
ISSUE 25 | MARCH 2018


Securing digital transformation

Data loss prevention

Data protection and privacy

Integrated cloud suite for email






FOUNDER, CPI MEDIA GROUP
Dominic De Sousa (1959-2015)

PUBLISHING DIRECTOR
Natasha Pendleton +971 4 440 9139

EDITORIAL
Managing Editor Michael Jabri-Pickett +971 4 440 9158
Group Editor Jeevan Thankappan +971 4 440 9129
Online Editor Adelle Geronimo +971 4 440 9135
Contributing Editors James Dartnell +971 4 440 9153, Janees Reghelini +971 4 440 9167, Glesni Holland +971 4 440 9134

DESIGN
Senior Designer Analou Balbero +971 4 440 9140
Designer Mhar Delaben +971 4 440 9156

ADVERTISING
Group Sales Director Kausar Syed +971 4 440 9130
Sales Manager Merle Carrasco +971 4 440 9147
Business Development Manager Youssef Hariz +971 4 440 9111

CIRCULATION
Circulation Manager Rajeesh M +971 4 440 9119

PRODUCTION
Operations Manager Shweta Santosh +971 4 440 9107

DIGITAL SERVICES
Web Developer Jefferson de Joya, Abbas Madh
Photographer Charls Thomas, Maksym Poriechkin

Published by CPI Media Group
Registered at Dubai Production City, DCCA, PO Box 13700, Dubai, UAE
Tel: +971 4 440 9100 Fax: +971 4 447 2409
Printed by Al Ghurair Printing and Publishing

© Copyright 2018 CPI. All rights reserved. While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.



ON DATA Dell EMC’s Michel Nader shares critical strategies needed for protecting data.

HUNTING THE HUNTER Security Advisor ME together with Micro Focus delved into why threat hunting is the direction the security industry needs to head towards.


TELLING YOUR VALUE STORY Why IT teams need to view metrics as a critical security tool.

THE DARK RECRUITER Secureworks’ Ian Bancroft gives an overview of how threat actors operate.


UNDER A WATCHFUL EYE Norden’s Joseph John discusses the latest trends driving the physical security market.


US, UK GOVERNMENT SITES HIT BY CRYPTOMINING MALWARE
Thousands of websites, including ones run by US and UK government agencies, were infected for several hours in February with code that causes web browsers to secretly mine digital currencies, technology news site The Register reported. Websites ranging from the UK’s NHS and ICO to the US government’s court system were among the 4,200 sites infected with a malicious version of a widely used tool known as Browsealoud from British software maker Texthelp, which reads out web pages for people with vision problems. For several hours on 11th February, anyone who visited a site that embedded Browsealoud inadvertently ran this hidden mining code on their computer, generating money for the miscreants behind the caper, according to The Register. The news comes amid a surge of these types of cyber-attacks; the prevalence of these schemes has increased in recent months as the volume of trading in bitcoin and other cryptocurrencies has risen. Texthelp told The Register that it had shut down the operation by disabling Browsealoud while its engineering team investigated.



UAE DEPUTY PM “COMMITTED” TO MAKING INTERNET SAFE FOR YOUTHS
Lieutenant General Sheikh Saif bin Zayed Al Nahyan, the UAE’s Deputy Prime Minister and Minister of Interior, has said that the fast-paced developments in technology and Internet usage encourage growth and innovation, but can also bring challenges. “The fast-paced developments witnessed in technology and Internet usage encourages growth and innovation, but can also be accompanied with challenges,” said Lt. Gen. Al Nahyan. In a statement marking Safer Internet Day, which falls on the 6th of February every year, Sheikh Saif bin Zayed noted that the UAE is one of the world’s leading countries committed to providing a safe and secure online environment for children and families, while also promoting safer and more responsible use of online technology and electronic devices. “Creating a safe online environment for children and young people is necessary to address these challenges,” he added.

He emphasised the role and responsibilities parents play in guiding children and young people on using the Internet, thus assisting national institutions’ and government agencies’ efforts to create a better digital experience for all. Just last year, a report by global cybersecurity firm Kaspersky Lab revealed that 23 percent of children in the UAE have faced threats associated with social media. An additional study by B2B International also found that 10 percent of UAE children have used the Internet to meet dangerous people offline, eight percent have become a cyberbullying victim, seven percent have shared too much personal information about themselves, and seven percent have been exposed to deliberately hurtful and malicious messages from strangers through social media.

MIDDLE EAST TELCO TARGETED BY NORTH KOREAN HACKING GROUP: FIREEYE
A Middle Eastern telecoms organisation was targeted by a cyber espionage group from North Korea, a report by security firm FireEye has revealed. The targeting effort may have been on behalf of the North Korean government in an attempt to gather information on a former business partner, the report suggests. In a blog post, FireEye said that the espionage group is now being tracked as ‘APT37’ or Reaper. “Our analysis of APT37’s recent activity reveals that the group’s operations are expanding in scope and sophistication, with a toolset that includes access to zero-day vulnerabilities and wiper malware,” the post said. “We assess with high confidence that this activity is carried out on behalf of the North Korean government given malware development artifacts and targeting that aligns with North Korean state interests. FireEye iSIGHT Intelligence believes that APT37 is aligned with the activity publicly reported as Scarcruft and Group123.” The report also suggested that APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities, the report added.



Google has removed 60 games from the Play Store after it was uncovered that the so-called Adult Swine bug was delivering inappropriate and malicious ads to kids. According to Google, that’s just a drop in the bucket compared to the 700,000 apps it booted from the Play Store in 2017. In a blog post titled “How we fought bad apps and malicious developers in 2017,” Google spotlights the numerous ways it has stayed ahead of bad Play Store apps over the past 12 months. In addition to the 700,000 apps it took down in 2017—a 70 percent increase over 2016’s numbers—Google also says it was able to identify and root them out much more quickly. The company says that 99 percent of apps “with abusive contents” were tossed from the Play Store before anyone could install them. Google also says it has developed new detection techniques to weed out repeat offenders and identify “abusive developer networks at scale” to stop them from simply submitting another set of bad apps. According to Google, the biggest reason for the jump in removed applications was machine learning. Google used its AI-powered engine to help “detect abusive app content and behaviors—such as impersonation, inappropriate content, or malware”, which then helped the human reviewers detect problematic apps.

AMAZON BOLSTERS SMART HOME SECURITY OFFERINGS WITH LATEST ACQUISITION
Amazon has reportedly agreed to buy Ring, maker of security cameras and Internet-connected doorbells. Details on the deal are still very light; however, reports by Reuters said that the deal valued Ring at more than $1 billion. Amazon declined to discuss the terms. Ring is set to be one of Amazon’s most expensive takeovers, after its $13.7 billion deal last year for Whole Foods Market. “Ring’s home security products and services have delighted customers since day one,” an Amazon spokesman said in a statement. “We’re excited to work with this talented team and help them in their mission to keep homes safe and secure.” The online retail firm’s move comes four months after it introduced its own smart-home technology to allow delivery workers to bring packages straight into customers’ homes, Amazon Key. According to analysts, Ring’s security devices could work well with Amazon Key, a smart lock and camera system that lets delivery personnel put packages inside a home to avoid theft or, in the case of fresh food, spoiling. The company’s Alexa voice assistant works with Ring gadgets. Amazon invested in Ring last year through its venture capital arm, the Alexa Fund, which Amazon uses to support businesses that develop apps for the Echo and Alexa. “We are committed to our mission to reduce crime in neighborhoods by providing effective yet affordable home security tools to our Neighbors that make a positive impact on our homes, our communities, and the world,” Ring said in a statement. “We’ll be able to achieve even more by partnering with an inventive, customer-centric company like Amazon.”

DUBAI POLICE TO MAKE THE EMIRATE THE WORLD’S SAFEST CITY
The Dubai Police will soon have eyes all over the emirate with the launch of its latest smart security project. The law enforcement agency has recently unveiled its Oyoon (Eyes) project, with the support and participation of the governmental, semi-governmental and private sectors, to implement the Dubai 2021 plan in a bid to enhance the emirate’s global position in terms of providing a safer living experience for all citizens, residents and visitors. According to the Dubai Police, the aim of the project is to create an integrated security system that works through all strategic partners to exploit modern and sophisticated technologies and artificial intelligence features to prevent crime, reduce traffic accident related deaths, prevent negative incidents in residential, commercial and vital areas, and to be able to respond immediately to incidents even before they are reported to the command unit. Major General Ibrahim Khalil Al Mansouri, Assistant Commander for Criminal Investigations of Dubai Police, said the project is an effective translation of the UAE’s strategy for AI to achieve its objectives of relying on services, data analysis and smart applications in various fields of work efficiently and effectively. Maj-Gen Al Mansouri said the project also contributes to supporting the decision-making process, ensuring the protection of all vital areas and roads, and optimising the use of human resources by reducing human intervention, especially in the areas of monitoring, analysis and surveillance. Maj-Gen Al Mansouri said a project committee, which includes strategic partners from the government sector, was formed. The committee will set standards on the installation and use of all CCTV cameras across the Emirate of Dubai, and conduct field studies across all jurisdiction areas to ensure the highest levels of security and safety in the region.




ELIMINATING INSIDER THREATS
How to keep your company’s confidential data within the confines of your building





While so much noise is focused on external threats, very little attention is paid to insider threats, which are growing at an alarming rate. According to a 2017 survey of security professionals from Haystax Technology, 56 percent of respondents said insider threats have grown more frequent in the past year. Another study from IBM says insiders are responsible for 60 percent of all data breaches. Of those breaches, 75 percent were done with malicious intent and 25 percent were accidental. A Verizon study puts the number of insider-led data breaches even higher, at 77 percent.

Just how big is the insider threat problem? “As businesses embrace digitisation—and the Internet of Everything (IoE) begins to take shape—defenders will have even more to worry about. The attack surface will only expand, giving adversaries more space to operate. Ask any cybersecurity specialist to name the biggest security threat to an organisation and they’ll tell you it’s people,” says Scott Manson, Middle East cybersecurity lead at Cisco. According to the Cisco Connected World Technology Report, 7 of 10 employees admitted to knowingly breaking IT policies on a regular basis, and 3 of 5 believe they are not responsible for protecting corporate information and devices.

Brian Pinnock, cyber resilience expert at Mimecast, breaks down insider threats into three categories: “With a malicious insider threat, an employee inside the organisation purposely seeks to steal data, leak information or otherwise damage the organisation. A careless insider threat occurs when employees don’t understand security policies or follow security rules, putting the organisation at risk for malware infections and data leaks. Forrester (2017) indicated that 57 percent of respondents reported incidents that involved careless insiders. Lastly, the compromised insider threat involves an employee whose email account has been taken over by a hacker through credential harvesting, social engineering, phishing emails or malware in order to steal information or make fraudulent financial transactions. 63 percent of respondents reported incidents involving compromised insiders.”

Kamel Heus, regional manager of Centrify, says the fundamental issue is that too many people have too much access, to too many things, from too many places. “It is very important that people have access only to what they need for their job, following ‘least-privilege’ principles. This includes access to applications (either on-premises or in the cloud) and appropriate access to systems and network devices for administrative users.”

Of course, not all insider threats are malicious, which makes them harder to spot. “This can be very hard to detect and it may actually go undetected for years. Behaviour is the key and it is important to determine the behaviour patterns of individuals. Technology will be key to this. However, technology is not the only way to detect behaviour changes. Peers, time cards and physical access records are important when identifying these physical changes,” says Mohammed Al-Moneer, regional director of A10 Networks.

There are also other steps companies can take to prevent insider threats. “You can lock every window and bolt every door to keep out intruders, but it won’t be of much use if the attacker is already inside; if the attacker is an insider. An effective security strategy with a comprehensive incident response plan helps to protect an organisation before, during and after an attack. A good operational model for security begins with articulating and implementing effective policies, strong change management processes, disciplined access control mechanisms, and automated authorisation and verification rules. A combination of training, strict policies and procedures is important to address employee bad behaviour,” says Manson.

Rick Vanover, director of strategy for Veeam Software, says the single most effective tool to mitigate the risk associated with insider threats to backup data is visibility. “Visibility, however, means more than just one perspective. Whether it is who has access to what, what individuals are doing with this data and, most importantly, being aware of situations where only one individual has access to backup data. Beyond that, identify what anyone is doing with backup data, including the situation where something is not restored (just viewed) or restored into a new direction. Beyond that, organisations can build mechanisms with backup data to keep it resilient to sabotage and risks such as ransomware kits and scripts that can wipe out a lot of data.”

For an insider threat programme to be successful, it is important for CISOs to gain boardroom buy-in and highlight the value such a programme would bring to the company in detecting and preventing harm to people, property and company reputation. A thorough assessment of the known or existing vulnerabilities and threats, weighed against the overall company risk appetite, is essential. Aadesh Gawde, Principal, R&D and Innovation at ProVise Consulting, says insider threats are constantly evolving and changing. It is imperative to design an effective insider threat programme to at least mitigate the damage. The programme has to have a directional combination of policies, technical, procedural and behavioural controls.

Roland Daccache, senior regional sales engineer at Fidelis Cybersecurity, says the typical security stack (firewall, AV, IPS) is usually considered ineffective against insider threats. “From a technology standpoint, the most useful solutions are User Behavioural Analytics that look for outliers and erratic user behaviour changes, and Data Leakage Prevention that identifies data theft and exfiltration attempts. More recently, we have seen the great evolution of deception technologies that plant traps and decoys in the malicious user paths; the latter is considered one of the most relevant technologies that acts as an early warning system to quickly spot the insider threat before any damage can occur.”

Another important technology to help prevent employee exfiltration of data is solutions focused on monitoring employee activity and how content is accessed. There are varying levels of features and functions across the variety of monitoring tools available, but capabilities enabled include monitoring all email and webmail traffic, tracking the websites that employees visit, capturing all of their instant messages and even keystroke logging in some cases. While these types of tools carry with them a bit of a “creepiness” factor, they are useful in two ways: first, by allowing IT to understand just about everything an employee is doing; and second, by inhibiting inappropriate behaviour because employees know their activities are being tracked.

Dealing with the problem of insider threats requires more than technology; it also mandates that CISOs create a culture of security and a cyber-aware workforce in their organisations. Putting in place a proactive insider threat detection programme and a safe reporting structure can go a long way in mitigating situations such as malicious employees, data loss or even liability from false accusations.


SECURING DIGITAL TRANSFORMATION
How to win the battle to secure the digital world


Security teams have often been perceived as barriers to the business’s seamless adoption of new digital technologies, because keeping the business secure trumps the benefits of technologies that foster employee productivity. A true digital transformation programme must entail a proactive approach to information security, which strengthens the corporate risk posture and protects customers. However, securing digital technologies poses a myriad of challenges.

“While it is difficult to quantify one barrier to success over another, security is certainly one of the biggest barriers to a ‘successful’ digital transformation (DX). Because DX involves working with multiple digital technologies, some of which organisations have never worked with previously, DX efforts without comprehensive security integrated into the project will be a major liability,” says Patrick Grillo, senior director of solutions marketing at Fortinet.

Sebastien Pavie, regional director of enterprise and cybersecurity at Gemalto, agrees security is often seen as a key barrier to digital transformation, and a chief concern for most organisations. “Digital transformation, especially in cloud and mobility, is a fast-growing reality in the business world. Beyond going paperless, which was one of the major drivers initially, digitalisation is about the wave of new-generation applications and services leveraging an exponential amount of data at your fingertips. However, there are several barriers to digital transformation that prevent organisations from taking a full leap.”

Adrian Davis, EMEA managing director of (ISC)², adds that quite the reverse can also be true. “Security ensures digital transformation will be able to deliver against the aspirations companies have for their digital transformation strategies. The barriers come from the lack of maturity in understanding of the risks and, therefore, the investment in the controls and security warranted. The rush to take advantage of modern technologies, new methods of reaching customers and delivering services has prevented careful consideration of the risks and fuelled a drive to shorten development and delivery processes,” he says.

What are some of the risks created by the increasing wave of digitalisation? Scott Manson, cybersecurity lead at Cisco, says the internet was built on the idea of openness – getting more things on rather than keeping them off. Today, devices and people are coming online at an unprecedented scale. By 2021, more than 1M IoT devices will come online every hour of every day. “As a result, points of threat entry are constantly changing and expanding every time a new ‘thing’ comes onto the network. As the attack surface increases and the stakes grow, the number of threat actors is increasing as well, and their level of sophistication is evolving quickly.”

Pavie from Gemalto offers another perspective: “Today, things like mobility, IoT, and cloud computing are requiring us to develop a new, third generation of security. Data and applications travel between a variety of users and devices and span multiple borderless networks, making visibility and control more difficult. We need to be able to secure the growing number of vulnerable IoT and endpoint devices touching the network. Networks themselves have become highly elastic and distributed. Security needs to be able to dynamically scale and respond to shifting network resources. To do that, security needs to be broad, powerful, and automated.”

Another issue is the fact that security teams are consulted too late on digital transformation. According to a Dimensional Research study commissioned by Dell, IT decision makers who have responsibility for security believe security teams are brought in too late to have a meaningful effect on digital transformation initiatives. All the respondents to the survey listed security as one of their major responsibilities, but 76 percent felt their security teams were either brought into transformation projects too late to have an impact or were bypassed entirely. Eighty-five percent said business users avoid engaging their security teams for fear their initiatives will be delayed or blocked, while 63 percent said there is no basis in those fears.

“I think this varies largely from organisation to organisation, but often security is not prioritised as much as it really should be,” says Nicolai Solling, CTO of Help AG. “Any organisation that is going through a proper digital transformation will go from having the ‘organisation operating technology’ to ‘technology operating the organisation’, and when you aim for such an intimate link between technology and your business success, I believe that all efforts associated with securing your business should be expected.”

For years, security vendors have touted the necessity and superiority of their tools as one-stop solutions to security woes. Now, the advent and ubiquity of the Internet has changed the attack surface, and this highly dynamic digital environment has introduced a complexity that eludes security professionals and solution providers alike. The only panacea is to bake in security right from the beginning and stop treating it as an afterthought.






At a recent roundtable discussion on the future of cybersecurity, CISOs spoke about why threat hunting is the direction the security industry needs to head towards.

An ever-changing threat landscape and the growing sophistication of threats have made the responsibility of the CISO much more complicated and important than ever. From inherent risks associated with emerging technologies and non-technical employees who lack security awareness, to advanced threats such as ransomware, there is a plethora of problems forcing enterprises, both small and large, to rethink their security strategies to mitigate risks to the business. To discuss some of the burning issues faced by security decision makers today, Security Advisor ME, in association with Micro Focus, organised a roundtable discussion last month.

The event was kicked off by Dirk Benecke, security products pre-sales director at Micro Focus, who gave an overview of the company, which launched its operations in the region last year, after its merger with HPE Software. “We are the seventh largest pure-play software company in the world and second largest in Europe. Micro Focus has a huge security portfolio addressing all key aspects of security, ranging from IAM, security operations management and application security to encryption.” He went on to list some of the top CISO challenges, including the increasing frequency of attacks in a complex environment, lack of skilled resources and articulating the business value of security investments.

This was followed by a presentation by Marcus Knorr, security solutions pre-sales manager at Micro Focus, on the ways to master SOC challenges leveraging big data and machine learning techniques. He also shared the latest developments around the company’s ArcSight enterprise security manager platform, which now boasts real-time correlation, detection analytics and threat exploration engines. “With a capability to handle 2 million security events per second, thanks to a Kafka-based message bus, ArcSight is the foundation of modern SOCs with its ability to collect, normalise and enrich all data and logs to provide advanced analytics.”

When the floor was opened for discussion, the CISOs and CIOs who participated in the event raised some of the challenges faced by enterprises today when it comes to dealing with the ever-changing threat landscape. “There is no silver bullet to security issues today but you can take a silver gun approach – having multiple solutions working in tandem to solve the challenges. We need solutions that can help us actively hunt for threats, detect them and respond quickly. If there is a ransomware attack, we need tools that can help us understand the blast radius and take remedial measures immediately,” said Vivek Gupta, CISO of Landmark Group. Speaking about the issue of privileged user abuse, which is a daunting challenge for many enterprises, Ashith Piriyattiath, CIO of Al Masah Capital, said the remedy is to integrate DLP and UBA tools into HR systems, and real-time analysis of live network traffic.

Though cybersecurity is now a boardroom agenda item, finding funding for security projects and winning top management support can still be an issue for many CISOs. “One way to overcome this challenge is to talk the language of business to your board, and articulate the risk to business,” said George Eapen, CISO of GE. “You need to explain to your CFO the cost of not doing something, and that would make it easier to get funding for your security projects.” Anoop Kumar, CISO of Al Nisr Publishing, pointed out that security is often treated as an afterthought in many organisations. “Business project managers fail to involve us right from the beginning and this could cause serious problems.” Kuldeep Bhatnagar, CISO of Environment Agency, Abu Dhabi, said security tools themselves can’t address the challenges. “You may invest in cutting-edge solutions or tools, but if you don’t make the best use of them, it is not going to help you. It is why the human factor is so important in security today,” he said. Also speaking at the discussion were Venkatesh Mahadevan (CIO of Dubai Investments), Shailesh Mani (CIO of Flemingo International), VJ Srinivas (IT security head at EGA, RAK) and Clen Richards (senior IT security officer at Meraas).




KEEPING DATA SAFE
Kristina Tantsyura, business development director of InfoWatch Gulf, talks about why we need a more systematic approach to protecting data and privacy.


What are the technologies available in the market today to help companies meet ever-changing data protection regulations?

The new General Data Protection Regulation (GDPR) introduces fundamental changes in the principles of management and processing of personal data. From now on, personal data protection mechanisms will evolve from an “additional option” added at the last moment to an elaborate component of data processing systems. This means that companies will have to reconsider their approach to the use of technology. There are a large number of data protection technologies on the market, but it is important to understand that the key issue is not the choice of a specific technology, but the formation of an understanding and rules for the company’s overall data protection system, its features and details, for a specific company. Only at the next stage should specific technologies be chosen. All over the world, intruders are hunting for huge volumes of personal data. However, this is not true for the Middle East, with local cyber criminals targeting the most liquid data and, hence, the banking, manufacturing, government and hi-tech sectors. According to an InfoWatch Analytical Center report, every third data leak in the Middle East compromises a state or trade secret. InfoWatch’s main solution, InfoWatch Traffic Monitor, prevents confidential data leaks and thus eliminates financial losses.

What will be the impact of regulations such as GDPR on Middle East businesses?

The companies in the Middle East that do business in the EU, or offices of European companies in the region, that handle Europeans’ data now must comply with the European Union’s new General Data Protection Regulation. Any organisation with European customers must ensure that they comply with various new measures mandated by the EU law, which include mandatory data breach notifications and stronger privacy protections for consumers, as well as stringent data security requirements. GDPR also gives privacy regulators stronger enforcement powers. Any organisation that violates the rules could face penalties of up to 4 percent of their global annual revenue or €20 million ($21.2 million), whichever is greater. The regulation would probably entail companies re-engineering their processes and information systems to ensure compliance with GDPR, unless they have adequate privacy assessment and compliance processes in place. Many Middle Eastern countries have already implemented their own data protection regulations. For instance, the UAE issued a Data Privacy and Protection Law, which is closely aligned with GDPR. But until now Middle Eastern countries’ privacy and breach notification regulations, in general, are less strict and detailed than GDPR. But because Dubai’s law is less tough than GDPR, companies in the nation that do business in Europe will face the new challenge of complying with the EU regulation as well, he points out. In fact, GDPR could serve as a catalyst for nations in the region to enforce stronger privacy protections and breach disclosure requirements, some security experts say.

Should companies have a data protection strategy for mobile devices?

Data protection is a complex problem and, of course, it is necessary to analyse all information traffic channels, including mobile devices, to solve it. To analyse the threats to data when using mobile devices, companies should not create separate strategies. At the same time, of course, the sensitive point remains that employees of almost any company use their mobile devices not only for work but also for personal goals, and this factor must be taken into account. From this point of view, of course, the most effective approach is to provide employees with special mobile complexes, such as InfoWatch Taigaphone, which can protect company data.




THE DARK RECRUITER Ian Bancroft, vice president and general manager, EMEA, Secureworks, gives an overview of how threat actors operate.


It’s no secret that 2017 was the year of high-profile cyber-attacks. From WannaCry to NotPetya to BadRabbit, cyber-attacks hit hundreds of businesses, crippled hospital networks and compromised the security of hundreds of thousands of devices around the world. Unfortunately, the rise in cybercrime shows no sign of slowing as attacks become more sophisticated and the number of cyber gangs continues to grow. Over the next three years in total, experts predict that the damage is set to hit $6 trillion, with cybercrime becoming one of the ‘greatest transfers of economic wealth in history’. With the advent of emerging technologies such as the Internet of Things (IoT) and Artificial Intelligence (AI), the threat landscape is only going to continue to grow. Correspondingly, we’re seeing organisations investing heavily in cybersecurity, as nearly half of them were hit with a cyber-attack in the first half of 2017 alone.


The question is, do we have the right pool of cybersecurity talent available for organisations to dip into? On the one hand, analyst houses like Gartner are predicting that the shortage of skilled cybersecurity workers will continue to rise – which is partly evidenced by the zero percent unemployment rate. On the other, you have governments investing millions into tech initiatives and promising an increase in the number of teachers trained in computer science and coding. However, with all of the high-profile attacks of last year taking centre stage, there hasn’t been a tremendous amount of focus on what’s under the hood, e.g. how organised crime rings themselves operate and recruit, and what cybersecurity skills they prioritise for nefarious gain.

Down the rabbit hole

If you were to take a guess, the first image filling your mind might be of hooded people gathered on street corners trading secrets and job specs – it’s the go-to depiction of a traditional cybercriminal. But organised cybercrime groups function like any other business. The first concern for the discerning dark recruiter will be keeping the cybercrime ring off the radar - but much like mainstream industry, job ads can also be posted to forums on the dark web, and referrals are frequently used to ensure the candidate isn’t an undercover law enforcement officer. As with any business, attracting and retaining the right talent is important for organised cybercriminal enterprises. Before posting a job ad or talking to a fellow threat actor, cybercrime recruiters need to differentiate between roles and think about the skills they need. Within the cybercrime ecosystem there are a range of diverse roles, which are filled from inside criminal groups or “outsourced” for efficiency. These roles can be anything from a traditional cybercriminal (distinguished by their focus on minimising risk and maximising

profit) to an inject writer (an expert coder able to write malware that interacts with and mimics the websites of banks) to a data processing specialist (skilled at triaging large amounts of data and identifying its value). These are highly skilled roles that require years of training, experience and technology skills. But when on the lookout for cybercriminals, dark recruiters don’t just look for computer geniuses – there are always different levels and job descriptions in all organisations. If someone isn’t overtly tech savvy, their role might be as a “money mule”. Money muling continues to show up as an integral component of the online criminal landscape, even though criminals are diversifying their cash-out operations. Why is this? Most cybercrime is perpetrated in an effort to make money, so cybercriminals have to be able to turn stolen financial data, such as online banking credentials and credit card details, into physical cash or goods, unless, of course, ransomware is the preferred approach. Turning stolen data into cash is often risky, so experienced criminals minimise their own risks by using money mules to do this work. Mules are either knowing or unknowing accomplices who receive the stolen funds or high-value goods, and then transfer them on through a distribution chain out of their country and eventually into the hands of the cybercriminal. Cybercriminal groups may advertise for money mule positions on the Internet underground, and sometimes other threat actors will volunteer to open a bank account and receive stolen funds in exchange for a percentage of those funds or a flat fee. In this way, cybercriminals who are not as technically capable can fill a niche by offering a different service. Forums on the internet underground often feature “trust rating” systems and specific message boards dedicated to grievances and outing so-called “rippers” — individuals who have been deemed untrustworthy. More sophisticated and experienced organised criminal groups will make use of the services of specific mule recruitment groups that specialise in recruiting, grooming and organising unwitting members of the public, rather than using other criminals to receive the initial stolen funds.

Into the light

The old adage “keep your friends close, but your enemies closer” is how organisations and cybersecurity teams need to view these online crime rings. By understanding how these networks operate, it will be easier to safeguard against attacks and spot potential mules within the organisation. But beyond understanding how these threat actors operate, how else can organisations put measures in place to continuously counteract ever-more sophisticated cyber-attacks and outsmart threat actors? Education at the early stages is paramount. The security industry is

already developing interest with the likes of the Cyber Academy and GCHQ-sponsored hacking challenges, but it needs to do more to attract talent. By appealing to students at university and hosting open information days, security firms can help capture interest and encourage graduates to apply for their schemes. Once a company has identified and hired its security talent, it must then nurture and retain that talent for the long-term future. Organisations need to grow talent from the very beginning, encouraging those with an aptitude for cyber security to push themselves further and further. A role in cyber security should not only challenge employees, but also give them the opportunity to develop their own niche and progress upwards with real career options. Finally, it is critical that organisations help employees adopt the right mindset for a career in cybersecurity. Cyber-attacks shouldn’t panic organisations. They are inevitable and will only become more commonplace as cryptocurrencies like Bitcoin, which offer untraceable extortion capabilities, become increasingly popular. Organisations must relish the challenge that cybersecurity presents, approach it from the top down, and view it as an ongoing challenge rather than a problem. This is the view that the younger generation must also adopt, and it is our responsibility to help ingrain this cultural mindset at the earliest possible stages to ensure they are driven to help protect the organisations of the future.


27th March 2018 | Habtoor Grand Hotel and Resort, Dubai UAE


Nominate now

Security Advisor ME’s CISO 30 awards recognise 30 organisations (and the people within them) that have delivered ground-breaking business value through the innovative application of risk and security concepts and technologies. Winners will be recognised in March 2018 at the inaugural CISO 30 conference taking place in Dubai. Here is what you will need to complete your nomination:
• The name of the project/initiative and a brief description of its objective
• A more detailed narrative describing the project
• Some empirical facts/metrics that demonstrate the project/initiative’s value
• Additionally, you will also be asked to provide details about key contacts in the nominated organisation
Award nominations may be submitted by an organisation itself, by public relations professionals representing a nominated organisation, or by solution providers/partners of a nominated organisation. The deadline for submission is 7th March 2018. Thank you in advance for your nominations and good luck.

When: 27th March 2018
Where: Habtoor Grand Hotel and Resort, Dubai, UAE
Who: CISOs/CIOs/CTOs, Chief Risk Officers, GRC teams, infrastructure and technology decision makers, security evangelists and consultants
For sponsorship enquiries, please contact Kausar Syed, Group Sales Director, Mobile: +971 50 758 6672


3 PILLARS OF CYBERSECURITY DEFENCE Morey Haber, vice president, technology, BeyondTrust, explains why regional organisations should ensure that their cybersecurity defence includes solutions that integrate identity, privilege and asset.


The foundation of cybersecurity defence has been clouded by point solutions, false promises, and bolt-on solutions that extend the value of a given technology based on a need. After all, if we count how many security solutions we have implemented, from anti-virus to firewalls, we find dozens of vendors and solutions throughout an organisation. The average user or executive is not even aware of most of them, even though they may interact with them daily, from VPN clients to multi-factor authentication. If we step back and try to group all of these solutions at a macro level, we will find each one falls into one of three logical groups. These form the pillars for our cybersecurity defences, regardless of their effectiveness:

Identity – The protection of a user’s identity, account, and credentials from inappropriate access
Privilege – The protection of the rights, privileges, and access control for an identity or account
Asset – The protection of a resource used by an identity, directly or as a service

While some solutions may be supersets of all three pillars, their goal is to unify the information from each in the form of correlation or analytics. For example, consider a Security Information and Event Management (SIEM) system. It is designed to take security data from solutions that reside in each pillar and correlate it for advanced threat detection and adaptive response. Correlation can be driven by any trait that appears across the pillars. Time and date parameters are typically the foundation, and an identity accessing an asset with privileges is a simple way of looking at how the pillars support the entire cybersecurity foundation of your company. This answers, “What is inappropriately happening across my environment that I should be concerned about?” A good security solution should represent all three pillars. For most vendors and businesses, the integration of these three pillars is very important. If security solutions are isolated, do not share information, or only operate in their own silo (one or two pillars), their protection capabilities are limited in scope. For example, if an advanced threat protection solution or anti-virus technology cannot share asset information, or report on the context of the identity, then it is like riding a unicycle. If pushed too hard, an environment could lose its balance and fall over. If that analogy does not resonate with you, imagine not tracking privileged access to sensitive assets. You would never know if an identity is inappropriately accessing sensitive data. That is how threat actors are breaching environments every week. When you look at new security solutions, ask yourself what pillar they occupy and how they can support the other pillars you trust and rely on every day. If they must operate in a silo, make sure you understand why and what their relevance will be in the future. To this point, what is an example of a security solution that operates only in a silo? Answer: one that lacks integrations, log forwarding, any concept of assets (even if only IP-based), or even basic role-based access. Sounds like an Internet of Things (IoT) device. An IoT door lock that provides physical protection for assets based on a static identity, and that cannot share access logs or integrate with current identity solutions, is a bad choice for any organisation. A standalone anti-virus solution that has no central reporting on status, signature updates, or faults is another. There is no way of knowing if it is operating correctly, if there is a problem, or even if it is doing an exceptionally good job

blocking malware. Why would you essentially pick a consumer-grade anti-virus solution for your enterprise? Unfortunately, this happens all the time and we end up with the bolt-on approach to solve the problem. As we stabilise our cybersecurity best practice, and focus on basic cybersecurity hygiene, consider the longer-term goals of your business. If you choose a vendor that does not operate in these three pillars, has no integration strategy, or is an odd point solution, be aware of the risks. Everything we choose as a security solution should fall into these pillars; if it does not, then ask a lot of questions. For example, why would you choose a camera system without centralised management capabilities? It falls into the asset protection pillar and can monitor physical access by an identity, but without centralised capabilities and management it is a standalone pole not supporting your foundation. It needs to support all three pillars to be an effective security solution and ultimately provide good information for correlation, analytics, and adaptive response. In conclusion, some may argue there could be four or even five pillars for a sound cybersecurity defence. They could be education, partners, etc. to support your foundation. I prefer to think of all tools and solutions in these three categories. Why? A three-legged stool never wobbles!
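The correlation the article attributes to a SIEM, an identity accessing an asset with privileges, joined on time, is easy to sketch in code. The following is an added example, not code from the article or from BeyondTrust: three constructed log sources, one per pillar (sign-ins, privilege elevations, data-store reads, all in an assumed key=value format), are joined per sensitive-asset access over a fifteen-minute look-back window, and an alert is raised when the identity context is missing or comes from an untrusted network. The asset names, network ranges and timestamps are invented for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events, one source per pillar (not from the article).
# Identity pillar = sign-in events, privilege pillar = elevation grants,
# asset pillar = reads of data stores. The key=value format is an assumption.
IDENTITY_LOG = """\
2018-03-05T09:01:10Z source=idp user=alice result=success src=10.0.0.5
2018-03-05T09:03:44Z source=idp user=bob result=success src=203.0.113.9
"""
PRIVILEGE_LOG = """\
2018-03-05T09:02:00Z source=pam user=alice action=elevate role=db_admin
2018-03-05T09:05:12Z source=pam user=bob action=elevate role=db_admin
2018-03-05T09:06:30Z source=pam user=carol action=elevate role=db_admin
"""
ASSET_LOG = """\
2018-03-05T09:02:30Z source=db user=alice asset=customer_pii op=read
2018-03-05T09:05:40Z source=db user=bob asset=customer_pii op=read
2018-03-05T09:07:00Z source=db user=carol asset=customer_pii op=read
2018-03-05T09:30:00Z source=db user=alice asset=public_docs op=read
"""

SENSITIVE_ASSETS = {"customer_pii"}   # constructed data classification
TRUSTED_PREFIXES = ("10.",)           # constructed corporate address range
WINDOW = timedelta(minutes=15)        # how far back to look for context

KV = re.compile(r"(\w+)=(\S+)")


def parse(log):
    """Turn key=value lines into dicts with a datetime under 'ts'."""
    events = []
    for line in log.splitlines():
        stamp, rest = line.split(" ", 1)
        ev = dict(KV.findall(rest))
        ev["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def in_window(ev, user, end):
    """True when the event belongs to `user` and happened within WINDOW before `end`."""
    return ev["user"] == user and end - WINDOW <= ev["ts"] <= end


def correlate(identity_log=IDENTITY_LOG, privilege_log=PRIVILEGE_LOG, asset_log=ASSET_LOG):
    """For every read of a sensitive asset, join the identity and privilege
    context for the same user in the preceding window and decide whether the
    access looks inappropriate. Returns a list of alert dicts."""
    logins = parse(identity_log)
    elevations = parse(privilege_log)
    alerts = []
    for access in parse(asset_log):
        if access["asset"] not in SENSITIVE_ASSETS:
            continue
        user, when = access["user"], access["ts"]
        ctx_logins = [e for e in logins if in_window(e, user, when)]
        ctx_elev = [e for e in elevations if in_window(e, user, when)]
        reasons = []
        if not ctx_logins:
            # Privilege and asset pillars saw the user, the identity pillar did not.
            reasons.append("no sign-in for this identity within the window")
        elif not any(e["src"].startswith(TRUSTED_PREFIXES) for e in ctx_logins):
            reasons.append("sign-in from untrusted network " + ctx_logins[-1]["src"])
        if reasons:
            alerts.append({
                "user": user,
                "asset": access["asset"],
                "ts": when,
                "elevated_roles": [e["role"] for e in ctx_elev],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in correlate():
        print(a["ts"], a["user"], a["asset"], a["elevated_roles"], "; ".join(a["reasons"]))
```

Run as-is the script flags bob (sensitive read after a sign-in from outside the trusted range) and carol (privilege elevation and sensitive read with no sign-in at all), while alice's read of the public store is ignored. Each of the three sources on its own is unremarkable; the finding exists only in the join, which is the point the article makes about siloed tools.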



Network World Middle East Awards 2018 Is your network a platform for business innovation and growth? If the answer is yes, we would like to hear from you. Now in its 9th year, Network World ME Awards has established itself as the major event that recognises and celebrates networking excellence. The 2018 NWME Awards are open to companies anywhere in the Middle East. It aims to honour IT and business pros who have demonstrated innovative leadership on all sides of the networking industry. Nominees can apply for the awards at no cost.

NOMINATE NOW For sponsorship enquiries, please contact Natasha Pendleton, Publishing Director, Mobile: +971 56 787 4778





UNMASKING DLP Thomas Fischer, global security advocate, Digital Guardian, on how organisations can create data-centric security strategies in 2018.


As businesses continue to go ‘digital’, we find ourselves in a perimeterless world; constant information flow is the lifeblood of the business ecosystem. Data is distributed and dispersed throughout the ecosystem, expanding the domain requiring protection. Adversaries are actively targeting critical data assets throughout the ecosystem — significantly increasing exposure and impact to businesses. Faced with this new reality, protecting your organisation’s most critical assets requires a shift in mindset and a data-centric approach to security. Enter Data Loss Prevention (DLP). Today’s DLP solutions must protect against insider threats, external attacks, and outsiders posing as insiders. DLP must protect enterprise data no matter where it resides and how it is used. It must protect financial information, customer data, and intellectual property. DLP technologies provide valuable context that can help enterprises recognise the sensitivity of potentially compromised data, and then focus remediation and incident response efforts accordingly. Success with DLP depends on setting reasonable data protection priorities, selecting a deployment method and correctly evaluating vendor solutions.

STEP 1: DETERMINE YOUR PRIMARY DATA PROTECTION OBJECTIVE

Traditionally, organisations adopt DLP to achieve one of three objectives:
• Comply with regulations - Compliance has long been and remains a primary driver of DLP demand. Starting more than 15 years ago, regulatory requirements mandated controls for handling sensitive data and helped drive a surge of “checkbox DLP” purchases by large, compliance-bound enterprises. Heavily regulated industries, such as financial services, retail, government and healthcare, tend to invest most in DLP when compliance is the primary objective.
• Protect intellectual property - Forrester Research makes the case for IP protection as the top DLP objective as compared to securing personal cardholder information (PCI), personal health information (PHI) or personally identifiable information (PII). The loss of IP can result in a permanent loss of competitive advantage. IP tends to skew towards unstructured data. DLP tools must be trained to understand which unstructured information constitutes your organisation’s critical IP, meaning the solution must be able to discern unstructured data’s content and context.
• Business partner compliance - The globalisation of the supply chain means that manufacturers of goods and services rely on global relationships to deliver value to their customers. To facilitate this, an unimpeded data flow is needed, and that stream often contains sensitive data, necessitating robust data protection.

STEP 2: DETERMINE THE ARCHITECTURE

With your data protection objective defined, there are four primary DLP deployment architectures, and a growing number of organisations are leveraging a mix to cover their evolving business.
• Endpoint DLP - Endpoint DLP relies primarily on purpose-built software agents that live on endpoints: laptops, desktops, servers, any device that runs Microsoft Windows, Linux, or Apple OS X. The agent delivers visibility and, if desired, control over data. Deployment involves installing the agent on machines where protection is desired. No agent means no coverage.
• Network DLP - Often referred to as agentless DLP, Network DLP delivers visibility and control of traffic that passes across the network. A physical or virtual machine inspects all traffic, such as mail, web and IM, and can then enforce data policies. Deployment is via either a physical appliance or a virtual machine, followed by configuring network traffic to pass through it for inspection.
• Discovery DLP - Discovery DLP proactively scans your network, including laptops, servers, file shares, and databases, to deliver a comprehensive analysis of where sensitive data resides on all these devices. To perform the data discovery, some solutions require an agent to also be installed on the machine being scanned.
• Cloud DLP - Cloud DLP, much like Discovery DLP, scans storage repositories and delivers an accurate picture of where sensitive data lives, though as its name suggests Cloud DLP focuses on your data that lives in the cloud. Cloud DLP relies on an API (Application Programming Interface) to connect with the cloud storage service (Box, OneDrive, etc.) and then scans the content. Cloud DLP sees data as it is being put into the cloud and can perform a cloud storage audit or remediation.

The most important consideration before undertaking a DLP project is to determine your organisation’s primary data protection objective.

STEP 3: SELECTING A VENDOR

Before reaching out to vendors, engage business leaders informally on what data exists and how it’s used. What pockets of information exist in your business? Who uses the data, and who shouldn’t use it? How does sensitive information move? How could your data be lost, compromised, or abused? Compare these insights with how perception differs from reality. The benefits of this are twofold. For one, these discussions provide you with the details needed to create a strategic data protection plan, and secondly, it will make

business leaders aware of the programme and begin the process of gaining buy-in from critical constituencies. When it comes down to actually selecting a vendor, make sure you:
• Research the initial vendor set - Hundreds of vendors offer some form of data protection. I recommend identifying and applying a set of filters to narrow down your organisation’s choices. One common filter is identifying whether the vendor supports all of your operating environments. Another guide used by many organisations is the Gartner Magic Quadrant report for Enterprise DLP. Peer research is a valuable source of information as well.
• Reach out to vendors with a plan - After you create the short list, it is time to contact the vendors. Have a list of use cases or critical business needs. This process can be as structured as you need it to be to satisfy your internal organisation.
• Consolidate responses - Gather the key stakeholders and seek to build consensus around which vendors have the best ability to solve your problems.
• Narrow choices down to two vendors - Based on RFP scores or rankings, you should be able to eliminate all but two vendors, which can then be engaged for onsite presentation and risk assessment.
• Conduct pilot tests - Request pilots from both vendors, or from a single finalist as selected from onsite meetings.
• Select, negotiate, purchase - After pilot testing has concluded, take the results to the full selection team and begin negotiating with your top choice.
If you are a business manager who values the data you own, demand a DLP solution. If you lead IT security, make DLP a priority initiative for 2018.
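Step 1 says a DLP tool must discern the content of unstructured data, and Step 2 describes Discovery DLP as a scan that reports where sensitive data resides. The example below is added here to make that concrete; it is not code from the article or from Digital Guardian. It runs a discovery-style classification over a constructed in-memory corpus: card numbers are matched by pattern and then confirmed with a Luhn check so that look-alike digit strings are not reported, e-mail addresses are matched as PII, and intellectual property is recognised by a constructed list of marker phrases standing in for the training a real product would do on the organisation's own documents. File names, contents, markers and the restricted/confidential/public labels are all assumptions.

```python
import re

# Constructed sample corpus standing in for files found by a discovery scan
# (not from the article). Keys are file names, values are file contents.
DOCUMENTS = {
    "invoice.txt": "Card 4111 1111 1111 1111 exp 03/20, contact billing@example.com",
    "notes.txt": "Order ref 4111111111111112 shipped; no card details kept",
    "design.md": "Project Falcon design review: internal only, next milestone Q3",
    "newsletter.txt": "Read the latest news at example.com",
}

# Constructed phrases that mark the organisation's critical IP. A real
# deployment would be trained on its own documents instead of a fixed list.
IP_MARKERS = ("project falcon", "internal only")

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def luhn_ok(digits):
    """Luhn check: weeds out random digit strings that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return candidate card numbers (separators removed) that pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def classify(text):
    """Return findings for one document plus a label: restricted > confidential > public."""
    findings = {
        "pan": find_pans(text),
        "email": EMAIL_RE.findall(text),
        "ip": [marker for marker in IP_MARKERS if marker in text.lower()],
    }
    if findings["pan"] or findings["ip"]:
        findings["label"] = "restricted"
    elif findings["email"]:
        findings["label"] = "confidential"
    else:
        findings["label"] = "public"
    return findings


def scan(documents=DOCUMENTS):
    """Discovery pass: classify every document and return {name: findings}."""
    return {name: classify(body) for name, body in documents.items()}


if __name__ == "__main__":
    for name, result in scan().items():
        print(f"{name:16} {result['label']:12} pans={len(result['pan'])} "
              f"emails={len(result['email'])} ip={result['ip']}")
```

The Luhn step is what keeps notes.txt out of the report: its sixteen-digit order reference matches the card pattern but fails the checksum, which is the kind of false positive that erodes trust in a DLP rollout. The same classify function could sit behind an endpoint agent or a network inspector; only the source of the text changes.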



7 THINGS YOUR IT DISASTER RECOVERY PLAN SHOULD COVER Enterprise networks and data access can be knocked out without warning, thanks to natural and man-made disasters. You can’t stop them all from happening, of course, but with a good disaster recovery plan you can be better prepared for the unexpected.


Hurricanes. Tornadoes. Earthquakes. Fires. Floods. Terrorist attacks. Cyberattacks. You know any of these could happen to your business at any time. And you’ve probably got a disaster recovery (DR) plan in place to protect your enterprise’s data, employees and business. But how thorough is your DR plan? When was it last updated and tested? Have you taken into account new technologies and services that can make it easier to recover from disaster? The following are seven things your IT disaster recovery plan should include.

1. AN ANALYSIS OF ALL POTENTIAL THREATS AND POSSIBLE REACTIONS TO THEM

Your DR plan should take into account the complete spectrum of “potential interrupters” to your business, advises Phil Goodwin, research director of data protection, availability and recovery for research firm IDC. (IDC is part of IDG, which publishes CSO.)


You should then spell out a recovery plan for each scenario. For example, Goodwin says, “If there’s a cyberattack that shuts down servers in D.C., do you have a transition plan for that scenario?” Of course, not all scenarios are equally likely to occur. So as best you can, try to anticipate which potential disruptors are most probable. Sadly, cyberattacks are becoming “a more likely scenario” these days, Goodwin notes. So, you might want to give cyberattack planning precedence over some natural disruptors in your planning, he explains.

2. A BUSINESS IMPACT ANALYSIS (BIA)

To effectively determine DR priorities, put each major information system through a business impact analysis, recommends Mark Testoni, president and CEO, SAP National Security Services. A BIA “identifies and evaluates the potential effects (financial, life/safety, regulatory, legal/contractual, reputation and so forth) of natural and manmade events on business operations,” according to Gartner.

“Completing a BIA for major IT systems will allow for the identification of system priorities and dependencies,” notes Testoni. “This facilitates prioritising the systems and contributes to the development of recovery strategies and priorities for minimising loss. The BIA examines three security objectives: confidentiality, integrity, and availability.” Testoni adds that a BIA helps establish priorities for your disaster recovery, business continuity, and/or continuity of operations plans. “A standard approach to developing a comprehensive disaster recovery plan is to first develop the policy, then conduct the BIA,” he says. “After creating a prioritisation with the BIA, contingency strategies are developed and formalised in a contingency plan.”

3. PEOPLE

A common mistake many organisations make in their DR plans is being “too focused on technology and not enough on people and process,” Goodwin says. “IT is an enabler. Never forget you’re not just recovering data and servers.”



He recommends thinking about how to build a DR plan in the context of your entire organisation. “What behaviours will you need from your user community? What do they need to get up and running again after a disaster?” Also, identify by name the critical people charged with responding to a crisis, says John Iannarelli, a security consultant and speaker and former member of the FBI Cyber Division. Make sure you have their email, cell and home numbers. Make it clear who will be called in to work during a crisis. Know who you’ll call for help, such as law enforcement, and if possible, establish a relationship with authorities before a disaster strikes. And decide in advance who will speak for your company to the victims, clients and employees in the event of a disaster. “Know what you plan to say, how much you plan to reveal, and how you’ll reassure those who might be nervous of continuing business with your company,” he adds.

4. UPDATES

Another big mistake organisations make is not updating their disaster recovery plans after changes are made to their internal systems, such as major software updates, notes Mark Jaggers, a Gartner research director focused on IT infrastructure strategies. Your plan isn’t complete unless it takes into account all the technologies, systems and applications currently in use.

Plus, there may be new technologies or offerings that have come along since you made your DR plans. DR plans are based on assumptions about the processes and tools available at the time the plans are finalised. “But those assumptions can change significantly, as technology evolution is quicker than ever before and innovations spring from unlikely places,” notes Milind Kulkarni, VP of product management for network resilience company Veriflow. “Advances in computer science, predictive algorithms and the availability of huge compute capacity at a reasonable price-point allow the emergence of new approaches and solutions to guarantee IT systems’ resilience, uptime, availability and disaster recovery,” Kulkarni adds. For example, with services such as Amazon’s AWS Snowball, organisations can transfer petabytes of business data to a dedicated, secure appliance on site. Once the transfer is finished, you ship the appliance to the AWS center of your choice, where your data is transferred into the cloud. AWS Snowball and others like it give organisations innovative, affordable new ways to ensure data redundancy, Kulkarni says—which is a foundation of any DR plan.

5. PRIORITIES

“Identify what’s most important,” recommends Iannarelli. “Not everything in your business is worth saving or needs to be protected. Your proprietary information, of course, is. But any

info that is for public release is not as important. Think of it as if your house were on fire. What would you grab as you run out the door?”

6. REGULAR PRACTICE DRILLS

“Just having a DR plan isn’t enough,” warns Kulkarni. “The plan needs to be regularly tested, and people need to practice procedures, just like a school prepares its students for fire and emergency drills on a regular basis. If not regularly practiced, the plan is ineffective.”

7. A CONSIDERATION OF DRaaS

The growing practice of moving data operations into the cloud has helped give rise to disaster recovery as a service (DRaaS). These on-demand services from providers such as iland and IBM have made DR easier and more economical, which in turn is enabling more organisations to be better prepared for disasters, Goodwin says. When considering DRaaS, ask how the provider will test and validate recovery of your data and workflows, Goodwin advises, as some testing is more extensive than others.

DON’T WAIT

The biggest mistake most companies make is waiting until after a cyber-attack or disaster to figure out what to do next, says Iannarelli. “In my 20 plus years with the FBI, I’ve never seen anyone fired from a company because of a data breach. But I have seen many people fired for their failure to respond properly to a breach.”



ANATOMY OF AN ATTACK An intelligence report from Palo Alto Networks Unit 42 on cybercriminals using the Hancitor malware


Unit 42 has been tracking malicious spam (malspam) pushing Hancitor malware for the past two years. Hancitor, also known as Chanitor or Tordal, is macro-based malware spread through Microsoft Office documents distributed in malspam campaigns. Hancitor is designed to infect a victim’s Microsoft Windows computer with additional malware, and the end result is most often a banking Trojan. But the impact of Hancitor malspam is fairly limited. On a default-configured Windows 10 host, the malware is easily detected by Microsoft’s built-in Windows Defender anti-virus tool. Furthermore, many spam filters catch these emails before they get to their intended recipients. Who is Hancitor effective against? An ideal target would be someone running an outdated version of Windows, such as Windows 7, with anti-virus disabled. Such victims would also click through any warnings they encounter. Apparently, this target demographic is substantial enough that the criminals behind Hancitor malspam continue to push their emails on a frequent basis. While researchers have published many technical reports on Hancitor campaigns, their primary focus has been on the malware and its capabilities. But how does this type of attack with a limited base of victims remain profitable? Little has been published about how this campaign uses fraud accounts and the compromised infrastructure of legitimate businesses. Understanding the playbook used by these criminals is essential to understanding why they continue to operate. We continue to see several hundred examples of Hancitor malspam every month sent to a wide variety of recipients. The image below shows data extracted from our AutoFocus threat intelligence platform. It provides high-level visibility on how frequently we’ve seen Hancitor malspam so far in 2017. According to our AutoFocus data, we can infer that the criminals behind this campaign follow a 5-day work week from Monday through Friday. Spikes in the email activity often occur in the middle of the week. This reflects a general pattern of productivity seen with most people who follow the same type of schedule.

Campaign history

In previous years, Hancitor malware was delivered as email attachments in malspam campaigns. Microsoft Word documents from this malspam downloaded other malware like Pony, Vawtrak, and DELoader.

Hancitor campaign updates its playbook

In the past, criminals have successfully infected victims using email attachments, but email filtering has improved in recent years. Most current enterprise-level security solutions now include a sharp focus on email attachments and can easily detect malicious documents, ultimately impacting the success rate of the attackers’ campaigns. To further evade detection, since the end of 2016 the actors behind Hancitor have added another step to the infection process. Instead of email attachments, a link in the email points to distribution servers hosting these Hancitor-based documents. Malicious Hancitor documents are hosted on compromised web servers located in multiple regions globally, or they are hosted on fraud-based accounts at various hosting providers. After they establish distribution servers for a particular malspam run, the threat actors use botnet hosts to push malspam with a link to the Hancitor Word document. This malspam uses several different templates to impersonate legitimate businesses. These emails are often disguised as invoices, eFax messages, and UPS or FedEx delivery notifications, to name a few examples. If a victim clicks the embedded link, a Hancitor document is sent to the victim’s computer. Traditionally, the links from these emails include the victim’s email address as part of the URL, sometimes obfuscated using base64 or other encoding. This is likely an attempt by the Hancitor actors to track the victims who have successfully downloaded the malicious Hancitor sample. Two examples seen earlier this year are:
• hxxp://[distribution server domain name]/api/getn.php?id=[base64-encoded string representing recipient’s email address]
• hxxp://[distribution server domain name]/f.php?sik=[recipient’s email address in plain text]
While investigating the distribution server domains, we found an open directory hosting two text files: visitor.txt and block.txt. The visitor.txt file appears to track all downloads of Hancitor Word documents hosted on that server. The block.txt file appears to track IP addresses that should be blocked. Many IP addresses in the block.txt file resolved to Amazon AWS servers. We suspect this list may be used to block analysis on automated systems run by security vendors and researchers, by not serving content to IP addresses known to be analyzing malware. Since early October 2017, these distribution servers have usually been servers set up through fraudulent accounts at hosting providers.
In September through November 2017, links from Hancitor malspam occasionally resolved to these domain names without any additional text in the URL. Distribution server characteristics Given how actors behind Hancitor malspam leverage compromised servers,

we investigated the numbers and regions where these servers were compromised. The below heat map provides a high-level overview of the affected countries. The distribution servers seen throughout the year are located globally. While United States accounts for a large number of distribution servers, majority of the servers in the United States are from fraudulent accounts which are hosted at hosting providers. By contrast, the majority of the distribution servers in the rest of the countries are from compromised servers belonging to legitimate businesses. According to data from January to September 2017, the majority of compromised domains used for Hancitor-based infections are located in the Asian region. Most compromised servers belong to local businesses in each country. While no specific region appears more vulnerable than others, the domains we’ve seen so far in 2017 imply that organizations in Asia, especially small and medium sized businesses may be running vulnerable services likely to be exploited by the Hancitor campaign to host associated malware. As of December 2017, Hancitor Word documents have most commonly been distributed through fraudulent accounts at hosting providers. However, during post-infection activity, Hancitor downloads additional malware from additional distribution servers. These post-infection distribution servers are also legitimate websites that have been compromised by this campaign, and this characteristic of Hancitor-based infection traffic has been consistent since we started tracking Hancitor.

Recent developments The Hancitor campaign is still evolving. Unit 42 researcher Brad Duncan recently discussed a wave of Hancitor malspam on October 16th 2017, where Word documents from the distribution servers used the DDE attack method. In this case, Hancitor was completely separated from the Word document and downloaded as a separate malware binary. This added another distribution server in the infection chain of events. The DDE attack method spread to other actors for mass-distribution of malware through email. However, by November 2017, Hancitor resumed using macros in Word documents. Conclusion A key factor to this campaign’s longevity the abuse of hosting providers, a situation we have previously reported. Another key factor is the availability of vulnerable servers world-wide that criminals can compromise to host their malware. These are primary components in the Hancitor malspam playbook. As discussed in this blog post, we’ve seen an evolution in their playbook as criminals behind this campaign have fine-tuned their malware distribution techniques. Despite a somewhat limited target base of victims who disregard best security practices an run older versions of Microsoft Windows, the Hancitor campaign has remained active so far in 2017 with no extended absences. This indicates the campaign’s current playbook remains cost-effective. We continue to keep a close track of this activity for further developments. Palo Alto Networks customers are protected from this threat through our nextgeneration security platform.
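The two tracking-URL shapes described in the article (getn.php?id= carrying a base64-encoded recipient address, and f.php?sik= carrying it in plain text) give a defender a way to tell, from web proxy logs, which recipients actually followed a Hancitor link. The following Python is an added example, not Unit 42 or Palo Alto Networks code; the log-line format, host names and addresses are constructed for illustration.

```python
"""Recover targeted recipients from Hancitor-style download URLs in proxy logs.

Added example, not Unit 42 / Palo Alto Networks code.  The log format
('<timestamp> <client_ip> <method> <url> <status>') and all host names and
addresses below are constructed for illustration.
"""
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Path -> query parameter carrying the recipient, as described in the article.
TRACKED_PARAMS = {"/api/getn.php": "id", "/f.php": "sik"}

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


@dataclass
class Hit:
    client_ip: str   # internal host that fetched the document
    url: str
    recipient: str   # e-mail address recovered from the URL
    encoding: str    # "plain" or "base64"


def decode_recipient(value: str) -> Optional[Tuple[str, str]]:
    """Return (email, encoding) if value is a plain or base64-encoded address."""
    if EMAIL_RE.match(value):
        return value, "plain"
    # Accept the URL-safe alphabet and missing '=' padding before decoding.
    padded = value.replace("-", "+").replace("_", "/")
    padded += "=" * (-len(padded) % 4)
    try:
        decoded = base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if EMAIL_RE.match(decoded):
        return decoded, "base64"
    return None   # decodes, but not to an address: not the tracking pattern


def inspect_url(url: str) -> Optional[Tuple[str, str]]:
    """Match the two known path/parameter pairs and recover the recipient."""
    parts = urlsplit(url)
    param = TRACKED_PARAMS.get(parts.path)
    if param is None:
        return None
    values = parse_qs(parts.query).get(param)
    if not values:
        return None
    return decode_recipient(values[0])


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Return one Hit per log line whose URL carries a recipient address."""
    hits: List[Hit] = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue   # malformed line; skip rather than guess
        client_ip, url = fields[1], fields[3]
        found = inspect_url(url)
        if found is not None:
            hits.append(Hit(client_ip, url, found[0], found[1]))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2017-10-16T09:12:01Z 10.0.0.5 GET http://distribution.example/api/getn.php?id=dXNlckBleGFtcGxlLmNvbQ%3D%3D 200",
    "2017-10-16T09:12:07Z 10.0.0.9 GET http://distribution.example/f.php?sik=finance@example.org 200",
    "2017-10-16T09:13:44Z 10.0.0.5 GET http://intranet.example/api/getn.php?id=notbase64!! 404",
    "2017-10-16T09:14:02Z 10.0.0.12 GET http://cdn.example/f.php?sik=abc 200",
    "2017-10-16T09:15:00Z 10.0.0.7 GET http://www.example.com/index.html 200",
]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(f"{hit.client_ip} fetched a Hancitor-style document; "
              f"targeted recipient {hit.recipient} ({hit.encoding})")
```

The recovered address tells the responder which mailbox received the lure, which is usually not the same thing as the user of the client IP; both are worth recording in the incident ticket.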

Figure 7: Hancitor distribution servers globally thus far in 2017

03.2018



GETTING A HANDLE ON DATA Michel Nader, Regional Director, Data Protection Solutions, Middle East, Turkey and Africa (META Region), Dell EMC, shares insights on the critical strategies needed for protecting data.


Last year, we saw a spate of ransomware attacks globally. Do you see this continuing in 2018? What do you think is still lacking among enterprises today that makes them vulnerable to such attacks?

Workforces today are more global and mobile than ever before. Hence, a growing number of connected devices are being added to the attack surface every minute. On the other hand, the threat landscape is also continually evolving, with cybercriminals finding new and improved ways, such as botnets, Trojans, adware, and ransomware, to bypass traditional security measures and avoid detection. Whether it’s an individual, small business or a large enterprise, no one in the region is immune to a cyberattack. While the sophistication of threats rapidly


increases, security teams struggle to explain and quantify the business implications of security incidents. Threats evolve quickly and it is imperative that organisations implement a multi-faceted security approach that can effectively stop evolving threats. While there is no silver bullet for complete endpoint and data security protection, there are comprehensive solutions available today that can significantly help protect against threats and keep critical data secure. With these challenges continuing to impact our customers, Dell is more committed than ever to playing a significant role in creating a new paradigm for the industry. Many organisations understand the need to minimise their business risk by protecting their information where it is stored but not when shared or used, which opens the door to the risk of disastrous and expensive breaches. To this end, we believe that it’s imperative that organisations design their security programme to implement a combination of solutions that address security awareness, enablement and protection among the workforce. If companies are going to keep their critical assets truly safe amid an ever-evolving threat landscape, they need clear protocols in place that are backed by a realistic understanding of employees’ day-to-day responsibilities, as well as technology that protects sensitive data wherever it goes – whether at rest, in motion or in use.

How can organisations ensure end-to-end protection and rapid recovery of data from on-premises to the private and public cloud? How can Dell EMC help organisations in this aspect?

Data is the lifeblood of any company, no matter the size of the industry. And as


the workforce evolves, data is being used everywhere, at all times, which leaves it vulnerable to new risks. Organisations need to bolster security strategies by investing in technologies that help integrate security components in all devices, products and applications to safeguard this important company asset. Cloud protection needs to be an important part of any strategy. As more and more enterprises move their IT functions to the cloud, data backup and disaster recovery are #1 and #3 in a list of the top uses for cloud-based infrastructure-as-a-service (IaaS), according to a survey of IT professionals conducted by ESG Research. Whether applications are on-premises, extending to the cloud, have been moved to the cloud, or are born in the cloud, they require the same level of protection. Irrespective of where the data lives, Dell EMC’s data protection capabilities address both traditional and emerging workloads in the cloud. Our cloud protection solutions cover disaster recovery to the cloud, expanded support for long-term retention in the cloud and seamless and efficient backup of applications in the cloud. Dell EMC Protection Software offers unified data protection for the enterprise that centralises, automates, and accelerates backup and recovery across the entire IT environment. It includes a data protection-optimised cloud storage appliance with support that spans across on-premises, hybrid, and in-cloud environments. Over the past year, we’ve invested heavily in developing superior security solutions which protect critical business data wherever it travels, while also securing individual endpoints from today’s sophisticated threat landscape. From encryption and endpoint threat prevention to user authentication and compliance reporting, we are committed to delivering best-of-breed


security solutions to unlock the speed, agility and innovation of today’s mobile workforce. There is often a disconnect or misunderstanding when it comes to data recovery and backup strategies. How can this be addressed? Cyber-attacks have become a common occurrence. Reports of companies that have experienced IT infrastructure security breaches are on the rise. Beyond the exposure of sensitive or confidential information, there is growing concern that these hacks can also lead to the destruction of business critical systems. The business impact of not being able to recover can be devastating and in some cases lead to bankruptcy. To mitigate the risk of hostile attacks, companies need to develop strategies to deal with this threat. Destroying backup infrastructure is an emerging trend, because hackers think that neutering the backup system increases the likelihood of payment. Any system that is connected to the network is a potential target, including the backup system. Because cyber-attacks are becoming more sophisticated and devastating, organisations are considering new recovery strategies that represent the “last line of defense” for the lifeline of the organisation. Many are considering isolated environments

that host business critical data that is sequestered from the production network. In fact, recent regulatory guidance and government warnings emphasise that backup and recovery are key components of a good cyber security strategy, preferably with a backup or recovery infrastructure that is segregated from other systems. While tape backups can provide this level of isolation, recovery takes too long and involves too much risk when daily revenue or mission-critical applications are at stake.

How can regulations such as GDPR impact regional firms? Do you see Middle East governments implementing similar mandates?

GDPR may sound like another exhaustive red-tape practice, but regardless, data privacy and protection should concern all organisations. According to a Deloitte study, 80% of consumers ‘somewhat to strongly agree’ with the statement that they are more likely to buy a product from companies which they believe protect personal data. In that sense, data protection is no longer just a risk management issue, but has also become a business consideration. For certain organisations, guaranteeing their customers’ data privacy will even be the new unique selling point (USP).




Security Advisor ME’s CISO 30 Awards and Conference to spotlight projects that have demonstrated security innovation and business value

Businesses continue to transform themselves in the digital economy and face a myriad of risks across a rapidly changing threat landscape. How do you proactively find and deploy new security technologies to minimise threats and risks to your organisation? To be held on 27th March, Security Advisor ME’s inaugural CISO 30 Conference will rally together leading security thought leaders from the region to demonstrate how forward-thinking organisations are embracing today’s challenges and preparing for the future with security innovation. The conference is a premier event that will draw 100-plus security decision makers, providing them with a platform to exchange ideas and best practices related to enterprise security, physical security and risk management with peers. The conference will feature two roundtable discussions around cloud and IoT security, and defense strategies for the digital world. This will be followed by a panel discussion on building a cyber-aware workforce. The conference will conclude with an awards ceremony to celebrate the achievements of the top 30 security leaders in the Middle East, who have fostered innovation and demonstrated thought leadership in their enterprises. We encourage nominations on a range of security topics. To be selected, nominations must not only show that the nominee organisation has executed its project well, but that it has done so in uncommon, innovative ways: pioneering a new technology, applying a familiar technology to a new purpose, or setting the bar higher for the organisation’s security objectives. And they must demonstrate business value, not just the benefits of better security and risk management programmes. The CISO 30 Awards are open to entries from internal business, security and PR stakeholders as well as vendors and their PR companies who are nominating customers. However, if you are a third party creating a nomination, you must agree to notify the nominated organisation before submitting the nomination. There is no cost to nominate. CISOs can nominate multiple projects or initiatives for a single company for consideration. Working with judges including security experts, academics and CISOs, the Security Advisor ME editorial team will select the CISO 30 honourees based on information submitted in the online nomination form.




TELLING YOUR VALUE STORY Security leaders must understand metrics as critical tools to explain how security services support the organisation and its strategic objectives, writes Gary Hayslip, global CISO, Webroot.


Today, we witness an increasing number of cyber incidents across all industry domains. Boards of directors and senior management are educating themselves on their organisation’s risk exposure to these cyber-related issues. Boards are also seeking a better understanding of the potential for cybersecurity initiatives to enhance their company’s strategic operations. Many board members have questions for their security staff such as, “How secure are we from a particular threat?” or “Can you promise me we won’t be the next [hacked company]?” Security professionals need to be able to answer these questions and help board members understand that cybersecurity does not control the threat landscape facing the company. Instead, the purpose of a mature cybersecurity programme is to provide the business with a platform to manage its risk environment.


A company’s senior management is often responsible for the development of a clear, concise strategy to address threats and vulnerabilities to cyberattacks. The chief information security officer (CISO) is expected to have technologies and security controls in place that reduce the organisation’s risk, as well as processes to monitor the effectiveness of the security programme. It is standard best practice to use a risk management framework, such as NIST CSF, ISO 27001 or COBIT 5, as a platform to establish the current risk baseline. With this platform, selected metrics are chosen as real-time measuring devices to provide visibility into the value being provided to the company. Security leaders must understand and embrace metrics as critical tools to tell their story about value. There is no specific template for what should be measured with metrics; every company’s business environment is different. I would recommend, however, that metrics be reported to senior leadership in the guise of a narrative, using the metrics to explain how the security services support the organisation and its strategic objectives. Some primary considerations for creating this story with metrics are as follows:

• What is its purpose? Metrics should support a business goal. Connecting metrics to the business will help to prioritise resources more efficiently.
• Is it controllable? For metrics to have worth, they must demonstrate that specific goals are being met. So, metrics should measure processes and outcomes that the team controls.
• What is the context? Don’t take the results of a security tool and call it a metric; it must have meaning. Ask questions such as, “Why are we collecting it? What story does it tell?”
• Is there an understanding of what “good” is? Know the target value you want to achieve and the actions you want to take based on that amount.
• Is it quantitative? A quantitative value can be compared and demonstrate trends.
• How trustworthy is your data? The data used to create a metric should have a high level of accuracy, precision, reliability or
• Is it easy to process and analyse? The data should be collected, processed and posted to a central collection point. It should not take a long time to prepare and report your metrics. For example, if metrics are used in a weekly report, it should take two to three days to collect, process and post the received

The above recommendations help security leaders identify data and services to build the metrics they need. It is important to remember that the business environment will influence what data is collected to form these metrics. These metrics will also be dependent on the technologies deployed as part of the security platform, the security controls and the contracts for security services provided to the company. A good example of a performance-based metric is “Reduce desktop remediation time from 6 hours to 4 hours by <date>”. Another metric could measure the number of servers needing critical patches: “Improve the number of fully patched servers from <current %> to 90% by <date>”. What is important with both examples is that you have a specific action you want to measure, you have something to measure it against and you have a timeframe to show success. The above examples are measurements that would be collected and imported into a data portal or dashboard to be analysed and monitored for trends. Now let’s look at an example of how metrics can be used to provide insight into how well an organisation’s security programme is performing. A CISO may collect a metric to track the number of compromised desktops each month, but that in itself provides little value to the business. If that CISO had requested to invest part of their security budget in a new AV/EDR solution, how would he/she measure the value this solution provides the business and its effectiveness in reducing risk? One way would be to estimate the cost of a compromised desktop. An infected desktop is removed, reimaged and the employee’s data recovered from the previous night’s backup. This process is equivalent to five hours of labor from the IT technician and five hours of lost productivity from the affected employee. Combined, this costs the business $225 per infected desktop, and currently, the organisation is averaging 45 infected assets per month, which is equal to $10,125 per month or an annual cost to the business of $121,500 in lost productivity. With the new AV/EDR solution installed, the number of infected desktops per month is reduced by 60 percent over time. This reduction in the number of infected assets and the savings to the business in lost productivity is a metric the CISO can use to tell their story of the value the company receives from the recent investment in this new technology. Security leaders will experience scrutiny from their organisation on the services provided by the security programme. To adequately answer these requests, make sure to continually balance the efficiency and effectiveness of the security controls by understanding the metrics and data that are collected. Two helpful sources to assist in creating metrics come from SANS and the Center for Internet Security. Remember, metrics are an opportunity to tell a story about the value security professionals provide to the business and how a mature security programme is a risk-reduction, business-enablement platform.



STRIKING THE RIGHT BALANCE Gerry Gebel, vice-president, Business Development, Axiomatics, discusses why everyone is a consumer with Consumer Identity and Access Management (CIAM).

Competitive forces and market dynamics in many industries have led more organisations to focus on digital transformation projects to modernise their applications. A key driver for these projects is improving customer experience. To be successful, organisations must provide a stellar experience at each juncture of the customer journey to gain a competitive advantage. Customers always have a choice to leave for a competitor if their experience isn’t up to expectations. To optimise the customer experience, organisations must rely on data analysis to identify customer patterns, trends and behavior to identify, attract and retain customers.

The power of consumer choice

In competitive markets, consumers can easily switch to a competitor’s offering if they are frustrated with or unable to navigate through the buying process. Many kinds of obstacles may derail the consumer, such as:

• Too many steps in the registration process
• Preferences are not saved across login sessions
• Forcing multiple login steps across different product lines or services
• Mobile and desktop browser experiences are completely different, leading to confusion
• Presenting upsell or cross-sell choices that are irrelevant to the current online experience

Of course, a positive or negative customer experience is considerably based on the design and flow of the application, whether mobile or desktop browser. In addition, profile data and usage patterns are key inputs into application behaviour, which can be based on an individual’s data or aggregated data patterns. However, meaningful data analysis requires access to personal and confidential customer information, potentially leaving organisations at risk of mishandling that data and exposing it via a breach or unauthorised access. Customers care deeply about the security and privacy of their personal data, and organisations that fail to protect this sensitive data will lose customers and revenue, and may even face regulatory fines. High-profile data breaches continue to expose massive amounts of consumer data. With the impact of 2017 breaches like Equifax and Uber, there is both awareness and rising public concern over data privacy; where security was an afterthought, it is now taking center stage.

Consumer Identity and Access Management (CIAM) to the rescue

The consequences of a data breach are immediate to a company’s reputation, share value and customer loyalty. Most organisations implement an Identity and Access Management (IAM) solution for employees to protect themselves against insider threats, but these are less effective for managing customer identities. IAM solutions often lack the functions that balance the trifecta of customer convenience, security and privacy; they’re simply too limited to handle the scale, performance


and often complex customer-centric needs. However, progressive Customer Identity and Access Management (CIAM) solutions strike that balance of protecting customer information while enhancing the customer experience, without sacrificing one for the other. CIAM allows organisations to securely capture and manage customer identity profile data while also controlling customer access to applications and services. A CIAM solution provides a multitude of features like customer registration, self-service account management, consent and preference management, single sign-on (SSO) and multi-factor authentication (MFA). These features deliver a flawless customer experience while minimising the chance of a security breach. Here’s how:

Improve the customer experience

The goal is to make everything simpler for the customer. Forcing customers to provide their credentials over and over for each application can get annoying, and sometimes the customer will just leave the application altogether. And now it’s more than only web applications that require user credentials; there are also mobile applications, IoT, partner applications and many other channels. With CIAM, customers can use single sign-on (SSO) from one application to another, reducing user frustration. For example, customers are much more likely to use certain applications if they offer Google or Facebook authentication instead of their own. This delivers a more seamless customer experience as customers can quickly sign into websites with one SSO.

Secure customer data

Businesses need to make sure only authorised users attempt any given action (e.g., transferring money from checking to savings). Often, security is viewed as an inhibitor and a hurdle to business, but it can actually be a key differentiator over your competitors. CIAM solutions manage the customer’s preferences and other important metadata that can be leveraged by Attribute-Based Access Control (ABAC) systems to enforce security policies on PII and other regulated data.

Ensure data privacy

With CIAM, knowing what data is being held and shared, and for what purpose, becomes fundamental. The constant stream of data breaches is beginning to raise consumer awareness about who is tracking their data, where it is stored/aggregated and who it is being shared with. In Europe, the GDPR legislation enumerates specific requirements for customer data collection, retention, use and so on. CIAM systems can be a key component in managing this preference data. CIAM encompasses all these capabilities to assist organisations in delivering the right balance between a seamless customer experience and security and privacy. CIAM is essential to help organisations turn their customer relationships into a true competitive advantage.
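As an added illustration of the CIAM-plus-ABAC pairing described above (this is not Axiomatics code or any product’s API), the following Python evaluates an access request against attributes of the requester, the data category and, crucially, the purposes the customer consented to in the preference store; the role names, data categories and purposes are assumed for illustration.

```python
"""Consent-aware ABAC check over customer profile data.

Added example, not Axiomatics code or a real CIAM product API.  The attribute
names (roles, data categories, purposes) are assumed for illustration; the
point is that the purpose a customer consented to is an attribute the policy
evaluates, alongside who is asking and how sensitive the data is.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

REGULATED_CATEGORIES = {"pii", "payment"}   # assumed labels for regulated data


@dataclass(frozen=True)
class Subject:
    subject_id: str
    roles: FrozenSet[str]
    customer_id: str = ""          # non-empty when the subject is a customer


@dataclass(frozen=True)
class Resource:
    owner_customer_id: str
    category: str                  # "profile", "pii" or "payment"
    consented_purposes: FrozenSet[str]   # from the CIAM preference store


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    action: str                    # "read", "update" or "share"
    resource: Resource
    purpose: str                   # why the data is needed, e.g. "service"


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Deny-overrides evaluation: any failing rule denies; reasons explain why."""
    subj, res = req.subject, req.resource
    is_owner = bool(subj.customer_id) and subj.customer_id == res.owner_customer_id

    # Rule 1: customers may read or update their own data for any purpose
    # (self-service account management).
    if is_owner and req.action in {"read", "update"}:
        return True, ["owner self-service"]

    reasons: List[str] = []
    # Rule 2 (purpose limitation): a non-owner may only use the data for a
    # purpose the customer has consented to.
    if req.purpose not in res.consented_purposes:
        reasons.append(f"no consent recorded for purpose '{req.purpose}'")
    # Rule 3: regulated categories additionally require a steward role.
    if res.category in REGULATED_CATEGORIES and "data_steward" not in subj.roles:
        reasons.append(f"role 'data_steward' required for category '{res.category}'")
    # Rule 4: sharing with a third party requires the privacy officer role.
    if req.action == "share" and "privacy_officer" not in subj.roles:
        reasons.append("role 'privacy_officer' required to share customer data")

    if reasons:
        return False, reasons
    return True, ["all attribute rules satisfied"]


def demo_decisions() -> Dict[str, bool]:
    """Constructed scenarios; returns scenario name -> permit decision."""
    alice = Subject("alice", frozenset(), customer_id="C-100")
    agent = Subject("bob", frozenset({"support", "data_steward"}))
    marketer = Subject("mia", frozenset({"marketing"}))
    profile = Resource("C-100", "profile", frozenset({"service"}))
    pii = Resource("C-100", "pii", frozenset({"service", "marketing"}))
    scenarios = {
        "customer reads own PII": AccessRequest(alice, "read", pii, "service"),
        "support agent reads PII to service a ticket": AccessRequest(agent, "read", pii, "service"),
        "marketer reads profile without marketing consent": AccessRequest(marketer, "read", profile, "marketing"),
        "marketer reads PII with consent but no steward role": AccessRequest(marketer, "read", pii, "marketing"),
        "support agent shares PII with a partner": AccessRequest(agent, "share", pii, "service"),
    }
    return {name: evaluate(req)[0] for name, req in scenarios.items()}


if __name__ == "__main__":
    for name, permitted in demo_decisions().items():
        print(f"{'PERMIT' if permitted else 'DENY  '} {name}")
```

Returning the list of failed rules, not just a boolean, is what makes such a decision auditable against GDPR-style purpose-limitation questions later.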



UNDER A WATCHFUL EYE Norden, which has made its mark in the physical network infrastructure market, has recently forayed into the surveillance industry with its latest range of surveillance cameras called Eyenor. Joseph John, GM, Norden, discusses the trends driving the physical security market.

What are some of the key physical security trends you are seeing in the market?

Factors such as increasing expenditure on the security of critical infrastructure by organisations, adoption of Internet of Things (IoT) and cloud-based data storage, and technological developments in video surveillance are expected to contribute to the physical security market’s rapid growth. The shifting focus from traditional solutions such as intrusion alarm systems, badge readers and door locks to logical security, which includes threat management, breach detection and intrusion prevention, among others, is helping to deter breach and crime incidence at a higher rate. Over the past few years, leading industries and sectors such as transportation, commercial, and banking and finance, among others, have witnessed a steady increase in the number of physical incidents and breaches. The physical security of an environment continues to evolve globally. Rising threat incidents have accentuated the need to reinvigorate efforts towards maintaining a high physical safety infrastructure for business as well as residential premises. Vendors are trying to avoid competing solely on price, so they are loading their cameras with features. Higher resolution is one thing; wide dynamic range, advanced low-light performance and analytics are also certainly hot topics now. Demand for 4K cameras is increasing, but the standard now is really 1080p and, certainly, what most companies are looking to take from network cameras. Since these cameras are traditionally recording 24 hours a day, that means VARs must also meet a storage demand of on average 45 GB of storage per day for a 1080p recording at 15 frames per second (FPS). That’s four times the storage and bandwidth of an HD camera. 4K is useless without smart compression because it generates too much data. The high resolution gives us


the possibility to have more information, valuable information in the image, and it drives the compression and storage needs, and the best thing is to have them working together. Recording at the camera level with high-capacity SD cards adds to the network redundancy over the network storage redundancy.

Is the surveillance camera market moving from analogue to IP now?

One of the great benefits of the IP system is the cloud-based aspect. With this, the authorised person can see what is going on at the required place from anywhere in the world. CCTV surveillance is being replaced with IP video surveillance because of various benefits offered by IP networks. The shift from analogue to IP has led organisations to spend on technologies that add scalable security surveillance solutions to their organisation’s physical security. An IP network can carry not only the video traffic, but also the power for the IP cameras via power-over-Ethernet (PoE) technology. To remain relevant and competitive, businesses must embrace the Internet of Things (IoT). However, there also needs to be more of an onus on IoT manufacturers to ensure the safety of the equipment they sell to businesses. To help comply with the General Data Protection Regulation (GDPR), the latest cloud-based technology could be used to record, transmit and store data securely, to enable the right people to view pertinent data as and when they need it, and to automatically delete data as soon as it is no longer required. Such systems can also be configured to record CCTV data only when needed and also have all the required security and encryption necessary to protect data and verifiable audit logs to prove that data was handled, transmitted, viewed and deleted appropriately.

Why has a cable manufacturer like Norden forayed into security market? We are a reputed brand in the market for structured cabling and ELV cabling system. Over the years, we have gained good market share offering quality products that meet our customer expectations and offer consistent performance. With new technology advances taking place in fields like Digital building and Internet of things (IoT) there is an increasing requirement for seamless integration of various systems within buildings, campus and cities. Norden will diversify and add new systems to cater to the growing market requirement for interoperating systems in the new scenario by providing consistent and quality products. EyeNor surveillance systems and NVS public address systems are new diversified product ranges. Norden strives to provide end to

end solutions, which is why we are investing more in our R&D and production facilities, developing new product ranges and innovative new solutions. Security systems is key element in this expansion plan that is critical in the changing physical security environment requirements. Our product diversification will be an added value to our existing portfolio and our customers. Are you offering both IP and analogue surveillance cameras? Can you tell us about your product range? EyeNor surveillance system from Norden offers a UHD (Ultra High Definition Cameras) to have a clear view of the critical areas. EyeNor offers both IP and analogue surveillance cameras with minimum 2MP HD to 24MP HD resolutions. EyeNor range boasts of all types of dome and bullet cameras along with corrosion proof to thermal imaging cameras. Norden tech experts will research and design the best solution for customer requirements. Our recently developed IP67 series of cameras and thermal cameras with special temperature detection algorithm are ahead of the technology in the field of analytics and detection technologies. What differentiates Norden from competitors? Norden has a value optimised and customer centric solution approach, extended research to suit geo graphic specific requirements. Our industry knowledge of many decades makes us to come up with innovations that meet expectations of our customers. Our end to end solution for the networking infrastructure and surveillance makes us responsible for delivering best performance. 03.2018



Brand: Axis Communications Product: AXIS P1280-E and AXIS P1290

In launching the first thermal cameras in its P-line, Axis Communications aims to introduce the benefits of thermal imaging to a broader range of customers and environments. The AXIS P1280-E Thermal Network Camera is an indoor/outdoor camera with a flexible form factor that allows the thermal sensor unit to be placed in locations with limited space. The devices are also designed to utilise a wide range of mounting accessories for wall, ceiling or recessed installations. Meanwhile, the AXIS P1290 Thermal Network Camera is an indoor camera protected in a dome casing for discretion. According to Axis, the new cameras deliver thermal imaging capabilities to small and mid-size systems with budget limitations, such as schools, care environments and independent retailers, allowing for intrusion detection and incident identification without compromising individuals’ identities.

What you should know: The devices also have built-in analytics, such as AXIS Video Motion Detection, which can send an alert when it detects motion from moving objects within a predefined area. The cameras also support the AXIS Camera Application Platform, which is compatible with a broad range of third-party applications.

Brand: Panasonic Product: i-PRO Extreme PTZ Camera

Panasonic has launched the new H.265-compatible outdoor PTZ camera, the WV-X6531NS, featuring high-quality Full HD video resolution with outstanding low-light sensitivity of 0.015 lx. This new heavy-salt-damage-resistant camera is a new addition to Panasonic’s i-PRO Extreme X-series PTZ (Pan/Tilt/Zoom) cameras. The WV-X6531NS comes complete with optional Vehicle Incident Detection analytics, while offering full 360° continuous panning and an ultra-long 40x optical zoom lens with an integrated gyro-sensor; together with the new PTZ, it provides Intelligent Zoom Stabilisation (IZS), which produces remarkably stable images even at longer zoom distances. A highly durable mechanical design ensures a superior-quality surveillance solution for outdoor applications in the new X-Series.

What you should know: The camera’s ultra-long 40x high-power zoom lens covers 1.3x the distance of standard models, allowing a single camera to be installed at up to one-mile intervals. Its ClearSight Dome coating prevents raindrops and dust from collecting on the dome surface, keeping surveillance viewing clean and clear and reducing the field maintenance costs inherent with conventional domes.

Brand: Honeywell Product: CCS R200

Honeywell’s CCS R200 combines intelligent automation, advanced analytics and data visualization with the contemporary user experience of consumer home and mobile electronics, bringing simple, intuitive displays to building operations to enhance facility and security management in an easy-to-understand manner for building operators in the region. CCS R200 has two core operational interfaces, the Command Station and the Command Console. The Command Station is a single-window, single-monitor interface designed for a desktop PC, laptop or Windows tablet. It is often ideal for facility technicians, security guards and management, as well as for casual use by occupants. Meanwhile, the Command Console is a premium multi-window, multi-monitor interface designed for engineers, control-room operators, building managers and others who need to view insights from multiple systems and areas of a building simultaneously. It seamlessly integrates with Honeywell’s Digital Video Manager console to access and provide a view of video footage and corresponding data for improved operational decision-making.

What you should know: In addition to the new interfaces, CCS R200 includes enhancements to the original system’s Incident Workflow feature, which guides users through scripted responses to security incidents and other emergencies. The enhancements include map visualization to clearly locate an incident, such as a fire alarm going off, and quickly identify its exact location.


WHY WE NEED MDR IN 2018 By Sachin Varghese, EVP Americas and CMO at Paladion


In 2018, your network will most likely be breached. In previous years, we would not have been able to say this. Network perimeters were limited and securable. Attacks were relatively uniform and predictable. And attack volume was low enough to be stopped with heavy investment in legacy SIEM systems.

Those days are gone. The enterprise now runs on cloud, mobile and IoT. By 2020, there will be 50 billion connected devices. 99% of these computing devices are vulnerable to cyberattacks. The enterprise security perimeter has dissolved. At the same time, attackers have learned to take advantage of the new, complex and permeable enterprise. They take advantage of your moments of peak network traffic to hide their attacks. They have evolved fast, sophisticated, multichannel attacks. They now deploy complex, unknown attack patterns, and the identity of the attackers themselves often remains unknown until it’s far too late.

The result: data breaches are increasing at an alarming rate. They are now inevitable. Attackers know this. They have let go of “smash and grab” approaches to cybercrime, and now focus on seeding your systems with Advanced Persistent Threats that take months to secretly find their target and inflict their harm. They now assume they will breach your systems and be able to hide in your network for as long as it takes to complete their mission. And if you hold on to legacy approaches to cybersecurity in 2018, your attackers will be right to make this assumption.

Organisations and cybersecurity experts are waking up to this reality, and shifting their focus away from prevention and towards Managed Detection and Response (MDR) services. IBM predicts 2018 will be the first year a major company will respond appropriately after suffering a significant breach. At the same time, Gartner argues detection and response capabilities will “drive a majority of security market growth” through 2022.

MDR services assume a breach will happen, and answer the question “How do we act quickly to prevent a breach from becoming catastrophic?” MDR services continuously monitor your systems to find breaches in real time. They then quickly shift to respond in near real time. While MDR services do focus on what happens after a breach occurs, they do not ignore threat prevention entirely. A mature MDR program provides full “left-to-right of the hack” protection, the Paladion approach, including the following services:

• Threat Anticipation: Continuously reviews the global threat landscape to identify the most likely threats and protect your systems from them.
• Threat Hunting: Deploys data science and machine learning models to proactively uncover known and unknown threats in your networks.
• Security Monitoring: Applies real-time rules to logs and security events to detect known attacks and compliance violations.
• Incident Analysis: Triages alerts to focus on evaluating your most relevant threats, and queues up a response in the case of security incidents.
• Incident Response: Executes rapid, coordinated containment, eradication and recovery from major incidents.
• Breach Management: Leverages human experts and machine learning to derive lessons from the breach and strengthen your systems against similar future attacks.
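To make the Security Monitoring and Incident Analysis services above concrete, here is an added example (not code from the article or from Paladion) of what "real-time rules over logs" and "triaging alerts" look like at their smallest: a streaming rule engine that reads constructed authentication log lines, fires one attack rule (repeated failures from a source, then a success) and one compliance rule (a privileged login outside business hours), and then ranks the alerts by severity so the most relevant one is examined first. The log format, hostnames, users, addresses, the `ADMIN_USERS` list and the thresholds are all constructed for the illustration.

```python
"""Added example: rule-based security monitoring over constructed log lines,
followed by a triage step. Not from the article or Paladion; every host, user,
address, log line and threshold below is made up for illustration."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (syslog-like key=value format, not real data).
# The last line is deliberately malformed to show that unparseable input is
# counted and reported rather than crashing the monitor.
SAMPLE_LOGS = """\
2018-03-01T09:00:01 host=web01 user=alice src=10.0.0.5 result=FAIL
2018-03-01T09:00:03 host=web01 user=alice src=10.0.0.5 result=FAIL
2018-03-01T09:00:04 host=web01 user=alice src=10.0.0.5 result=FAIL
2018-03-01T09:00:06 host=web01 user=alice src=10.0.0.5 result=FAIL
2018-03-01T09:00:09 host=web01 user=alice src=10.0.0.5 result=FAIL
2018-03-01T09:00:12 host=web01 user=alice src=10.0.0.5 result=OK
2018-03-01T09:05:00 host=web01 user=bob src=10.0.0.7 result=FAIL
2018-03-01T09:05:10 host=web01 user=bob src=10.0.0.7 result=OK
2018-03-02T02:15:00 host=db01 user=svc_admin src=10.0.0.9 result=OK
this line is not in the expected format
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)
# Hypothetical privileged accounts whose logins are restricted by policy to
# business hours (07:00-19:00): the compliance rule, not an attack rule.
ADMIN_USERS = {"svc_admin"}
SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

@dataclass(frozen=True)
class Event:
    ts: datetime; host: str; user: str; src: str; result: str

@dataclass(frozen=True)
class Alert:
    severity: int; rule: str; src: str; detail: str  # numeric severity for sorting

def parse_line(line):
    """Return an Event for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"], m["result"])

class Monitor:
    """Streaming rule engine: feed events in time order, get alerts as they fire."""
    def __init__(self, fail_threshold=5, window=timedelta(seconds=60)):
        self.fail_threshold = fail_threshold
        self.window = window
        self.failures = defaultdict(deque)  # src -> timestamps of recent FAILs
        self.flagged = set()                # srcs currently in brute-force state

    def feed(self, ev):
        alerts = []
        recent = self.failures[ev.src]
        # Slide the window: drop failures older than `window` relative to this event.
        while recent and ev.ts - recent[0] > self.window:
            recent.popleft()
        if not recent:
            self.flagged.discard(ev.src)  # quiet long enough: reset the state
        if ev.result == "FAIL":
            recent.append(ev.ts)
            # Rule 1 (known attack pattern): many failures from one source in the window.
            if len(recent) >= self.fail_threshold and ev.src not in self.flagged:
                self.flagged.add(ev.src)
                alerts.append(Alert(SEVERITY["HIGH"], "brute_force", ev.src,
                                    f"{len(recent)} failed logins within "
                                    f"{int(self.window.total_seconds())}s"))
        else:
            # Rule 2: a success from a source still in brute-force state is the
            # most urgent signal, because the guessing may have worked.
            if ev.src in self.flagged:
                alerts.append(Alert(SEVERITY["CRITICAL"], "success_after_brute_force", ev.src,
                                    f"user {ev.user} logged in on {ev.host} "
                                    f"after {len(recent)} recent failures"))
            # Rule 3 (compliance violation): privileged login outside business hours.
            if ev.user in ADMIN_USERS and not 7 <= ev.ts.hour < 19:
                alerts.append(Alert(SEVERITY["MEDIUM"], "off_hours_admin_login", ev.src,
                                    f"{ev.user} on {ev.host} at {ev.ts.time()}"))
        return alerts

def monitor_logs(text, **monitor_args):
    """Run the rules over a block of log text; returns (alerts, unparsed_line_count)."""
    mon, alerts, unparsed = Monitor(**monitor_args), [], 0
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        alerts.extend(mon.feed(ev))
    return alerts, unparsed

def triage(alerts):
    """Incident-analysis step: most severe first, so analysts see the relevant threat."""
    return sorted(alerts, key=lambda a: (-a.severity, a.rule))

if __name__ == "__main__":
    found, bad = monitor_logs(SAMPLE_LOGS)
    print(f"{len(found)} alerts, {bad} unparseable line(s)")
    for a in triage(found):
        print(f"sev={a.severity} {a.rule:<26} src={a.src} {a.detail}")
```

On the constructed input this yields three alerts: the five failures from 10.0.0.5 fire the brute-force rule, the following success from the same source is promoted to the top of the triage list, and the 02:15 login by the privileged account lands below both; bob's single typo-then-success produces nothing, and the malformed line is counted rather than ignored. The sliding window is what keeps the rule "real-time" in the article's sense: state is bounded and old failures age out, so a production version only needs to add persistence across restarts and a tamper-evident copy of the alerts.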

The transition to MDR-led security services faces certain challenges. In 2018, much of this challenge will come from contending with stringent new privacy and data protection regulations (such as GDPR) and from selecting the right cybersecurity provider. The MDR service provider market will appear confusing, as traditional MSSPs attempt to adopt MDR-like services (or, perhaps, simply to adopt MDR branding without fundamentally changing their service offerings). However, it is imperative to cut through this confusion. Select an MDR-first provider that has dedicated years of investment to anomaly investigation, forensic capabilities and response playbooks. Challenging or not, MDR adoption is no longer optional. The average cost of a single data breach will exceed $150 million by 2020, and by the end of 2018, cybercrime damages are projected to exceed $9 trillion globally. Will you join these statistics in 2018? Or will you protect yourself with MDR?

Distribution is changing and it starts here Nuvias Group is the pan-EMEA, high value distribution business, providing a common proposition and consistent delivery across EMEA, allowing channel and vendor communities to deliver exceptional business value to customers, and enabling new standards of channel success.

Unified Communications

Cyber Security

Advanced Networking

Nuvias Middle East & Africa 3101 – 3102, Concord Tower, Dubai Media City, Dubai, UAE

Security Advisor Middle East | Issue 25  