserve evidence in a forensically sound way and then investigate the breach in order to satisfy critical stakeholders — customers, regulators, investors, law enforcement and the public, any of

whom might bring claims for loss or noncompliance. Finally, they also need to be prepared to bring their organisations back to business as usual in the fastest possible way, learn from what happened, and adapt and reshape to improve cyber resilience going forward. React is the area where most of the work is still to be done. The more it becomes clear that the corporate shield cannot resist all threats, the more that companies will need to focus on their reactive capabilities. In the event of a cyber-attack, what is the organisations’s plan and what is your role in it? Are you going to focus on quickly repairing the damage or will you be painstakingly collecting evidence for law enforcement? What would be the first thing you would do? Given the likelihood that all businesses will eventually face a cyber breach, it is never too early for companies develop a strong, centralised response framework as part of their overall enterprise risk management strategy. The truth is, everyone needs help. Since companies are all facing the same “common enemy,” the more companies share about their concerns and experiences, successes and failures, and the more they collaborate on finding answers, then the more they will learn and together, be better protected. 02.2017

15


money cannot buy the executive support that is also needed. Cybersecurity is a shared responsibility across the organisation. Boards need to support the efforts being made, and every employee needs to learn how to stay out of trouble and not open the phishing email, or lose their mobile device. When it comes to immediately dealing with a cyber-attack that has damaged the organisations, there is nowhere today that the board can hide. If any weaknesses or failures in the recovery plans become known, and the longer these problems continue, the worse the situation will get. Some organisations may physically recover from an attack, but their reputation and trust can be destroyed. The key is to communicate and lead the communications before the strength of the traditional news media and social media takes over. Too many organisations are still unprepared. Sense, resist and react Cyber resilience is a subset of business resilience; it is focused on how resilient an organisation is to cyber threats. There are three high-level components of cyber resilience that organisations need to look at to improve their cybersecurity capabilities First, sharpen your senses. Sense is the ability of organisations to predict and detect cyber threats. Organisations need to use cyber threat intelligence and ‘Active Defence’ to predict what threats or attacks are heading in their direction and detect them when they do, before the attack is successful. They need to know what will happen, and they need sophisticated analytics to gain early warning of a risk of disruption. Can you see the cyberattacker approaching your perimeter? Does your perimeter even exist anymore? Would you know if someone is beginning to undermine — or launch an attack over — your defences? Could you spot an attacker hiding in a remote part of your network? www.securityadvisorme.com

Cybersecurity is a shared responsibility across the organisation. Boards need to support the efforts being made, and every employee needs to learn how to stay out of trouble.

Second, upgrade your resistance to attacks. Resist mechanisms are basically the corporate shield. It starts with how much risk an organisations is prepared to take across its ecosystem, followed by establishing the three lines of defence: 1. First line of defence: Executing control measures in the day-to-day operations 2. Second line of defence: Deploying monitoring functions such as internal controls, the legal department, risk management and cybersecurity 3. Third line of defence: Using a strong internal audit department. What if the attack was from a new, more sophisticated technique that you haven’t experienced before? Would your defences be able to resist something new and more powerful? Third, react better. If sense fails (the organisations did not see the threat coming) and there is a breakdown in resist (control measures were not strong enough), organisations need to be ready to deal with the disruption and be ready with incident response capabilities to manage the crisis. They also need to be ready to preserve evidence in a forensically sound way and then investigate the breach in order to satisfy critical stakeholders — customers, regulators, investors, law enforcement and the public, any of

whom might bring claims for loss or noncompliance. Finally, they also need to be prepared to bring their organisations back to business as usual in the fastest possible way, learn from what happened, and adapt and reshape to improve cyber resilience going forward. React is the area where most of the work is still to be done. The more it becomes clear that the corporate shield cannot resist all threats, the more that companies will need to focus on their reactive capabilities. In the event of a cyber-attack, what is the organisations’s plan and what is your role in it? Are you going to focus on quickly repairing the damage or will you be painstakingly collecting evidence for law enforcement? What would be the first thing you would do? Given the likelihood that all businesses will eventually face a cyber breach, it is never too early for companies develop a strong, centralised response framework as part of their overall enterprise risk management strategy. The truth is, everyone needs help. Since companies are all facing the same “common enemy,” the more companies share about their concerns and experiences, successes and failures, and the more they collaborate on finding answers, then the more they will learn and together, be better protected. 02.2017

15


INSIGHT

RECYCLING WITHOUT SHREDDING POSES MAJOR DATA LOSS RISK

16

02.2017

www.securityadvisorme.com


T

he focus on digital data protection is putting traditional paper records in the UAE at risk from theft, according to the document shredding company Shred-it. The problem is compounded by new European Union data protection legislation that will have wide-ranging implications for businesses in the UAE and across the GCC. “The cost of a data breach is huge, yet companies here often overlook the risk posed by simple paper records that have been sent for recycling,” said Neil Percy, Vice President, Market Development and Integration EMEA at Shred-it. He said that the average cost of a data breach across the UAE and Saudi Arabia in 2016 was $4.61 million, and the cost of lost business through a data breach was $1.96 million – the second-highest in the world. The figures come from 2016 Cost of a Data Breach Study: Global Analysis by the Ponemon Institute. Percy said that there is general awareness in the UAE of the need for recycling paper and other materials, prompted by strong government-led information and initiatives. “However, the UAE recycling industry processes and recycles very little material within the country borders,” he said. “Consequently, vast quantities of paper for recycling are exported every day to less secure countries throughout Asia and beyond, wherever the best price can be achieved.” The exported paper inevitably contains high levels of readable data that are sensitive, either commercially or to private individuals, he said. “Most organisations are unaware of these unintended breaches of the UAE’s data protection policies and laws, and that situation is about to become more serious with the advent of the EU’s General Data Protection Regulation (GDPR), which is due to come into effect in May 2018,” Percy said. He said the GDPR extends the www.securityadvisorme.com

The cost of a data breach is huge, yet companies here often overlook the risk posed by simple paper records that have been sent for recycling. - Neil Percy, Vice President, Market Development and Integration EMEA ,Shred-it

territorial scope of European data protection law to include any organisation processing data while offering goods or services to people who are in the EU. Violations for noncompliance could result in penalties of up to four percent of the organisation’s worldwide revenue or 20 million euros, whichever is greater. “The impact for companies in this region could be enormous,” Percy said. “It’s time to focus not only on digital data protection but also on paper records. Recycling isn’t enough; companies need to make sure that their waste paper is securely shredded first. It should not be considered as waste until all confidential information is rendered unreadable. Even having shredders isn’t necessarily enough to make you compliant, since almost one fifth of breaches are caused by human error. “Companies and organisations need to consider a full information security strategy that will protect confidential and sensitive information in all formats, whether electronic or printed in hard copy. Breaches from electronic sources continue to capture the headlines, but a breach of regulations is a cause for concern regardless of how it happens.” An effective strategy would also consider the threat of a security breach both externally and internally within an organisation, he said. Internal concerns should include

the adoption of a clean desk policy where confidential information is not left unattended and accessible to unauthorised people within the same organisation. As an example, payroll records would normally not be accessed by unauthorised people; however, leaving them unattended on a desk for anyone to read or remove could have large implications to an individual or organisation and be a breach of regulations, he pointed out. The UAE’s focus on developing healthcare tourism and general tourism puts the healthcare and hospitality sectors on the front line in the battle against data theft, Percy believes. “Healthcare tops the industry table for data losses,” he said. “And the danger is growing: that $4.61 million figure for the average cost of a data breach is up from $3.8 million in 2015 and $3.11 million in 2014.” He said the numbers detailed in breach costs were significant and concerning. The loss of an organisation’s hard-earned reputation in the view of customers and employees can be considerable and often exceeds the penalty costs imposed by legal enforcement. Percy is hopeful that in its position as a global business hub the UAE would work towards benchmark data protection standards by EXPO 2020 and align itself with global best practices, beyond the existing regulations. 02.2017

17


INSIGHT

A WATCHFUL EYE Video surveillance systems are crucial for monitoring, identifying, and analysing people, systems and resources through cameras and the data obtained from them. Agility Grid CEO Costa Boukouvalas shares insights about the trends impacting the growth of the video surveillance market.

T

he video surveillance segment is witnessing a strong growth driven by the increasing need to secure people, assets, resources and critical infrastructure against the backdrop of a continuously evolving security landscape. Previous industry reports highlight that with the convergence of physical security and information technologies and the rise of trends like Big Data and analytics, the CCTV and video surveillance market is expected to reach $71.28 billion by 2022. Costa Boukouvalas, CEO, Agility Grid, says there’s a strong demand in the retail sector for large-scale surveillance solutions, with Big Data playing a key role. “Previously, people never thought of Big Data when it comes to CCTV and video surveillance,” he says. “They have looked at data retrospectively and have only paid attention to it when there’s a security incident for example. However, as the IT landscape and the technologies surrounding it evolved, organisations began seeing data as an asset for their businesses.” Big Data and analytics enable organisations to gain a better understanding of their customers’ needs and people’s behaviours in 18

02.2017

general, according to Boukouvalas. “These technologies are increasingly being applied to video analytics from use of facial recognition and biometric software to analysing unusual behaviours to help enhance a firm’s security posture,” he says. “In addition, this is another arena, where surveillance video can provide enormous value for improving margins through gathering real-time data and business intelligence. This is something that we aim to enable market players with.” Agility Grid is a provider of CCTV and video surveillance technologies that combine hardware and software solutions. “We offer fully integrated solutions from our partners that address the expanding security needs of both public and private sectors across the region,” says Boukouvalas. “We provide customers with solutions such as suspect tracking software, video management and video surveillance storage systems among others.” Boukouvalas highlights that Agility Grid’s video surveillance and management systems can be integrated with plugins and add-ons depending on their specific needs. “Our APIs, number plate detection, abnormal behaviour detection and suspect tracking software can co-exist in one system,” he says. “These are all separate software in their own rights but can work together in a single platform to allow end-users better manage these applications.”

However, Boukouvalas explains that the latest security products and solutions can only do so much. The people implementing and utilising these technologies are of utmost importance as well. “Right now, I think there’s still a lot of education needed in the video surveillance and management space,” he says. “For one, a lot of people think that video data works the same way as the IT data. It’s not, in fact, video and IT applications work very differently. Typically, CCTVs are incessantly recording footages 99 percent of the time, therefore, the stream of data is also continuous. “On the other hand, IT applications do not function the same way. The data transfer begins when a person sends a file and stops as soon as it’s received on the other end. The stream of data won’t start again until the recipient makes amendments to it and sends it back to the sender,” says Boukouvalas. In addition, he points out that video data requires more agile hardware to store and process the information obtained. “It is also important to note that due to the scale of data from video surveillance solutions analysing and optimising these data can be a challenge. It will need more than one person to take charge of this process, thus, require the establishment of a team that will focus on this task. Especially with the lines between physical and cybersecurity blurring,” explains Boukouvalas. www.securityadvisorme.com


INTERVIEW

SAFE PASSAGE Wasim Yaghmour, Regional Sales Director MEA, HID Global, discusses the growing importance of access control management solutions in the region and where this security segment is heading in the coming years.

W

hat have been the biggest highlights at HID Global over the past year? The last year has been a very significant one for HID Global. We have seen successful geographical expansions here in the Middle East. We have also developed and rolled out new products and solutions that address the latest market needs of organisations here in the region. This includes our HID Mobile Access, which supports mobile devices including smartphones and wearables. It’s integrated with our Mobile Access Portal and App software developer kits (SDKs), which allows partners and end-users to create innovative, customised mobile access applications. This single identity solution is powered by our Seos technology that allows the end-user to utilise a single access platform using either an access card or a mobile credential. Most recently, we have completed a project with the Mohammed Bin Rashid Housing Establishment (MRHE) that saw the upgrade of its access control solutions. The project involved the deployment of the HID Mobile Access, which enabled MRHE employees to use smartphones and wearables to access their office and facilities. The new solution supports MRHE’s objectives to provide its employees with a secure access control solution that can significantly improved the end-user experience within the organisation. www.securityadvisorme.com

IAM solutions are often being utilised by enterprise sized businesses. Do you see organisations in the SMB space adopting IAM technologies as well? Yes. With the adoption of mobility technologies on the rise in the Middle East, more and more organisations from both the enterprise and SMB spaces are investing in mobile access control solutions. This is because they are realising that these kinds of solutions provide them with the flexibility to incorporate the latest technologies into their systems while ensuring the security of their end-users. This is where HID Global can add value to regional businesses. We are well-equipped to provide organisations in both public and private sectors with products and solutions that are tailored to their specific requirements. Furthermore, increasing number or end-users are utilising these solutions in both personal and professional activities. We can see that mobile access control solutions are no longer just being utilised for security purposes, it is increasingly becoming an important tool for enhancing end-user experience. What are the biggest concerns organisations have when it comes to access management? A survey we have conducted late last year revealed that 48 percent of organisations do not have an access control system installed because they believed that their premises are ‘secure enough.’ While 47 percent of those who were polled said

that they do not have skilled staff to manage such a system. There’s also the issue of end-users swapping cards and sharing credentials that we need to keep an eye on. More importantly, there’s also increasing cases of access cards getting cloned easily. Our Seos technology is equipped with enhanced capabilities that ensure no traceable identifiers are exchanged during card sessions. This then prevents data associated with a card from being divulged or cloned. How do you see the access control and identity management space in the region? As I have mentioned earlier, mobile penetration in the region is increasing and so is the spending for mobility solutions. This will further accelerate the adoption of access control management among organisations here in the Middle East. Over the last few years, we have seen strong adoption from the government, telecom, private sector and commercial sectors and we can expect this to continue in the next few years. Cloud technologies are also becoming crucial components to the development of access control systems. The efficiencies and cost-effectiveness of cloud-based authentication platforms make it an attractive option for today’s organisations. Security is a continuous process, as threats evolve so must the technology you deploy to protect yourself and your organisations from threat actors. This is the reason why HID Global is constantly advancing its solutions and innovating to come up with new technologies for secure access. 02.2017

19


OPINION

HALFLINGS, DRAGONS, AND DDOS ATTACKS By Lori MacVittie, Principal Technical Evangelist, F5 Networks

A

n all too common constraint on applications today is budget. Security budgets may be growing, yes, but not at a rate commensurate with the strategic approach of making yourself too expensive to hack. This approach is akin to the HalflingDragon Principle which states: If you find yourself in the company of a halfling and an ill-tempered dragon, remember that you do not have to outrun the dragon; you simply have to outrun the halfling. The idea is to make your own environment cost too much to attack, forcing the dragon to turn its hungry eyes toward your competitor, the halfling, instead. Now, without digressing into the ethical debate that should enflame, the notion of making your environment too expensive to hack is not a bad one. The problem is that often means it’s too expensive for you to afford, too. That’s because generally speaking the advice on executing on such a strategy entails purchasing a whole bunch of solutions and throwing them up like some sort of medieval gauntlet, putting up new 20

02.2017

barriers and forcing attackers to run it to get to what they really want, your data. This makes it expensive for the attacker by forcing them to expend time, energy, and ultimately money as they attempt to spread out their attacks to avoid detection. That’s expensive not just for the attacker, but for the enterprise, too. Not just in terms of the solutions (capex) but operationally (opex) as each solution must be managed, updated, monitored, and, ultimately, scaled. It’s also inside out. What attackers want is your data, and yet we tend to build our defenses and protections starting at the point furthest from the data, at the perimeter of the network. So how do you make it too expensive for them to get what they want, without making it too expensive for you to implement? There’s no silver (plated) bullet for this one, but there are some ways you can keep your costs down while increasing the costs to attack. LEVERAGE PLATFORMS Platforms are based on the idea of sharing a common environment. They reduce costs the same way virtualization and containerization increase the efficiency of compute resources. An

ADC, for example, can be extended with modules to support a wide variety of delivery functions, including security. Many organizations already use an ADC to ensure availability with load balancing that may be able to support deployment of WAF and other security-related functions. As an holistic solution, the right ADC can cost far less in total than the sum of its individual functions as point solutions. Also worthy of exploration are capabilities of the load balancer itself. Unlike rudimentary load balancing, an ADC generally offers a number of knobs and levers related to security that can be employed to make attacks more difficult. SYN flood detection, cookie encryption, URL obfuscation, and IP/Port filtering are often available as part of a load balancing service. Increasing the protection closer to the app makes it more difficult for the attacker to access. OPERATIONALISE There is still, to the chagrin of some and delight of others, no known “godbox” that can single-handedly provide everything you need to secure and scale applications. You’re going to need multiple solutions (they key is to minimize how many using platforms, see above) and that means multiple consoles, www.securityadvisorme.com


management paradigms, and probably people. All of which will blow your budget. Operationalisation, enabling automation and orchestration, can keep a lid on the costs of the solutions you must have in place. Even capabilities like autoscaling to take advantage of resources you (likely) already have to scale up and force an attacker to respond in kind can increase the costs to attack while keeping the costs to defend under control. Operationalising (DevOps, SDN, SDDC, SDx, private cloud, et al) also addresses sources of high risk: human error and lack of process. On the latter, you can’t automate a process (that’s orchestration, by the way) that doesn’t exist. And if you don’t have one, you should. It ensures that steps are taken that need to be to secure and scale apps when they move into production. The former, human error, is a huge risk as it can inadvertently open up holes in your security that let bad guys sneak in, either directly or under the wire during the distraction of a volumetric DDoS attack. CLOUD AS SCALE And when you can’t auto-scale anymore, or your bandwidth is overwhelmed, there’s always the cloud. The cloud as scale (cloud bursting, if you prefer) is an www.securityadvisorme.com

excellent option for enabling you to defend efficiently while driving up the costs to attack. Switching DDoS scrubbing and protection to the cloud during an attack (or when it first starts) can immediately reduce the local impact to the business (in productivity and profit measures) which does, in fact, mean less expensive defense. Letting the cloud, with its (nearly) infinite scale and gobs of bandwidth absorb an attack will cost a lot less in the long run for you but not for the attacker. SECURE FROM THE INSIDE OUT As previously noted, attackers generally want your data. That’s because your data = $$ on the open seedy market. So focus as much (if not more) on securing your data as you do on your perimeter. That means employing all the tricks and techniques you can to make it very expensive for an attacker to extricate value from their attacks (by grabbing data). You do that by constant vigilance, by protecting not only what goes into the app but what comes out. That’s request and response protection. The majority (67%) of respondents in our State of Application Delivery 2016 who have a WAF deployed today were confident in their organisation’s ability

to withstand an application layer (requestresponse) attack. Those are things like SQLi and XSS, but also WebSocket security and session hijacking prevention and a wealth of other capabilities that ensure it is very expensive for an attacker to succeed in getting at your data. In fact, more consistent protection across all three attack surfaces (client, request, and response) correlated with a higher confidence in withstanding an application layer attack. That’s not an “edge” function; that’s an app-centric function. One that sits closer to the app than it does the edge of the network, and its goal is not to stop network attacks, but the attacks that actually extricate data. That’s the value attackers are looking for, and it’s the value you have to make so expensive that attackers will give up and go elsewhere. There’s no way to make security cheap. There just isn’t. But there are ways to keep the costs down, to make it more expensive for the attacker than it is for you, without leaving you too broke to secure your apps. And if you do it well, and your defenses force attackers to consume too many of their own resources (and money), the dragon might just be too tired (broke) to go after that halfing. And that will give the halfling a chance to get a head start on their own defenses. 02.2017

21


OPINION

PROACTIVE CYBERSECURITY IN MANUFACTURING By Tim Bandos, Senior Director, Cybersecurity, Digital Guardian

M

anufacturing companies are one of the most popular targets for cybercriminals, based on the sheer amount of classified information they hold. In fact, a recent report from IBM X-Force Research’s 2016 Cyber Security Intelligence Index found that the sector is the second most-attacked industry behind healthcare, with automotive manufacturers and chemical companies scoring as the top targets for attackers. Hackers can vary when targeting the industry, but they are typically financiallymotivated, state-sponsored attacks, 22

02.2017

which occur when government-funded organizations break into a network to steal intellectual property (IP) and trade secrets. These groups are some of the most sophisticated hackers, using a high level of expertise when targeting companies. They seek extremely valuable IP to further the betterment of the people in their country, or perhaps more commonly, for financial gain. PREVENTION METHODS FOR EVERY MANUFACTURER With the continuous increase in cyber threats, and large organizations in

nearly every sector making headlines as a result of data breaches, it can seem overwhelming to evaluate just where to start to protect a manufacturing company’s data. Let’s break it down: First and foremost, manufacturers should have a vulnerability management plan in place, and conduct ongoing vulnerability scans. These regular scans can help find unpatched systems and holes, which is often where hackers find their way in. In fact, most of these attackers are not leveraging zero-day vulnerabilities all the time; instead, they www.securityadvisorme.com


are taking advantage of vulnerabilities that have been out for years. Next, it’s highly critical to prioritise security awareness, and promote this notion to all employees, from the C-suite to temporary hires and third party contractors. From my past experience at a chemical manufacturing plant, I found that 40 to 50 percent of attacks by statesponsored groups were conducted via spearphishing. These attacks are spread through malicious emails that appear to be from an individual or business that you know, though it isn’t. Employees think the email is from a trusted source, click links within the email, and just like that, a hacker has entry into the company’s network. A strong example of proactive security awareness is to conduct regular white hat phishing campaigns, where an organisation sends out phishing emails to employees that are not malicious, but simply used for education and to gain an understanding of threat levels. This white hat phishing technique captures important data on who is likely to fall victim to an attack, and why. It provides users with education on how to recognise and identify a malicious email, and what to do about it. However, while this is important, manufacturers must also understand that they can’t rely entirely on employees doing the right thing – mistakes will happen and links will inadvertently be clicked. As employees get up to speed on cybersecurity, an incident response plan should also be in place. This plan should be ongoing and continuously tested, for maximum effectiveness when an incident does occur and organisations have to respond. The incident response plan should feature a few “must-haves,” including: • Involvement from all levels within an organisation, including the CEO, CFO and more. This is not just a project for the IT team. Involve the right people, and ensure there’s a point person who www.securityadvisorme.com

As employees get up to speed on cybersecurity, an incident response plan should also be in place. This plan should be ongoing and continuously tested, for maximum effectiveness when an incident does occur and organisations have to respond.

can lead during an incident and make proper, fast decisions when needed. • A methodical approach on how to respond to an incident. Each incident is different in nature, but should fall under a certain classification, such as high, medium or low risk, so individuals know how to proceed. • The framework of each type of incident (for example, is it state-sponsored or hacktivism) should also help determine the prescribed approach to take. Lastly, organisations should harden the security configurations of systems and servers, including revoking privileged access to endpoints. Malware, for instance, requires administrative level privileges to execute on machines. If an organisation took these administrative privileges away, nearly 90 percent of infections on machines would stop – all via one fairly simple fix. Don’t forget that security controls do hinder on culture. How hard is it to implement certain protocols in your organisation? IT can make a recommendation for application whitelisting, which is when organisations prevent the usage of unapproved applications that can be launched on end-user / server computers, but it can be extremely

difficult to implement since applications within a manufacturing environment can be so diverse and users may be averse to these restrictions. Evaluate your internal culture to determine which procedures are best to secure the business. METRICS MATTER With all of the aforementioned prevention methods in place, manufacturers must also understand just how their organisation is performing when it comes to cybersecurity. Are the number of threats detected decreasing? Is employee security awareness increasing through the reduction of the number of links or attachments clicked? For this reason, it’s recommended that organisations take a KPI (Key Performance Indicator) perspective to cybersecurity, by setting goals and metrics to improve security stature. Manufacturing companies should have an ongoing, metrics-based intelligence-driven security program in place to evaluate the effectiveness of common programs, like vulnerability management, data loss prevention and antivirus protection. With these metrics in place, organisations can develop a heat map of sorts, to outline where they should be focusing their efforts and/or where they should continue to invest in protecting their most sensitive assets. This security snapshot will assist in keeping every aspect of a business secure & prepared, making it that much more difficult for even the most sophisticated hacker to take off with a manufacturer’s crown jewels. 02.2017

23


INTERVIEW

TRIED AND TESTED Cyril Voisin, Executive Security Advisor, Enterprise Cybersecurity Group, Microsoft MEA and Paula Januszkiewicz, CEO and Security Consultant, CQURE, sat down with Security Advisor ME and discussed how conducting vulnerability scans can help organisations defend against the increasing number of data breaches in today’s digital world.

W

hat is penetration testing and how can organisations benefit from it? Paula Januszkiewicz (PJ): A penetration test or ‘pen test’ is a simulated attack on a system or network to exploit its vulnerabilities and determine ways to reinforce the organisation’s defences. It is typically conducted by a person within the firm’s security team or by an external consultant such as myself. It has two main objectives: first, is to find out which elements within your systems need to be updated; and secondly, identify the misconfigurations that could lead to potential breaches in the future. This process is necessary because in today’s growing digital environment, IT professionals are often expected to innovate in a fast-paced manner and they tend to make mistakes. The most pressing issues that companies face are typically caused by misconfigurations. However, it needs to be very detailed for enterprises to fully realise its benefits. It is important

24

02.2017

to note that any discovery, no matter the size, is helpful. In fact, the more problems a penetration test can detect the better. Because exposing these vulnerabilities will, of course, enable organisations to strengthen the security of their IT infrastructure.

Cyril Voisin (CV): The way I see it, penetration tests give organisations an outsider’s perspective. Our goal is to provide security teams with fresh eyes and give them an idea on what they might be missing and how they can fix that. Security teams are, of course, working towards to ensure the resiliency of their organisation’s network defences. And, when there’s nothing happening and everything is going smoothly that’s usually a good sign that your security systems are doing what you need them to do. However, the thing with security is sometimes you think you’re doing too much until something happens and you realise that you weren’t doing enough. As for Microsoft, this is one way we can www.securityadvisorme.com


support our customers. They can come to us if they need to re-assess their security systems and through the help of Paula and her team we can help them carry out a pen test. Through these tests, we can identify various ways an attacker can potentially infiltrate your network. After doing so, we will come up with suggestions as to which system, process and/activity should be improved or changed. Do you think companies here in the Middle East region are aware of the importance of doing a penetration test? PJ: They definitely are. However, security is a subject that has evolved rapidly over the last few years and it will continue to do so. Now, while a significant number of organisations here in the region are already conducting penetration tests, I believe that we should do more to increase this number. What I have been seeing today is that a lot of companies opt to integrate multiple tools and solutions into their systems as they think that that’s the best approach. While that may be advantageous to some extent, these solutions if not configured properly can do more harm than good. That is why penetration testing is essential – systems and application get updates, which changes the interdependencies of the different solutions and that makes your IT systems vulnerable. Some say that people are the ‘weakest link’ when it comes to security. Do you agree? PJ: No, I believe that this notion has been invented by companies who don’t know how to properly deal with security. In my opinion, businesses should make sure that each and every one within their organisations is not ‘weak.’ That’s the idea that enterprises should keep in mind when designing security.

CV: From our perspective, I believe that we should make it a point that everyone is involved when discussing security. We can teach and show them all they need to know but if they don’t change their bad security www.securityadvisorme.com

habits then it will be useless. So, we should make sure that everyone’s on the same page in implementing our security strategies. What is the impact of cloud and Internet of Things (IoT) technologies on an organisation’s security posture? CV: IoT technologies have been making really big strides here in the region, especially in the UAE where we have Dubai’s Smart City initiative. Soon, everything will be connected everywhere from smartphones to smart cars to smart buildings. These devices will be communicating with each other, exchanging data and learning from endusers and from one another. However, we believe that even with all of the developments that are being done in the market today, the IoT space is still at a nascent stage. It is still not a priority for most security professionals today, and that is quite concerning considering the increasing number of innovations being made in this segment. Now, when it comes to cloud, there’s this long-running notion that when your data is on the cloud it will become more exposed to threats as opposed to hosting it on-premise. To put it into perspective, let’s say you’re travelling from one country to another. Let’s say using on-premise technologies is like travelling in your car. You’ll get to choose which car you want, which route to take, when to leave, and where to make stops. But, it will take a very long time and there are a lot of potential threats along the road. Meanwhile, if you get on a plane not everything is controlled by you, but you know that the pilot is an expert at what he does and he will get you to where you want to go safely. That’s similar to cloud technologies; you get to choose a solutions provider and an integration partner and let them manage your systems for you. And, if you choose the right partners you won’t only save time, storage and money, but you can also be assured that your data is secured. 02.2017

25


HOW TO

HOW TO

PERFORM

RISK ASSESSMENT Only by imagining the worst that could happen can we comfortably hope for the best.

W

ithout a complete and thorough risk assessment including all its component parts, you might as well open all your data assets to unbridled exfiltration via Port 80 without any security checks at all. In the end, attackers and criminal digital profiteers will get what they came for in either case. Defending risks without knowing what those risks are is like playing a round

26

02.2017

of paintball with your eyes closed — you’ll keep missing your opponent. A risk assessment gives the enterprise a specific, more finely narrowed field of targets for which to aim. OUTLINING RISK ASSESSMENT PARTICULARS An IT risk assessment involves progressive steps that ensure a proper evaluation of your IT risks and their severity to your organization.

According to M. Scott Koller, counsel at BakerHostetler, these steps include: evaluating data and systems; identifying risks to those systems; evaluating those risks for likelihood, severity, and impact; and identifying controls, safeguards, and corrective measures. Tools for evaluating your data and systems can include network maps, system inventories, and data audits of collected and stored data, explains Koller. These go beyond www.securityadvisorme.com


simple understandings and high-level views of topologies to encompass your core network(s) with all their servers, switches, routers, hardware, software, and services all the way out to our network edge, gateways, and endpoints, with all their incumbent data, accounting for everything that is or resides within your network. You can’t tally all your risks unless you measure them against all your network assets that could be at risk. To pool a current and meaningful list of real potential risks to your systems and data assets, consider including a manual empirical phase in your overall approach: take a census of the risks that concern your stakeholders and team members most, making sure to address each system and all data; validate the list and remove any real duplicates; and identify risk types. In other words, whatever else you do to compile a risk list, make sure to simply talk to your people. Any number of them may have seen something new that has escaped inclusion among previously identified risks. There are also tools that can help the enterprise to identify specific risks. There are tools in the category known as data infrastructure / advanced data analytics that provide a holistic view of real-time situational awareness and a common operating picture of virtually any asset, system, operation or facility to anyone in a vendor-agnostic fashion, operating at near limitless scale, says Steve Sarnecki, VP at OSIsoft. IBM and PwC are two more vendors offering products in this category. In this category, there are tools that can cull risk information from enterprise assets to help identify risks. OF METRICS AND CORRECTIVE MEASURES To create a visual metric of the likelihood and severity of the risk, simply rate each risk from one to 10 or one to 100 for its likelihood and www.securityadvisorme.com

Defending risks without knowing what those risks are is like playing a round of paintball with your eyes closed — you’ll keep missing your opponent.

then again for its severity. Use the two numbers to plot the risk as a resulting dot on a line graph using X and Y axes. The dots that concentrate in the upper-right corner inside a square that is one-fourth of the whole line graph will comprise the top 25 percent of your risks. To assess potential impact, remember that impact reaches far beyond financial measures. Look to your organization’s own history of realised impact. Look at news coverage and IT industry analysis of the realised impacts of organisations in a similar position to yours. Ask your stakeholders about the kinds of impacts that leave them restless. To identify more controls, safeguards, and corrective measures to enact to mitigate risks, look to industry best practices with a history of success. NIST offers a resource with ample discussion of controls. SANS offers a list and discussion of controls. “For example, a safeguard that you can implement to reduce the potential risk of a ransomware infection is to update your anti-virus software. You then re-evaluate the risk after implementing the safeguard to determine whether you have sufficiently mitigated the impact and probability of the risk. If not, you should repeat the process,” says Koller.

LEVEL SETTING RESULTS AND EXPECTATIONS Risk assessments won’t eliminate risk but rather should reduce them acceptably. Going back to ransomware as an example, residual risk remains that the anti-virus software won’t prevent the ransomware infection, says Koller. “An organisation must weigh the risk associated with that event with the probability of occurrence and the potential costs associated with additional safeguards,” says Koller. If anti-virus doesn’t do enough, the enterprise may consider adding additional protections. An enterprise should address the greatest risks, those with the highest likelihood, severity, and costs, first. Without the information that a risk assessment provides, the enterprise cannot adequately protect its data. REFRESHER COURSE For some enterprises, these resources are a reminder of a roadmap, a refresher course on the elements of a risk assessment, and good for sharpening your next gaze into assessing risks. If not, and there’s something completely new here for you, you may want to consider moving up the data on your next evaluation of real risks to your enterprise data. 02.2017

27


OPINION

28

02.2017

www.securityadvisorme.com


IOT SECURITY NIGHTMARES IoT security costs to climb

T

The IoT security market will reach a valuation of $36.95 billion by 2021, says data from a Marketsandmarkets. com analyst report. Where the cyber security mayhem grows, so flows the security market money. In 2017, experts predict that gaping IoT security holes will lead to the destruction of critical infrastructure and increases in

competitive intelligence gathering and intellectual property theft. 2017 will see more DDoS attacks of the magnitude that brought down the Dyn Domain Name System service and many high-profile web domains with it. CSO dives into top security nightmares stemming from the sheer multiplication, vulnerability, capacity, reach, and scale of IoT, delivering solutions and insights from IoT security researchers, academics, and experts.

2017 will see more DDoS attacks of the magnitude that brought down the Dyn Domain Name System service and many highprofile web domains with it.

www.securityadvisorme.com

A top five collection of IoT security nightmares Nightmare No. 1: 5 million new IoT devices added daily equals as many and more new security vulnerabilities each day. In 2016, the world connected 5.5 million new things to the internet daily, according to Gartner. The more the IoT devices, the more the security vulnerabilities, given that there are typically multiple security holes per device, and the broader the attack surface, since these connected gadgets are popping up everywhere, says Roberto Tamassia, Executive Master in cybersecurity at Brown University. “Factors that contribute to IoT device vulnerabilities include device manufacturers who don’t have extensive cyber security experience, computing power and storage constraints that limit the available security mechanisms, cumbersome software update procedures, and the lack of user awareness of the security threats posed by these devices,” explains Tamassia. Nightmare No. 2: IoT devices are a very attractive and powerful form of ubiquitous, low-hanging fruit for 02.2017

29


attackers. The growing number of easily hacked IoT consumer products is leading to a greater likelihood, frequency, and severity of IoT security nightmare scenarios including attacks on enterprise data, plants and equipment, and employees as well as consumers. It is not hard for an attacker to gain control of entire networks starting from the compromise of any one of the many vulnerable consumer IoT devices; the popular NEST thermostat presents one example. In 2015, upon accessing the NEST’s mini USB port, TrapX Security engineers used an ARP spoofing app to spoof the ARP address for the network gateway as part of a man-in-the-middle (MITM) attack, says Moshe Ben-Simon, co-founder, TrapX Security. Hackers use MITM attacks to gain increasing control of systems on either or both ends of the communication, including enterprise networks. Even if you find the NEST thermostat in the home and not on enterprise property, close to company networks, the massive remote and mobile workforce ensures that criminal hackers’ control of home computer systems ultimately leads to attacks on the corporate systems that employees connect to from home. A NEST hack is only one way that innocent IoT devices can open entire networks and organisations to the high risk of compromise, theft, and perhaps disruption of ongoing operations, says Ben-Simon. With control of IoT in the home or the enterprise, hackers can not only steal data but put life, limb, and property at work or away in jeopardy. Nightmare No. 3: IoT is key to unlocking mountains of private consumer data, adding to hackers’ targets and attack vectors and enabling them to easily guess common passwords used by key 30

02.2017

With control of IoT in the home or the enterprise, hackers can not only steal data but put life, limb, and property at work or away in jeopardy.

business, government, military, political and cultural targets, according to Ryan Manship, Security Practice Director at RedTeam Security. IoT collects consumer data to aid companies with targeted marketing by building a digital representation of each consumer’s preferences and features, says Manship. Attackers steal and combine the different data to reveal consumer interests and habits, which they use to guess user passwords and answers to security questions so they can log into the enterprise where employees have reused the same passcodes, explains Manship, a contributor to the SANS Securing The Human (STH) training program. Nightmare No. 4: The increasing access to SCADA and industrial controls through IoT makes broad devastation possible. When IoT such as industrial control systems connect to the internet, it becomes extremely challenging to protect utilities and national infrastructure against attack. Imagine attackers using 10- to 15-percent of the IoT devices in the U.S. to form a DDoS attack to take down all internet traffic on Wall Street.

Examples of such attacks include the recent hack of a Ukrainian power plant, leading to power outages for tens of thousands of people, mentions Ryan Spanier, Director of Research, Kudelski Security. “In this attack, hackers targeted the management system of the critical infrastructure to enable the disruption of service. This is a fairly small-scale example of the problems an attack on critical infrastructure could create,” says Spanier. Nightmare No. 5: Prevalent and largely open IoT makes the simultaneous “Fire Sale” attacks on every agency, service, and utility as depicted in the movie, “Live Free or Die Hard” easier than ever. IoT makes it possible for hackers to create and use botnets on such a large scale that taking down many kinds of infrastructure at once using DDoS attacks becomes relatively routine. “Imagine attackers using 10- to 15percent of the IoT devices in the U.S. to form a DDoS attack to take down all internet traffic on Wall Street,” suggests Ben-Simon. www.securityadvisorme.com


Mitigating the top five and many other IoT security concerns By 2020, Gartner expects that the 5.5 million IoT devices connected-per-day in 2016 will grow to 20.8 billion IoT devices in use in total. There is little slowing the advance of these devices. To safeguard that hardware, enterprises should first weigh their convenience and efficiency advantages against the risks, institute security policies and procedures that cover each type of device, and include IoT security training in employee security education programs, says Tamassia. Behavior-based and IDS/ IPS security technologies will have to envelop the potential bad behavior of IoT devices as well. When an enterprise installs and uses a consumer device such as a NEST thermostat, they need to implement new second generation firewalls, allow only specified IP addresses to connect, apply second generation endpoint security, and use deception technology, says BenSimon. The appearance of NEST and other devices in the home and the repercussions are more reasons to educate employees and increase the security of their connections and communications to work.

No matter how attackers guess passwords and answers to secret questions, using additional authentication can keep sites secure. Methods such as using PINs and sending codes to user email to confirm identity are great examples. As approaches to guessing passwords change, the enterprise must adapt. “Enterprises must utilize security professionals to understand the risks of new technology, to ensure their technology is updated continuously (not introducing new risk), and to act when they identify new risks,” says Manship. It is challenging to secure SCADA and legacy industrial control systems because these tend to be closed systems without even the fundamental facility for cyber security mechanisms. “At a minimum, enterprises should isolate these systems on their network, closely monitor them, and control access,” says Spanier. “Industrial control systems have high availability requirements – meaning that downtime for an upgrade is unacceptable. In an ideal world, these systems would be enhanced with state-of-the-art cyber security defenses, isolated from the internet,” says Spanier.

It is challenging to secure SCADA and legacy industrial control systems because these tend to be closed systems without even the fundamental facility for cyber security mechanisms.

www.securityadvisorme.com

As for putting out fire sale fires, securing IoT against use in DDoS attacks includes securing the devices while assuming the network is hostile and securing the network while assuming that the devices are hostile. This approach falls in line with the least privilege zero trust model of security. Organisations can mitigate hackers who add IoT to botnets by upping the security game for networks that contain IoT. “Government agencies and enterprises need to examine security solutions that work inside the corporate network. New technologies that use deception enable organizations to identify attackers already inside a network that also has IoT devices attached to it,” says Ben-Simon. Considering additional progress toward securing IoT The future of IoT presents security challenges, but also solutions. Here are three firm recommendations from Tamassia, one of the 360 most cited computer science authors by Thomson Scientific, Institute for Scientific Information (ISI): First, the Federal Trade Commission should fine companies that sell appliances with poor security, such as back doors, until they recall and repair their products. Second, legislators should write laws that require that IoT appliances periodically restore the software to its initial state. This requirement would kick out any malware that managed to penetrate the appliance. Third, new IoT hardware could have IPv6 addresses in a restricted range, making it easier for any domain owner that is under a DDoS attack to have its ISP reject all packets directed toward it from IoT appliances. 02.2017

31


5

AREAS FOR CYBERSECURITY INNOVATION IN 2017 By Michael Xie, Founder, President & Chief Technology Officer, Fortinet

32

02.2017

www.securityadvisorme.com


OPINION

T

he world never stands still. In the technology space, this means that constant innovation and discovery is the key to a solution provider’s survival and growth. In the cybersecurity arena, this creed is even more vital. Many hackers are brilliant people. There’s only one way to get the better of them – be even more brilliant. And faster and more creative. Which is why R&D is crucial in the security technology business. Cybersecurity solution providers must deliver open, integrated security and networking technologies that enable enterprises to see and react rapidly to changing attack techniques, increase proactivity, and scale and provision their security along with business growth. To cope with this breadth of demands – sometimes in very short time spans − technology providers need to be able to cross traditional boundaries, allowing them to innovate across the entire ecosystem. Fortinet is at the forefront of such innovation. In 2016 alone we were granted close to 80 patents in such diverse areas as CASB, malware detection techniques, data leak protection, virus detection, hardware acceleration, DDoS and cloud services. However, the cyber threat landscape is continuing to become more challenging in 2017. Here are a few areas that Fortinet has identified for intensive R&D during the coming year:

1

Deep learning for attack analysis Different types of detection technologies have emerged over the years. It started out with signatures (a technique that compares an unidentified piece of code to known malware), then heuristics (which attempts to identify malware based on behavioural www.securityadvisorme.com

characteristics in the code), followed by sandboxing (in which unknown code is run in a virtual environment to observe if it is malicious or not), and machine learning (which uses sophisticated algorithms to classify the behaviour of a file as malicious or benign, before letting a human analyst make the final decision). Now, the latest technology − deep learning − has come onto the market. Deep learning is an advanced form of artificial intelligence which uses a process that is close to the way human brains learn to recognize things. It has the potential to make a big impact on cyber security, especially in detecting zero-day malware, new malware, and very sophisticated advanced persistent threats (APTs). Once a machine learns what malicious code looks like, it can identify unknown code as malicious or benign with extremely high accuracy, and in near real-time. A policy can then be automatically applied to delete or quarantine the file, or to perform some other specified action, and that new intelligence can then be automatically shared across the entire security ecosystem. In 2017, Fortinet will continue to develop technologies designed to make our appliances learn more intelligently and identify unknown malware more accurately.

2

Big data for log correlation IT is deeply entrenched in both our businesses and personal lives, leading to an increasing amount of data being generated, collected, and stored around the world. And since the working principle is that the more things a security solution provider sees, the more opportunities there is for it to connect the dots, understand the threats, and hence

protect the network, leveraging big data to make sense of exponentially growing event logs will be an important area of research for us in 2017.

3

Strengthening container security Running applications in containers instead of virtual machines (VMs) is gaining momentum. At the heart of this ecosystem lie solutions like Docker, an open source project and platform that allows users to pack, distribute, and manage Linux applications within containers.

There are several benefits to Docker technology, including simplicity, faster configurations, and more rapid deployment, but there are also some security downsides. These include: • Kernel exploits − unlike in a VM, the kernel is shared among all containers and the host. This amplifies any vulnerability present in the kernel. Should a container cause a kernel panic, it will take down the whole host, along with all associated applications. • Denial-of-service attacks − all containers share kernel resources. If one container can monopolize 02.2017

33


access to certain resources, it can cause denial-of-service (DoS) to other containers on the host. • Container breakouts − an attacker who gains access to a container should not be able to gain access to other containers or the host. In Docker, users by default are not namespaced, so any process that breaks out of the container will have the same privileges on the host as it did in the container. This could potentially enable privilege escalation (e.g. root user) attacks. • Poisoned images – it’s difficult to ascertain the sanctity of the images you are using. If an attacker tricks you into running his image, both the host and your data are at risk. • Compromising secrets – for a container to access a database or service, it will likely require an API key or some username and password. An attacker who can get access to these keys will also have access to the service. This is especially a problem in a micro-service architecture in which containers are constantly stopping and starting, vis-àvis an architecture with small numbers of long-lived VMs. Our 2017 research will address the above areas. Such research is important because container technology can only gain wider adoption in the coming years.

4

Securing vCPE Still in the domain of virtualization and cloud, virtual customer premise equipment (vCPE) is another growth area ripe for research. Today, business requirements are changing quickly, and firms need the flexibility to adapt their branch offices to those changing requirements in a fast and secure manner. They need to be able to turn on new services ondemand from a single platform, without the cost and complexity of deploying and managing additional devices. 34

02.2017

Today, business requirements are changing quickly, and firms need the flexibility to adapt their branch offices to those changing requirements in a fast and secure manner.

vCPE is a way for managed service providers (MSPs) to deliver network services to enterprises, such as firewall security and VPN connectivity, by using software rather than dedicated hardware devices. By virtualizing CPE, providers can simplify and speed up service delivery, remotely configure and manage devices, and let customers order new services or adjust existing ones on-demand.

5

Helping enterprises leverage SD-WAN A growing number of enterprises are demanding more flexible, open, and cloud-based WAN technologies, rather than accept the installation of proprietary or specialized WAN technology that often involves fixed circuits or costly proprietary hardware. This heralds the rise of Software Defined Wide Area Networks (SD-WANs), which eliminates expensive routing hardware by provisioning connectivity and services via the cloud. SD-WAN technology also allows connectivity to be flexibly controlled through cloud software. SD-WAN has the potential to improve network security in a number of ways, for instance: • SD-WAN allows traffic to be easily encrypted.

• SD-WAN allows the network to be segmented, limiting the impact of a breach or an attack to a small, manageable area. • The growth in cloud traffic has made direct Internet access from the branch a reality, and an SD-WAN can be used not just to provide the connectivity but to also secure the connection. • By providing a vast amount of visibility into the amount and types of traffic traversing the network, SDWANs allow attacks to be discovered sooner. This year, Fortinet will conduct R&D on the above areas to make SD-WAN a feasible endeavour for enterprises. We will continue to expand the coverage of our Fabric, with our R&D focus moving from visibility and awareness to measurement and benchmarking, and finally to understanding how close an enterprise is to the prevailing best practices within its industry. With so much planned development on the horizon, cybersecurity will remain an exciting sphere for enterprises to watch during the new year. www.securityadvisorme.com


OPINION

A GROWING TARGET FOR CYBER CRIMINALS By Hemayun Bazaz, Regional Manager - Channel Sales, Middle East and Turkey at Aruba, a Hewlett Packard Enterprise company

T

he threat to SMEs comes from the wider trend for cyber criminals to target the individual, as well as the enterprise. With the consumerisation of IT and BYOD, workers carry a great deal of sensitive data on their smartphones that is exchanged back with their company servers. This makes single devices a potential gateway to a wealth of company and private data. If employees are working remotely, for example from a café using guest Wi-Fi, that can also add a layer of vulnerability unless the correct security policies have been applied to the user and device based upon their location. Typically, the SME market lacks the in-house IT expertise that is required to monitor and secure the network at the individual device level, meaning they may be viewed as an easier target by cyber criminals, as recent attacks have suggested. KEY CYBER THREATS FACING SMES Most employees believe IT has their back so the weakest link are many times employees themselves. Our recent research has shown that, in order to get the job done, 6 in 10 workers are sharing their personal www.securityadvisorme.com

device with colleagues. In the fastmoving world of SMEs, we see a good deal of entrepreneurial spirit, lots of sharing of information and a fairly minimal focus on company security policies. This has an impact – a third of workers admit to losing company data through misusing a mobile device. The answer is not to restrict employees sharing data or connecting using mobile devices. It’s about providing a secure infrastructure for them to work in. Even for a small firm of just two employees, formalizing an approach to information security is crucial. Such a policy should cover roles, devices, locations and other contextual attributes, securing corporate information and systems without impacting usability and employee productivity. In the past, SMEs have lacked this kind of expertise in house, but through growing partner networks that offer service models via the Cloud, they are now able to access expert consultancy and infrastructure without paying the premium price. BEST WAYS SMES CAN PROTECT THEMSELVES FROM MALICIOUS CYBERATTACKS SME leaders need to nurture creativity and a degree of risk taking in order

to get the best from their workforce, while at the same time recognising that attacks will happen and to have a contingency plan for this. Inevitably, this puts a lot of pressure on IT to take an adaptive trust approach to device connectivity and data security. It starts with identifying individual worker preferences in order to build secure infrastructures around them. Employee training comes next, and this should not only include a needsassessment by employee type, but should also educate employees on why such actions are important and how they can assist in improving company security. Finally, there must be a mechanism for employees to provide feedback to IT and a service level agreement should be in place for how to respond to employee input and requests. Often IT is able to improve the effectiveness of workflows and policies simply by listening to employee feedback. How SMEs adapt to the preferred behaviours of their workforce may be the make or break for long term growth. Embracing the need for openness, innovation, collaboration and some degree of risk is good – but only when an organisation can understand and plan for the security risks these behaviours bring with them. 02.2017

35


PRODUCTS

Brand: Epson Product: EB-1460Ui

Brand: Axis Product: Axis Q1659 Axis Communications’ Axis Q1659 interchangeable-lens network camera combines Canon imaging and Axis network technologies for high-resolution surveillance. According to Axis, the camera brings a new level of ultra-high definition (UHD) image quality for a fixed, widearea surveillance camera, and leverages image sensor and EF lens technologies for rich colour, contrast and detail even in the most challenging lighting conditions. AXIS Q1659 features a 20MP resolution at eight frames per second (fps), achieving unprecedented levels of detail for observing open spaces and across long distances. It features digital singlelens reflex (DSLR) imaging technology and offers a choice of seven different EF/EF-S lenses depending on individual user needs. Equipped with an EF lens mount, the camera enables easy lens changes. What you should know: The new camera, according to the vendor, has the latest enhancement of Axis’ Zipstream technology, which offers even more storage and bandwidth savings in video surveillance applications without compromising on important image details.

36

02.2017

Epson has launched a new interactive projector, the EB-1460Ui, which according to the vendor, is designed for increased collaboration and advanced business integration in meetings rooms. The device is equipped with Wi-Fi capabilities for remote working and support Skype on full HD screens of up to 100 inches. The EB-1460Ui, according to Epson, is an all-in-one solution designed to create collaborative meeting rooms, enabling Skype and other video call solutions during meetings, and a host of other easy to use interactive features. It has finger-touch and dual-pen interactivity, which lets users control any presentation and lets them easily share and stream various types

of content wirelessly from IOS or Android mobile devices with the iProjection App. What you should know: EB-1460Ui has a splitscreen option, which can be used even from two sources. Epson highlighted that this is ideal for users that are keen on carrying out two tasks at once, such as conducting presentations and hosting a video conference calls. It also has a built-in 16W speakers for audio without needing extra equipment or cables. It includes password access for whiteboard sharing, encrypted passwords for whiteboard content and wireless security to keep data secure.

Brand: IRONSCALES Product: IronShield IRONSCALES, an email security company that specialises in combining human intelligence with machine learning, has recently announced that it will unveil the first anti-spoofing email security tool to combat phishing threats in real-time. Known as IronShield, the antiimpersonation and spoofing plugin for Microsoft Outlook will inspect and analyse all emails at the mailbox level using deep scans and machine learning. Acting as an employees’ virtual security analyst to prevent against business email compromise (BEC) and CEO fraud, IronShield will automatically validate sender

reputation and authenticity, while also assessing behavioural patterns in search of anomalies in communications. What you should know: Through the solution, all suspicious emails are visually flagged the second the email hits the inbox, and a quick button link inside the Outlook toolbar enables instant notification to SOC teams for further investigation or immediate remediation. www.securityadvisorme.com


ADVERTORIAL

JUNIPER NETWORKS HOSTS

“THE OPEN DISRUPTIVE DECADE SUMMIT”

Juniper Networks recently hosted “The Open Disruptive Decade Summit” series in Riyadh, Kingdom of Saudi Arabia (K.S.A) and Dubai, United Arab Emirates (U.A.E). At these events, Juniper discussed how open networking is fundamentally changing the way data centers are designed and architected today, and how this will develop in the future as digital transformation evolves. Additionally, key customers and technology partners from the region shared their insights and added independent perspectives to the discussion. Hatem Hariri, general manager for Middle East and Africa at Juniper Networks, delivered the welcome address at both events. Senior executives from Juniper discussed how key IT use cases, such as hybrid cloud, automated and secure workflow automation and multi-tenancy combined with micro-segmentation, are delivered on an ‘Open Networking’ platform. Commenting on the event, Hariri said: “The Open Disruptive Decade Summit was a wonderful platform to talk about how an open networking approach can provide real benefits within mission-critical data center and cloud environments in the Middle East. Juniper’s open networking vision is based on the concept of de-layering, disaggregation and standards-based platforms where key functions and applications can execute anywhere within the infrastructure and where security is embedded and pervasive. Both the summits were successful in helping us share this vision with not only our partners, but also prospective clients.” According to IDC, 20 percent of companies in EMEA will have an Open Source / OpenStack-first strategy by 2018, with new www.securityadvisorme.com

applications being driven by DevOps. Intelligent, open networking can drive business transformation, according to IT decisions makers who participated in Juniper’s recent survey commissioned to explore the attitudes of senior network professionals across EMEA towards open networking adoption. The research driven by Juniper Networks further revealed that 55 percent of U.A.E respondents stated that their network is now measured on its effectiveness and ability to respond to a range of business needs, rather than merely its capacity and performance. Cost effectiveness is also considered a priority, with 65 percent of U.A.E IT experts surveyed aiming to reduce expenditure for their network infrastructure over the next 12-24 months. The reasons for open networking are clear – open means freedom and choice, translating into faster roll-out of new applications and services and a better use of IT resources and external partners. At the event, speakers highlighted how effective security is all-pervasive, from the container to the cloud, and elaborated why having a network-embedded approach to security provides the most comprehensive defense mechanism for the prevailing, constantlydynamic threat landscape. They also underlined the importance of network-embedded security in the delivery of successful open solutions. In his session, Mark Hosking, data center and virtualisation leader, Juniper Networks MEA, discussed how an ‘any underlay for any overlay’ approach provides maximum flexibility in design, by building upon what exists and incrementing with a platform built for scale, automation, seamless integration and supreme agility. 02.2017

37


BLOG

PREPARE FOR THE INEVITABLE SECURITY INCIDENT By Rob McMillan, Research Director at Gartner

D

he 2014 cyber attack on Sony Pictures Entertainment was a game changer. It was a very public example of an aggressive business disruption attack, which caused Sony to experience significant system disruption. Such an outcome could have happened to many digital businesses and was a wake-up call for this type of attack. Although the frequency of an attack on this scale is low, it showed how an aggressive cybersecurity attack can seriously impact business operations. Targeted attacks like this reach deeply into internal digital business operations, with the express purpose of causing widespread damage. Servers may be taken down completely, data may be wiped and digital intellectual property may be released on the Internet by attackers. Your business must be prepared – an intrusion is inevitable for many organisations and preventative security measures will eventually fail.The question you must accept isn’t whether security incidents will occur, but rather how quickly they can be identified and resolved. This reality of the digital economy makes effective incident response — that is, reducing the risk of incidents and mitigating the damage they cause — a top concern for security and risk professionals. WHY YOU MUST PREPARE While incident response is a regulated requirement for organizations in some

38

02.2017

industries, the costs of preparation for any company can be surpassed by the hundreds of millions in damages and recovery expenses that follow an intrusion. Along with bad press, the aftermath is littered with ransom payouts, fines, lawsuits and often increased operational expenses used to address system failures. Gartner predicts that 60% of enterprise information security budgets will be allocated to rapid detection and response approaches by 2020, up from less than 10% in 2014. As critical as it may be to protect the business from the fallout of an intrusion, effective incident response allows an organization to continue to pursue its objectives despite a disruption. Resilience is the by-product of mature incident response practices. Incident response is one of the core processes that any security leader must define, develop, implement and prioritize to protect the enterprise and demonstrate security’s value to the business. Following are three integral steps that should be considered:

1. Develop your incident response process Advance preparation is crucial to effective incident response, but it’s also extremely difficult, especially in complex, distributed enterprises. Adequate preparation will ensure that: • You already know what the most critical assets are • You are able to detect that an incident has occurred or is occurring

• A procedure is in place to resolve the incident and manage the consequences • The people involved know what their role will be

2. Prepare your people You must be prepared to manage the totality of the impact, and not just the cause of it. A breach or intrusion reaches across an entire business, with partners, executives, remote business units and customers all affected. The sudden transparency produced by an information leak requires an effective response capability that addresses the totality of the consequences across the organization, not just the consequences on IT. You must develop the right expertise to lead the organization’s response to a security incident. 3. Implement operational response Security operations are evolving with greater recognition that traditional approaches of protecting the perimeter and investing in prevention capabilities are inadequate, in light of today’s persistent and advanced attacks. The failure of traditional preventative techniques has had two important impacts: • Organisations are retooling their security architectures to improve their detection, response and, ultimately, their predictive capabilities. • Organisations now recognize that “incidents” are not just a point-in-time issue, but rather a continuous problem for IT to confront. www.securityadvisorme.com


INTERCEPT A completely new approach to endpoint security.

Sophos Intercept X is a next-generation endpoint detection and response

Sophos Intercept X is a next-generation endpoint detectionand platform designed to stop ransomware, zero-day exploits, provide detailed intelligence. response platformand designed to stopthreat ransomware, zero-day exploits,

and provide detailed threat intelligence. • Stop ransomware before it can take hostages • Block zero-day attacks with signatureless anti-exploit technology

• Stop ransomware before it can take hostages • Get easy to understand threat insight and root cause analysis • Block zero-day attacksremediation with signatureless anti-exploit • Automate and malware removal technology • Get easy to understand threat insight and root cause analysis Learn more and try for free at

· Automate remediation and malware removal www.sophos.com/intercept-x

Learn more and try for free at

www.sophos.com/intercept-x


Security Advisor Middle East | Issue 14  
Read more
Read more
Similar to
Popular now
Just for you