Patch Management Explained: Best Practices & Benefits

Tony MasonCyber Security, Data Protection, Patch Management

All You Need To Know About Patch Management And Why Automated Patch Management Will Simplify Your Sysadmin’s Life – by ANDRA ANDRIOAIE.

What is Patch Management?

Patch management if the process of distributing and applying updates to software. These patches are frequently required to fix bugs in the software known as vulnerabilities. It entails the acquisition, review and deployment of patches to an IT infrastructure. A patch is a piece of software code that enhances a programme that has already been installed; you may think of it as a ‘bandage’ that has been applied to software. Software developers produce a patch each time a security flaw or bug is found or the program’s functionality has to be improved. Patches can be applied to your whole infrastructure, including servers, routers, IoT devices, servers, software/operating systems and more.

Why Is Patch Management Important

Regular software patches improve the functionality, stability, and security of your system. Not to mention that recent years have seen a rise in system vulnerabilities. Take a look at PrintNightmare, which targeted Windows Spooler, or the 16-year-old flaw in the print drivers for HP, Samsung, and Xerox. Plus, you must  recall the infamous WannaCry ransomware attack.  That occurred as a result of unpatched systems that were misused by malicious hackers. Microsoft had released a security patch that addressed the vulnerability in Windows OS two months before the ransomware attack began.  However, many organisations did not upgrade their systems in time, leaving them vulnerable and open to attack.

If this is not enough to persuade you:

Therefore Patch Management Is Important For:
  • Security: patch management fixes vulnerabilities in your software and applications that are susceptible to cyber-attacks
  • System uptime: patch management ensures your software & applications are kept up to date & run smoothly
  • Compliance: Cyber insurance, cyber essentials and other regulatory bodies often demand that companies maintain a certain level of compliance and patch management is a necessary piece of adhering to these standards
  • Feature upgrades: patch management can go beyond software bug fixes, guaranteeing you have the most recent and efficient product with the latest features and functionality.
Benefits of Patch Management
  • Reducing the attack surface: applications & software may have various vulnerabilities a hacker could exploit. By patching them, a company is less exposed to cyberattacks or security breaches. Patching works as a prevention measure against many types of malware.  All of which can spread fast throughout a network.
  • Enhanced functionality: as well as removing software flaws, patching can also improve features, and therefore enhance functionality.
  • Achieving compliance: the required level of conformity with different regulations is accomplished with satisfactory audit results. This also saves you from receiving unnecessary fines for not meeting compliance standards.
  • Increased productivity: patches can fix different errors and bugs and therefore increase system stability. This means users won’t waste unnecessary time from any system downtime, as they won’t come across system bugs or downtime every few days.  Therefore, they will become more productive.
  • Spotting old software: if your software vendor is out of business or has another problem, a patch management solution can help you identify the software that has not received updates in a long time.  You will then have more visibility and can replace it in a timely manner.
Risks of Not Patching Your Software
  • Your business is more exposed to cyberattacks – hackers can exploit any found vulnerability.
  • The financial impact of a cyber attack – Successful cyber attacks can cost a company millions, from downtime & recovery, to reputation. The cost of recovery will certainly exceed the cost of implementing an automated patch management solution.
  • Potential loss in productivity – you will be left behind with an outdated system. You can waste hours as you are left struggling to solve issues caused by not patching in due time.
  • You can be fined because of a lack of compliance.

Cyber attacks are on the rise and you have no control over this. However, you can have total control over the vulnerabilities within your organisation and you can control them efficiently. One of the causes of the biggest cyberattacks to date has been poor patch management. Patch management plays a significant role in effective organisational cyber security.

The Patch Management Process

Here are the key steps that must be followed to ensure a seamless & effective patch management process:

  1. Make an IT asset inventory of all your current software solutions and devices. Check out who has what on their computers. Check out which software is out of date.
  2. Categorise assets and patches according to priority and risk. An inventory will assist you in determining which applications are vulnerable. It will also determine their level of importance or sense of urgency. It will also show if the existing patches meet your software needs. Since patch management is part of vulnerability management, choose a patch management solution that will fit your needs. Ensure it targets the most vulnerable parts of your system. Find a tool that will search for available patches. Then analyse the results to identify what needs to be patched.  Then apply the patches and monitor the process.
  3. Test the patches – Before putting the patches into production, test them in a lab environment. Before deploying live, you should check if your software supports the vendor’s patches you want to use.  A smart way to figure out if your network will actually support the patch you want to make is to use a testbed that replicates your production network. This step unfortunately has drawbacks as well. It will take time, consume resources from the business, and postpone the actual patching process.
  4. Plan the release into production and put a patch management policy in place. A patch management policy should lay out specific guidelines to ensure your patching process operates correctly.  It should schedule patches to be applied on time, and the patching results should be documented appropriately.
  5. Deploy the patches into production. Even if your lab tests went without a hitch, there’s always a chance you could encounter issues in a production environment. When going live, it is recommended to deploy in small batches.
  6. Assess and document the results. You should document and analyse every patching cycle.  This will help you to continually improve and optimise the patching process.
Patch Management Best Practices

Creating the optimal patch management strategy starts with evaluating all the necessary steps involved.

1. Create an asset inventory – You should keep track of your systems’ configuration and you need to know which hardware and software your organisation has. Plus check which version of operating systems are currently in use.

2. Analyse the risk levels and assign priorities – You need to undertake a risk assessment. Investigate which ones of your systems are non-compliant, vulnerable, and therefore need to be patched urgently. Some software might need patches sooner than others. You need correct identification and prioritisation in place.

Setting priorities and identifying goals for patching are crucial steps in the patch management process. It’s crucial to identify the software that has to be patched and establish a plan in order to avoid confusion and enable auditing procedures.

Patch management is part of the whole process of vulnerability management. Vulnerability management detects bugs that might be system configuration flaws, open ports, or registry settings. Vulnerability management will find the vulnerabilities before patching. Therefore, these processes should complement each other and be used together. A tool that has them both will work better in terms of mitigation measures.

Critical vulnerabilities should be patched first.

3. Consolidate software versioning – Your software and OS versions should be standardised to improve patching speed, effectiveness, and stability.

4. Create a patch management policy – A structured and well-defined process will constantly protect your system against threats. Your patch management process should be done frequently rather than occasionally. Therefore, a clear schedule must be followed when applying patches in order to prevent mistakes.

For instance, a delay should occur between deployments if various group policies require patches.  You should wait a certain amount of time before installing a patch for the next policy group, so that the first policy group patches have time to take effect.

5. Do not delay important security patches -The process of patch management should not be postponed for too long or too often. Certain patches with a high security risk should always be applied as soon as possible to avoid being left open to attack.

6. Test on a small sample before wide deployment – Although software patches should be implemented in a timely manner, it’s also wise not to rush your patching, without making sure that the patches suit your system.  Doing so could cause you issues. Therefore, an important patch management best practice is to test.

Patch validity can depend on the vendor. As a result, you must ensure that you test your patches on a small number of devices first to evaluate how they perform. If everything goes smoothly, you can then apply them all at once. The reason being, new patches may also have bugs that haven’t yet been found. This way you will avoid damage to the rest of your estate.

7. Have a rollback plan – You should be able to restore your software/roll back to the previous setting as soon as possible.  This is to ensure that, in case of errors or conflicts, you can restore as soon as possible and reduce downtime.

8. Automate the patching process – As everyone knows, patching manually can be extremely time consuming.  An automated process will always be better in terms of speed and accuracy. In addition, it will also help by avoiding human error.  Not only is it a great tool to help minimise the risk of malware infections. It also frees up your sysadmins so they can focus on other security related tasks. In addition, it enables you to gain full visibility inside your IT environment so you can diligently keep track of vulnerabilities and patches.

Conclusion

In order to effectively manage software updates, a good automated patch management solution is essential.

Maintaining the security, integrity, and accessibility of data and systems is crucial for every organisation.  It should be as thorough as possible but also simple and fast. The more you keep on top of your patching requirements and update all your systems, the less likely your company will be compromised.

Patch management is crucial to ensuring strong organisational protection. However, by all means, it should not be viewed as the answer to solving all security issues, but as an essential layer of protection for your business.  For example, alongside DNS filteringEndpoint Antivirus & Firewall, and Privileged Access Management (PAM).

It’s time to move beyond server patching software like SCCM/WSUS or old patch management techniques.  Take a look at the automated patch deployment solution from Heimdal Security for your Microsoft 365 and Third Party Apps.

Zero Trust & ZTNA

Tony MasonCASB Cloud Application Security, Cyber Security, Data Protection, MFA, Web Security

Zero Trust Security

Zero-Trust is a security framework of products or services that removes inherent trust from your organisation. Instead it requires strong, regular authentication/authorisation of all devices and users, together with context & policy adherence. Zero-Trust Network Access (ZTNA) is a term coined by Gartner. It uses the concept of ‘Zero Trust’ in the control of access to the company’s resources at the network level. With the new model of remote working, instant access to applications, services and data at any location or time, Zero Trust ZTNA is the potential future of network security.

Cyberattacks aren’t just a direct threat to an organisation’s income and reputation. In fact, the threat to business continuity is just as concerning as the spectre of data loss.
 

Research points to the scale of the risk. In 2021, one in five mid-market businesses (21%) suffered a ransomware attack and subsequently paid the ransom. For each successful ransomware attack, businesses are subject to very real disruption, with essential files, systems, or devices locked away. Ransomware can stop workers from fixing the problem and continuing with business as usual.  This is all while employees are blocked from accessing essential information or even the entire network.
 

No matter the sector, the impact of this kind of disruption can be serious. Whether it’s knowledge-based companies unable to access their email servers and interact with clients. Or utilities providers unable to log jobs and request parts, continuity breaches are no joke.

The Remote Risk

This isn’t a static problem: the scale and complexity of the threats involved are growing exponentially. The corporate boundaries that used to mark the line between ‘safe’ and ‘unsafe’ have dissolved. Work is no longer a place. It is an activity, and the pandemic has only accelerated that with the move to remote work in many industries.
 
That means defining what’s a safe network, device, or login and what isn’t is now much more complex. Keeping on top of security for hundreds or even thousands of individual users, all connecting via a whole range of setups, seriously increases the risk of a continuity-breaking attack.
 
Yet research indicates that over half (51%) of mid-market firms admit they have not purchased cybersecurity products that protect against threats for hybrid and remote workers. And 41% of organisations admit that future-proofing their cyber defences ‘needs development’. Therefore, security needs a fundamental rethink to deliver rapid and secure access across business ecosystems.
 
Much has been said about the end of the traditional perimeter and the need for organisations to adapt and develop a Zero Trust security stance in response. But what does this mean in practice?

Zero Trust

In short, when it comes to providing secure access to network resources, a Zero Trust security model turns the old idea of ‘connect then authenticate’ on its head. Instead, it establishes a paradigm in which trust is consistently re-evaluated based on real-time behavioural data, not a single successful login. Think of it like those scenes in blockbuster movies where the heroes infiltrate the villain’s lair – one mistake and all the alarms in the building are blaring. Zero Trust is more nuanced than that, but the basic principle is the same.  If something looks suspicious, stop it first and ask questions later. Don’t just let it keep walking around because it flashed the right badge on the way in.
 
‘Trust no one’ may seem like an extreme mantra, but in today’s cybersecurity landscape, it’s essential. Here are four key steps to guide you along your way in understanding and implementing a Zero Trust position.

1) Trust no-one

This is the cardinal rule for perimeter-less security. The aim is to achieve a Zero Trust position. This is to ensure that users, devices, and logins are continually assessed and re-evaluated before access is granted to corporate resources. Rather than operating a ‘one and done’ policy, a Zero Trust approach dictates that every attempt to access potentially confidential information or systems should be met with checks and balances.

2) Follow the user

For seamless Zero Trust, security needs to go where people go. It needs to flawlessly adapt to whatever device, network or location they are using. Rather than denying access to unrecognised devices or simply requesting a password, businesses need systems that can draw on more complex datasets to make context-aware decisions. In other words, they need…

3) Smarter Security

…which can fuse context and identity to understand what ‘normal’ looks like and autonomously responds to suspicious behaviour. Truly smart security systems can analyse data about: geolocation, time of day, speed of movement, (i.e. logging in from two locations without expending the time required to physically get from one to the other), speed of access (i.e. clicking through files faster than humanly possible), and more to correctly identify risky behaviour – and shut it down.

4) Future-proof your investments

Finally, it’s worth bearing in mind that an effective security system is never static. The demands you face will change, as will the needs of your workforce. Given the need to continuously iterate, it’s advisable to consider combining your network and security services in one place. This will provide rapid, secure business access right across an environment, and enable upgrades without having to laboriously integrate new point products with old ones.
 
A single platform that provides all your core security requirements in one place, is a key consideration for maintaining continuity. It gives you the intelligence and automation to protect an increasingly mobile workforce whatever the future holds.
 
To find out more about how to implement a Zero Trust ZTNA approach, download this ebook Your Guide to Implementing Zero Trust.

Vulnerability Scanning

Tony MasonAPI Security, Data Protection, Penetration Testing, Vulnerability Management & SIEM, Vulnerability Scanning

Why scanning more often could deliver surprising benefits you may not have considered.

Can I just scan once per year, like with a penetration test?

Penetration tests are uniquely effective in uncovering highly complex vulnerabilities in web applications: those which may require detailed human awareness and context in order to detect. However, whilst irreplaceable, penetration tests can also be relatively expensive to deliver.  This is because they require significant time investment by highly skilled human penetration testers. Because of the costs, many organisations may, understandably, conduct them only an annual or bi-annual basis. However, automated vulnerability scanning (also known as “DAST” or “Dynamic Application Security Testing”) operates on a very different paradigm. A common misunderstanding by those establishing a vulnerability scanning programme for the first time is to apply existing schedules for penetration testing to vulnerability scanning without alteration. It is certainly possible to only run a vulnerability scan once per annum.  However, in doing so many of the benefits that the vulnerability scanning paradigm makes possible are left on the table.

How often should I run vulnerability scans?

When a vulnerability is introduced to a website or service, the clock starts ticking on a window of opportunity for attackers to exploit it before the organisation operating the service notices the vulnerability and remediates it. In cybersecurity this is known as the “attack window” for a vulnerability. The longer the attack window is open, the greater the opportunity for attackers and hence the greater the risk to the organisation.

The key advantage of vulnerability scanning is its ability to be executed as often as required. This means that it can be leveraged to detect vulnerabilities much sooner.  This allows them to be quickly remediated and to reduce the time available for attackers to exploit them. For all the strengths of penetration testing, it is not feasible to perform it weekly. A vulnerability introduced one week after a penetration test may go unnoticed for up to a year until the next penetration test is performed. Vulnerability scanning can help plug this gap. It “fills in” between scheduled penetration tests to uncover many common vulnerabilities almost as soon as they are introduced. Thus reducing the risks to you, your business, and your customers.

Doesn’t running scans more often increase workload and require more resources?

It seems intuitive to assume that running vulnerability scanning more often must surely require more – and potentially unmanageable – amounts of resources, including time commitments from already overburdened security teams.

However, this is typically not the case. Vulnerability scans operate very differently to penetration tests. They are “configure once, run forever”. That is, the scanning itself is completely automated. Once a scan profile is created to define how a scan should be performed, there is no additional burden between executing the scan once versions automatically re-execute on a repeating schedule as often as required. This can all be delivered for no additional cost. Nor even requiring any manual action or intervention for subsequent scans.

To understand why this is the case, we will take a look at some of the most commonly seen benefits cited by customers who have adopted an approach in which vulnerability scanning is performed more frequently in order to fully leverage their benefits, and how this is made possible.

Reduction in Workload Volatility

Managing workload for a security team is made especially challenging, the greater the volatility in workload. Preventing those days where everything lands all at once is key in establishing a manageable cadence and rhythm for a team that ensures the delivery of consistent performance.

For vulnerability remediation, ask yourself whether you would prefer to receive:

  1. A vulnerability scan performed once a week. Each scan finding two new vulnerabilities, giving you two vulnerabilities to remediate each week; or
  2. A single vulnerability scan performed in the second week of March. Delivering a flood of over one hundred vulnerabilities in one mammoth batch that seems overwhelming.

Hopefully you’re thinking “Option 1”. Performing regular vulnerability scanning at a higher cadence means that vulnerabilities are discovered more often but in far smaller numbers: that is the “delta” or difference from one scan to the next and is lower the more often that scans are run.

Business as Usual

Tasks become easier through repetition and familiarity. Performing processes more often makes them not only standard practice, but improves performance in the tasks. Where vulnerabilities need to be remediated by other teams, making vulnerability remediation a standard “business as usual” activity on an ongoing basis, ensures that managers can budget for it. For example, assigning say 5% of a team’s time to vulnerability remediation on an ongoing basis. This is a far more palatable approach for those managing technical teams than having a huge set of vulnerabilities “drop” on their team in one, unmanageable package. This would require completely derailing other delivery commitments in order to address. It is far better that vulnerabilities that need to be remediated don’t drop on teams in one unmanageable “lump” of work. It can help ensure that delivery timescales for other work are not impacted, prevent frustration, and foster co-operation between teams.

“Little and often” makes the vulnerability management process business as usual. Rather than an extraordinary demand for resources on an irregular basis. Vulnerability management becomes part of the status quo and providing regular vulnerability reports – from frequent scans – each with a small delta to the last, helps everyone.

Reducing the Attack Window Reduces Risk

When a new vulnerability is reported, it triggers a race against the clock between the various actors involved. From an organisation’s point of view, teams need to roll-out the necessary security patches to rectify the flaw as soon as the vendor supplies them. However, at the same time, attackers will start developing exploits with malicious code that can take advantage of the identified weaknesses. The race is on, and the period until you patch is known as the “attack window” during which an attacker can take advantage of the vulnerability on your systems. If you are only performing vulnerability scanning on a long interval between scans, it may be months before you are even aware that one of your systems is un-patched and vulnerable.  This gives attackers greater opportunity to target you for attack.

Scanning on a more regular basis doesn’t find more vulnerabilities or present a greater burden.  What is does do, is reduce the timescales or “attack window” between a vulnerability being exposed on your system and you becoming aware of it and patching it. It tips the scales in your favour, and against the attacker.

Alignment with Agile Development Processes

Systems development used to be a slow process with long development cycles. However, the advent and adoption of approaches such as Devops and Agile practices within organisations often means that development teams are using Continuous Deployment and other mechanisms to deliver multiple code deployments per day.

A key advantage of a vulnerability scanner is that since it is an automated tool it can be trivially integrated into DevOps and CI/CD pipelines. It can then execute scans of test and staging environments as frequently as on every code deploy, allowing vulnerabilities to be detected and remediated before they even make it to production.

Configuration Regressions

In contrast to approaches that are based on “static analysis” of source code (known as SAST), vulnerability scanning is conducted by performing active scans of live copies of running applications. Interacting with them directly in exactly the same way as a customer (or attacker) does.

One of the key advantages to this approach is that the scanner doesn’t care *which* part of the application its scanning is vulnerable, only that a vulnerability exists. Whereas SAST can only detect vulnerabilities in source code, a vulnerability scanner such as AppCheck can detect vulnerabilities wherever they exist.  This includes in underlying configuration errors on the host that the application is running, as well as server software and network components such as web application firewalls, routers, and load balancers.

Scanning your entire web infrastructure regularly ensures that any misconfigurations introduced in system or services are detected swiftly, just as vulnerabilities in code are.

Expiring Resources

It’s possible for new vulnerabilities to appear even when nothing has been deliberately changed, and when no new code has been deployed. This can occur either when a new vulnerability is discovered or published in existing software that is in service.  Or when the behaviour of a given resource changes, even though no explicit change action has been performed, allowing vulnerabilities to be introduced. (SSL certificates can expire or be revoked, domain registrations can expire, permitting domain takeover, and products can go End of Life (EOL) and cease to receive ongoing critical security updates or advisories).

Performing scanning regularly ensures a greater chance that these issues are detected early. Even when an organisation may believe that no new vulnerabilities can have been introduced because no new code has been deployed.

Forensics & Exploit Detection

Vulnerability scanning typically performs a vulnerability identification function.  It aims to detect vulnerabilities in exposed systems and services that are present due to weaknesses in software code or configuration. This is so that they can be remediated before an attacker can exploit them. However, whilst not being their primary function, vulnerability scans can provide a useful secondary control to detect what are known as “indicators of compromise”. Detecting exploits by attackers that have already occurred. This might present as new and unexpectedly open ports or services on your systems, or potential malware presence that may represent a breach in progress.

Cybercriminals spend an average of 191 days inside a corporate network before they are detected, according to a 2018 IBM research report. During that time they can attempt to compromise an increasing number of systems and exfiltrate large amounts of data. Faster reaction to breaches limits the potential harm to your organisation and its customers. Scanning more frequently can let you spot signs of potential exploit earlier.

Included Dynamic Third-Party Code

It is increasingly common for web applications to include third-party client-side JavaScript libraries within their applications. The use of third-party JavaScript can be beneficial in delivering time savings for developers. It allows them to leverage common functionality in an easy and standardised manner without having to devote time to develop the functionality themselves.

Many of these libraries are dynamically loaded by websites from remote servers or cloud platforms. Whilst generally safe, any compromise of these third-party libraries means that any and all websites making use of them may be open to compromise. Because the JavaScript or other libraries loaded in this manner are typically called directly from a CDN server, it will often have received no review by the organisation. The organisation controls only the call to load the library from a given URL, but has no control over the content returned. This can change immediately without the organisation having any visibility. Frequent vulnerability scanning ensures that this risk is reduced by detecting and flagging dangerous third-party JavaScript or other libraries as early as possible.

Retesting After Fixing

An advantage of vulnerability scanning is that it allows easy rescanning to be performed after a vulnerability has been fixed.  This verifies and provides assurance that the claimed fix has in fact been effective in remediating the vulnerability. In 2017 Equifax experienced a major data breach involving the theft of sensitive data relating to 145 million customers. Subsequent investigations uncovered indications that Equifax staff were aware of the requirement to patch their systems against a known and published vulnerability. However they failed to adequately retest systems after applying fixes in order to ensure that all affected systems had been remediation fully and effectively.

If an organisation only performs a scan annually, or quarterly, it may potentially be failing to follow up on verification that vulnerabilities discovered in previous scans, and which were believed to have been remediated are genuinely resolved and present no further risk.

Summary

The bottom line is that performing regular vulnerability scans – perhaps more often than you might have previously considered appropriate – provides a consistent visibility into your vulnerability landscape. It can provide the basis for a consistent and manageable workload and rhythm for your team. At the same time as reducing risk for your customers by minimising the duration of attack windows and reducing the chance of potential exploit.

Check out AppCheck for more information.

Protect your Office 365 users & business against evasive phishing attacks.

Tony MasonData Protection, Email Monitoring, Microsoft 365 Security, Security Awareness & Phishing

One of the key challenges organisations are currently struggling with, or have seen, is an increase in Evasive Phishing. In addition, Impersonation Attacks and Business Email Compromise are also a problem.  All of these are getting past traditional gateway and perimeter security solutions.

The sophistication of these attacks makes them increasingly successful in avoiding detection and fooling your employees.  This includes those who’ve been through Security Awareness and Training (SAT) programs. Obviously this puts companies at significant financial risk from imposter attacks.

Therefore to secure against phishing attacks, consider another critical layer of security, where it’s needed – right in the user mailbox.

Inbox Security

Cyren Inbox Security is software that connects into O365. It continuously monitors the inbox for phishing attacks that have been missed at the Secure Email Gateways (SEG).

It is an Inbox Detection & Response (IDR) solution that allows organisations to establish a critical layer of email security at the inbox. Thus strengthening your overall security posture.

It’s not a competitor to Secure Email Gateways but a complimentary solution.  It helps to significantly improve the rate of phishing/malicious detection from emails that evade perimeter security and reside in the inbox.

Therefore, protecting your Office 365 mailboxes has never been this easy.

The solution takes less than 10 minutes to integrate and deploy. Cyren then automatically significantly remediates malicious mail. This reduces the time burden on internal teams.

One key feature is that during the POC stage Cyren will produce a free delta report detailing exactly what is being missed by the perimeter security.

When evasive phishing and other threats get past traditional security barriers, Cyren detects them and remediates automatically through:

  • Continuous monitoring of all emails in all folders in user mailboxes
  • Continuous scanning and real-time analysis of URLs and web pages
  • Ongoing analysis of email sender and recipient behaviour to detect anomalies and threat patterns
  • Front-line detection and reporting of new, emerging threats — powered by users
Counter Sophisticated Phishing Threats Automatically

Cyren Inbox Security leverages the native API integration of Office 365. This means there is no requirement to change existing security gateways or appliances. It then continuously detects email threats that are delivered to user mailboxes. Their powerful set of automated remediation tools identify and mitigate a wide range of malicious attacks that avoid detection by perimeter defences, including:

  • Evasive Phishing attacks using techniques such as delayed URL activation, URLs hidden in attachments, HTML obfuscation, sophisticated encryption, real and valid SSL certificates, etc.
  • Spear phishing and spoofed messages that carry no payload to detect
  • BEC, CEO fraud, and other targeted social engineering attacks
  • New zero-day phishing campaigns
  • Account takeovers (credential theft) and monitoring of internal email
Quick Two-Step Deployment

Cyren Inbox Security is a non-intrusive security solution-as-a-service. It complements your existing secure email gateway without the need for MX record changes or any changes to current infrastructure. Get up and running in just a few clicks — simply:

1) Authorise Cyren to access your email flow, and then

2) Configure your preferred filtering and remediation policies, including flexibly applying different rules-based policies to different users and groups.

Cyren

More than 1.3 billion users around the world rely on Cyren’s cloud security solutions to protect them against cyber-attacks every day. Powered by the world’s largest security cloud, Cyren delivers fast time-to-protection with embedded threat detection, threat intelligence and email security solutions.

Find out more information here.

Data BackUp – Is Your Microsoft 365 Data Safe & Secured?

Tony MasonData Backup, Microsoft 365 Security

keepit backup for Microsoft 365 data
keepit backup for Microsoft 365 data

With the increased adoption of Microsoft 365, many organisations assume that data backup is included in Microsoft 365.  As a platform, it is secure. However, your data isn’t backed up in a way that you would requireMicrosoft will not cover any data loss caused by your own internal errors. Nor from malicious actions, ransomware or any other cybercrime event. 

Microsoft (and other Global SaaS vendors like Salesforce) don’t take any responsibility for your data. Nor how you use their application. They only take responsibility for their own infrastructure and operation. In other words, the main reasons for losing data in the cloud are not covered by Microsoft.  Plus, it can take days to recover from a ransomware attack. Don’t take chances with the data your business relies on.  You need secure & backup your data.

Microsoft themselves even recommend that you seek third-party backup and recovery for Office365 data. A good backup with quick recovery is critical after a ransomware attack or accidental deletion. Restoring sites, entire folders, or mailboxes can be a tedious, manual process. If the data you need is mission-critical, that means costly downtime you can’t afford.

Also, compliance is one of the key reasons behind the adoption of Microsoft 365 backup solutions. Typically, there’s only a 30 day retention period inbuilt into Microsoft 365.  Plus, Microsoft SharePoint Online is only backed up every 12 hours. Added to that, that’s only within a 14 day retention period.  Many Microsoft backup solutions are incredibly flexible.  This means that you can keep your email data for as long as you need. Plus, you can tailor it to meet your business’s compliance needs.  One of the key compliance requirements, including GDPR, is to ensure that you have constant availability of your data at all times.

Your Microsoft 365 Data is At Risk Without Backup.

A recent *Gartner report sums it up. ‘By 2022, 70% of organisations will have suffered a business disruption due to unrecoverable data loss in a SaaS application’.  In a survey of 1000 IT Pros, 81% said they had experienced data loss in Office 365.  This was caused by simple user error to major data security threats.

To avoid losing data, your Microsoft 365 needs backup. You need a third-party backup. One that stores the data at an independent location. It’s a data protection best-practice.

Complete Microsoft 365 Coverage

Barracuda and Keepit both have products that offer easy to use solutions. They both give you complete coverage across all workloads: Exchange, One Drive, Teams, SharePoint, Groups and Public Folders.

No On-Premise Installation

Your Microsoft 365 data is already in the cloud. Now that you’re in the cloud, it makes sense to avoid unnecessary on-premise installation for that backup. Saving secure, encrypted backups in the same network means better performance and instant scalability. Cloud backup means easy deployment and no on-premise installation.  These two solutions are designed with perfect integration for Microsoft cloud services.  Therefore, you can run backups in the background and not impact on how you use the platform.  They offer fully automated backup with several daily backups. This ensures your backed-up data is always up to date.

Easy Find & Recover

It’s not just important to have data backup.  It’s also vitally important to be able to recover that data and easily. Plus you want to recover it in a format that is easy to use and understand.

In any case of data loss, finding and recovering is as easy as it gets with Barracuda and Keepit. They have unique find & recover features.  You may find and recover anything from a single email to a full user account recursively.  Finding and recovering has never been quicker whilst helping you meet compliance demands.

Secured and Encrypted

As for security, Keepit will back up your data to the global data centres of your choice.  Your data is stored on two separate physical locations with the latest encryption technology. This ensures your data is backed-up and secure. Barracuda retain three external copies of backed up data.

For more information, check out Keepit and Barracuda.

*Gartner Report “Assuming SaaS Applications Don’t Require Backup Is Dangerous”,2019.

Cybersecurity Awareness Month

Tony MasonSecurity Awareness & Phishing

KnowBe4 Free Resource Kit

October is Cybersecurity Awareness Month, which is now in its 18th year. Its primary focus continues to help raise awareness about the importance of cybersecurity, ensuring everyone has the resources they need to be safer and more secure online.   

The Themes this year are:
  • Be Cyber Smart
  • Fight The Phish
  • Explore, Experience, Share (Cybersecurity Career Awareness Week)
  • Cybersecurity First
KnowBe4 Resource Kit

To help you make the most of Cybersecurity Awareness Month, KnowBe4 have created a new free Resource Kit for this year. They are providing the resources you need to help your users defend against cybercrime from anywhere. 

In today’s hybrid work environment, your users are more susceptible than ever to attacks like phishing & social engineering.  Cybercriminals know this and are constantly changing tactics to exploit new vulnerabilities. Therefore, KnowBe4 have put together some resources so you can keep your users safe with security top of mind. 

The kit includes:
  • Free resources, including their most popular on-demand webinar & whitepaper as well as Kevin Mitnick cybersecurity demo videos, infographics, tip sheets, awareness posters, and wallpapers
  • Cybersecurity Awareness Month Guide and Cybersecurity Awareness Weekly Planner to help you plan your activities
  • Two free training modules; “Your Role: Internet Security and You” and “2021 Social Engineering Red Flags,” 
  • Everything is printable and available digitally, so they can be delivered to your users no matter where they are working from 

We hope these resources help you keep your organisation safe throughout the month of October and beyond.  Start a good cyber culture now! Access your resource kit here today.

#thinkb4uclick #becybersmart

UBA vs UEBA and SIEM

Tony MasonVulnerability Management & SIEM

User and Entity Behaviour Analytics (UEBA)

What is UEBA?

What is the difference between UBA vs UEBA and how does it fit in with SIEM?

User and Entity Behaviour Analytics (UEBA) focuses on analysing activity. Specifically user behaviour, device usage, and security events ­within your network environment.  It helps companies detect potential insider threats and compromised accounts. The concept has been around for some time. It was first defined in detail by Gartner in 2015 in its Market Guide for User and Entity Analytics.

How Does UEBA Work?

In essence, UEBA solutions create a baseline of standard behaviour for users and entities within a corporate network.  Ultimately they look for deviations to the baseline. They alert network admins or security teams to anything that could indicate a potential security threat.

To do this, UEBA solutions collect live data that includes:

  • User actions. Such as applications used, interactions with data, keystrokes, mouse movement, and screenshots.
  • Activity on devices attached to the network. Such as servers, routers, and data repositories.
  • Security events from supported devices and platforms.

Advanced analytical methods are then applied to this data to model the baseline of activity. Once this baseline of behaviour has been established, the UEBA solution will continuously monitor behaviour on the network.  Then it compares it to the established baseline.  It looks for behaviour that extends beyond an established activity threshold to alert appropriate teams of the detected anomaly.

UBA vs UEBA and SIEM 

Initially this technology was referred to simply as User Behaviour Analytics (UBA). As the name implies, this concept focused exclusively on activity at the user level. This was to indicate potential threats. However, Gartner later added the “entity”. This was to reflect the fact that “other entities besides users are often profiled in order to more accurately pinpoint threats”. Gartner defined these other entities as including managed and unmanaged endpoints, servers, and applications. This included everything that was cloud-based, mobile-based, or on-premise based.

This expanded scope then includes looking for any “suspicious” or anomalous activity that may be based on network traffic. Or requests sent from a specific endpoint to unusual ports or external IP addresses.  It also looks at operating system process behaviour, privileged account activity on specific devices, the volume of information being accessed or altered, or the type of systems being accessed.

By broadening the scope of its focus to cover non-human processes and machine entities, Gartner’s UEBA definition means UEBA can analyse both sources of data. This helps to gain greater context and insight around activity.  As a result it can produce a more accurate profile of the baseline of activity within an IT network.

Therefore, the solution is able to more accurately pinpoint anomalies and potential threats.  This even includes things that would often have gone unnoticed by “traditional” security monitoring processes such as SIEM or DLP.

Do SIEM And UEBA Offer The Same Protection? 

With many corporate security teams having already implemented security information and event management (SIEM) solutions, a common question is whether UEBA and SIEM offer the same protection. After all, they both collect security-related information that can indicate a potential or active threat.

UEBA solutions typically include the following benefits:

  • The ability to use behavioural baselining to accurately detect compromised user accounts.
  • Automation to create improved security efficiency.
  • The use of advanced behavioural analytics helps to reduce the attack surface by frequently updating IT security staff and network admins about any potential weak points within the network.

The key difference is that SIEM solutions are traditionally more focused on log and event data. These wouldn’t allow you to create a standard baseline of overall user and network environment behaviour in the same way that a UEBA-focused solution would. However, it’s important to note, that similar to UEBA solutions, this information gathered by SIEM solutions comes from a wide range of different IT network endpoints. It is then collated and analysed within a central system.

Sound familiar? It should; the line between UEBA and SIEM can be rather thin, depending on the collection and analysis capabilities of a given SIEM solution.

With the right input data, the SIEM solution can process the collected data and combine it with real-time event analysis. It can then present it in a format that helps provide security analysts and system administrators with actionable insights into anomalies that may indicate a threat.

Successful SIEM

The use of SIEM solutions is becoming increasingly widespread within the corporate landscape. This is because they do offer organisations a number of important benefits, these include:

  • Improved handling of cybersecurity incident and response.
  • Improved security defences.
  • The ability to automate compliance reporting to help organisations achieve compliance with the relevant regulations for their industry ie GDPR, HIPAA, and PCI DSS etc.

To be able to more accurately predict potential threats through user and entity activity, SIEM solutions need to both:

a) Be able to collect needed and relevant activity and behavioural data.

b) Plus have the ability to accurately analyse that data in the context of finding anomalous threat-related activity to produce more targeted and actionable alerting.

As you can see, there are some differences between the two solutions. However, SIEM solutions become a viable option in an organisation’s journey to implement UEBA as long as SIEM solutions can:

  • Be set up to comprehensively collect enough similar data to provide the same value as a traditional UEBA solution.
  • Plus provide the needed conclusive analysis to identify leading and active indicators of threat activity.

By Nick Cavalancia Microsoft Cloud and Datacenter MVP for AT&T.

AlienVault USM – UBA vs UEBA and SIEM

Traditional SIEM software solutions promise to provide what you need, but the path to get there is one that most of us can’t afford. Traditional SIEM solutions collect and analyse the data produced by other security tools and log sources, which can be expensive and complex to deploy and integrate. Plus, they require constant fine-tuning and rule writing.

AlienVault USM provides a different path. In addition to all the functionality of a world-class SIEM, AlienVault USM unifies the essential security capabilities needed for complete and effective threat detection, incident response, and compliance management—all in a single platform with no additional feature charges. Their focus on ease of use and rapid time to benefit makes the USM platform the perfect fit for organisations of all shapes and sizes.  See here for more information.

KnowBe4 National Cybersecurity Awareness Month Update

Tony MasonSecurity Awareness & Phishing

October is National Cybersecurity Awareness Month (NCSAM).  Therefore, to help celebrate, KnowBe4 has fresh content updates and new features. Plus they have a great security awareness resource kit.

Check out your 2020 NCSAM Resource Kit from KnowBe4. Firstly this includes resources for your users like infographics, cybersecurity awareness tips and new posters. In addition they have their most popular security awareness assets and a sample training plan.

KnowBe4 National Cybersecurity Awareness Month Resource Kit

We hope these resources help you keep your organisation safe throughout the month of October! Access your resource kit here today.

KnowBe4 National Cybersecurity Awareness Month PRODUCT UPDATES – October 2020

NEW!

Language Localisation in the Phish Alert Button for Microsoft 365.
We are excited to announce the availability of KnowBe4’s enhanced Phish Alert Button (PAB) for Microsoft 365 with the new language-aware feature! 

With this new version of the PAB, you can now enable languages in your Phish Alert settings. You can then automatically display the preferred language based on your users’ system language settings. The same languages (22) offered for the KnowBe4 Learner Experience, are supported for this version of the Phish Alert Button. Also, you have the ability to add custom languages by adding them to your manifest file and reinstalling the PAB.

Phish Alert Button for Microsoft 365

As a result, this localisation enables your users to interact in a more immersive experience for reporting suspicious emails through their Phish Alert Button.  Plus this also reinforces the learning experience when accessing their KnowBe4 training in their preferred language.


KnowBe4 National Cybersecurity Awareness Month – QUARTERLY PRODUCT UPDATE VIDEO

Every quarter, the KnowBe4 Technical Content team creates an update of all new content and features added during the last three months. Here is the Q3 2020 issue. This covers new content that has been added to the KnowBe4, PhishER, and KCM platforms.

KnowBe4 Quarterly Product Update

FRESH TRAINING CONTENT BY PUBLISHER

KnowBe4

This new brandable training module was added by KnowBe4 this month. 

Basics of Credit Card Security

Basics of Credit Card Security
This module covers the basics of credit card security. It is meant for all employees in your organisation who handle credit cards and/or credit card data. Employees will learn what the hackers are after and the techniques hackers use to try and gain access. Plus they will also learn the best practices they can take to protect the organisation and its valuable credit card data.


The Security Awareness Company (SAC)

SAC added five new pieces of training content to the ModStore this month.

KnowBe4 National Cybersecurity Awareness Month – October 2020 Security Awareness Newsletter
Cybercrime goes well beyond data breaches and the exposure of confidential information. Sadly it can also lead to life-threatening scenarios or total disruption of services that millions of people rely upon every day. In this issue, we dive into the many threats cybercrime poses and the results of successful attacks. Plus most importantly, how to prevent cybercrime from impacting organisations and individuals.

Security Awareness Newsletter

Scavenger Hunt Fun for Your Employees
Each month, scavenger hunt questions are created to help you gamify and reinforce the topics covered in each newsletter. You can use these questions as-is or edit as you see fit. You can simply look for the complementing pdf of scavenger hunt questions in the ModStore. The newsletter and questions are both available in 18 languages.

PHI in Peril Puzzle

HIPAA Puzzle

Four employees of the Better-U Clinic have violated HIPAA regulations. You can find out who violated what rule, what their job title is, and which patients’ Personal Health Information (PHI) was affected.

You can use this logic puzzle to challenge your users! Puzzles are shown to improve brain elasticity and helps us form new ways of doing things. In this instance, solving problems before they occur. This puzzle can be found under SAC’s security documents content category. 

These two video modules focus on privacy, security, and protecting confidential information. 

HIPAA Training
  • The What, Why, and How of HIPAA
    This short brandable training module will provide your users with a quick overview of HIPAA. Why it matters, and how it impacts all of us, professionally and personally. A brief quiz is included at the end of the course.
  • Privacy vs. Security: What’s the Difference?
    Privacy and security are two sides of the same coin. This video module explains the differences between privacy and security. It then explains why they go hand in hand in protecting your data and your organisation.

All training content from The Security Awareness Company is available at the Diamond subscription level.


Twist & Shout


Security Snapshots Season 1 Series
Twist & Shout delivers a new video series with 12 stand-alone security micro-dramas. Each video takes a light and comedic approach to a fundamental behavioural issue. It demonstrates how employees’ actions can jeopardise your security. The frame-by-frame slow-motion effects educate and entertain your users. It also has how-to conclusions to help avoid these situations.

Security Snapshots Season 1 Series

Topics include phishing, unsecured WiFi, waste-disposal, email attachments, and oversharing on social media.

Restricted Intelligence Season 1 Series – Now with Quizzes
In a world of sensitive information…they were their own worst enemies. In this 6-episode series, your users can watch in disbelief as our well-intentioned but clueless team staggers from one data debacle to another. Pausing only to leave the doors unlocked on the way out and enjoy a little phishing. The new quizzes have been added to the series so your users can take a short quiz at the end of each module. 

Restricted Intelligence Season 1 Series

This brandable series covers topics on passwords and access, safe surfing, phishing, removable media, social media, and mobile devices.

All training content from Twist & Shout is available at the Diamond subscription level.


Popcorn Training

Three new brandable training modules were added this month from Popcorn Training.

Ethics (Fraud & Anti-Money Laundering) & Digital Identity: Authentication.
  • Ethics: Fraud 
    Fraud has the potential to limit the confidence that stakeholders have in an organisation. As well, it can also promote mistrust inside the workplace. Your users can learn how to spot fraud red flags in this short training module.
  • Ethics: Anti-Money Laundering 
    Money laundering can happen in many institutions and is a lot more common than you think. Your users can find out more about the process of money laundering and what to look out for in this training module.
  • Digital ID: Authentication
    From the Building Secure Software Series, episode 6 explains how authentication is the first part of managing the digital identity of your users. Overall, this module covers the basics of authentication controls and how to implement it based on the value of the data in your applications.

All Popcorn Training content is available at the Diamond subscription level.


exploqii

Three new video modules from exploqii were released in September.

Money Mules, Internet Explorer: End of Support, Cyberattacks Overview
  • Money Mules
    A tempting job advertisement promises high commissions and demands only a small service in return – making a private bank account available for a transaction. But behind the apparently reputable offer is nothing less than money laundering. And those who take up the offer, risk being liable to prosecution. Therefore, your customers can learn about the ‘money mules’ scam in this module.
  • Internet Explorer: End of Support
    The first steps onto the internet: more than a few users took them with Microsoft’s Internet Explorer. It hasn’t always been the most innovative web browser. However it certainly is one of the most widespread. In the environment of larger organisations in particular, it may represent a risk because older versions are often used. This video module explains why and how important it is to switch to a successor web browser.
  • Overview: Cyberattacks
    What is ransomware – or phishing? And what does it have to do with your data? And your organisation’s security? But above all: How can your users protect themselves? To explain, this video module provides an initial overview of the most widespread attack methods and raises awareness of data security. It also shows that cybersecurity training sessions are an effective way to protect your data, employees, and organisations.

All exploqii content is available at the Diamond subscription level.


El Pescador

Remote Work 
Remote work is now a reality for many employees. It is important to remember how to ensure the security of your organisational data. Not to mention all the information from your employees, suppliers, and customers.

You can use this poster to promote and reinforce the “Remote Work” series as part of your training campaign.

All El Pescador content is available at the Diamond subscription level.


FRESH NEW TRANSLATIONS

In addition to fresh new training content, you really want content localised to the language needs of your organisation and users. That’s why in addition to constantly updated and new content, KnowBe4 releases fresh new translations regularly to the ModStore.

Any training content with new languages available will be tagged with an orange “New Translation” banner.

Therefore, check out the new translations added in the KnowBe4 ModStore:

  • Tuesdays with Bernie Trader Edition is now available in multiple languages across all seasons.
  • 2020 Security Culture Survey is now available in English US, English GB, Danish, Dutch, Finnish, Norwegian, Polish, and Swedish.

In the month of August, 177 new translations were added for the following training content categories:

  • Newsletters/Security Documents/Posters: 34
  • Games/Assessments/Training modules: 34
  • Video Modules: 109

KnowBe4 National Cybersecurity Awareness Month

With a Diamond level subscription, there is so much available for your training needs!

As of September 30, 2020 KnowBe4 has: 

  • 1,187 Pieces of Education and Training Content
  • 288 Interactive Training Modules
  • 403 Video Modules
  • 244 Posters and Artwork
  • 229 Newsletters and Security Docs
  • 23 Games
  • Over 5,000 Phishing Templates

Secure Your Cloud Infrastructure For Remote Workers

Tony MasonData Protection, Enterprise Security, Microsoft 365 Security, SIEM, Vulnerability Management & SIEM

Secure Your Cloud Infrastructure For Remote Workers
Remote Workers

As working from home becomes more long-term, it’s important to secure your cloud infrastructure for remote workers.

Cloud Infrastructure allows for great speed and ease of deployment. New infrastructure can be deployed in minutes.  The rate of change in cloud infrastructure is far quicker than with on-premise and it is so easy and quick to deploy. This is enabling businesses to move quickly and keep dynamic in this ever-changing world.

On the one hand, this is great, speeding up set-up and new solutions.  However, on the other, it leaves relatively inexperienced staff creating new infrastructure and leaves you vulnerable to misconfigurations that can be exploited.  DevOps & developers are now creating new infrastructure not just IT and security teams.

Companies Need To Consider Cloud Best Practices

Importantly, you need to minimise the chance of misconfigurations and be able to quickly remediate them should they occur.

At the same time, you need to ensure you don’t restrict the dynamism of a company, keeping your environment secure without impacting its flexibility.  In addition, you must ensure you don’t restrict and block developers as they will find a way around these and leave you even more exposed.

Create A Baseline

You need to create a baseline to define what your cloud environment should look like from a security perspective. This should include what services are and are not authorised to be used.

In addition, you should set how things should be configured and who gets what access and who can make changes. Fortunately, you can start with existing best practice recommendations such as CIS Benchmarks for AWS, Azure, and Google Cloud Platform (GCP). Plus each cloud provider has their own best practices.

You also need to create an incident response plan that everyone can follow when responding to incidents.

Enforce Your Baseline

To help enforce the baseline you can use a cloud security posture management (CSPM) solution. Rapid7 now work with DivvyCloud which help you to create & enforce baselines. These solutions help you with visibility of misconfigurations and policy compliance.  You can then remediate quickly.

Otherwise you can use infrastructure as a code solution.  Here you create templates for cloud infrastructure where everything is properly configured according to your baseline.

Developers can then use those templates to reduce the possibility of human error during configurations of new infrastructure. However, your cloud infrastructure can still be changed at a later date, so you still need to monitor for misconfigurations as you would for other software vulnerabilities.

Access Management

Ensure users are accessing cloud accounts with single sign on tools.  Plus consider assigning the same permissions at group or team level so no-one sneaks under the radar with an access they shouldn’t have.

Another consideration is to never use the root user if you can absolutely avoid it.  If this user were to be compromised, the system would be seriously vulnerable.  Check the credential reports from your cloud platform to check who has access to what and what they are doing. This can help you set up specific permissions if necessary.

Set Up Vulnerability Monitoring

Cloud networks need to be monitored and patched as much as on-premise networks do. As instances can be spun up and down so much more quickly in the cloud, you need regular monitoring to give you up to date information.

Log Everything

All cloud providers have logging facilities. It’s important to keep using these for all areas as someone could quickly and easily deploy something where you are not currently monitoring.  It’ll enable you to see what’s happening and whether there was any unauthorised access. Ensure this data is encrypted and no-one has access so nothing can be changed.

As cloud providers don’t monitor your on premise networks and remote workers, you’ll need to consider a 3rd party SIEM with threat detection capabilities such as Rapid7 InsightIDR or Alien Vault USM Anywhere.  This can then monitor your cloud and all other environments in one place. This will also help you monitor lateral movement.

Consolidate Your Team

When it comes to your IT team, ensure you have one unified team overseeing your security with clear accountability and responsibilities. Don’t separate this out to cloud and on premise or vulnerabilities will get missed.

Automate

As you can see, things in the cloud can move extremely quickly and humans can’t keep up. Therefore, automate where possible. The more you can automate, the fewer human errors you will get.

Data Storage & Microsoft 365

In order to maximise and enhance the security of the new cloud-based office, businesses must be aware of the shared responsibility of data.

Unfortunately businesses often incorrectly store their data in the same service and OS that operates the core aspect of their business such as Microsoft 365.

You need to back up data separately, to ensure there is a duplicate source available in case the original is compromised.  Your backup solution should also offer regular automated backups, rapid recovery and the capability to safeguard business continuity as well as meet compliance requirements (such as GDPR).  Barracuda Total Email Protection offers an all in one cloud based email security, with backup archiving and eDiscovery.

In summary, cloud-based offices are definitely our future with Gartner reporting 41% of employees planning to continue working remotely. However, this puts an immediate security concern on businesses as we are faced with increased risks of cyber attacks and ransomware threats.

Therefore, we need to put security at the top of our agenda and secure cloud infrastructure for remote workers, as we transition to long term remote working.  We need to be reassured that we have the sophisticated tools in place to monitor our networks, recover files from unexpected problems, and solutions in place to repair any damage.

Do You Evaluate Your Security Controls?

Tony MasonBreach & Attack Simulation, Enterprise Security

Do You Evaluate Your Security Controls?
How Secure Is Your Security Posture?

With many now working from home and businesses changing, are you sure your security controls are robust enough? When checking your security posture, be sure to ask the right questions.

The only way you can really see if your security controls are working effectively is to test them.  There are many tools available to do this.  However, you need to decide what you specifically want to know and how the findings are relevant to you at the moment. After that, you can choose the best tool for the job.

Typically, security teams use various testing tools to evaluate their infrastructure. According to SANS, 69.9% of security teams use vendor-provided testing tools, 60.2% use pen-testing tools, and 59.7% use homegrown tools and scripts.

Pen Testing

Vendor provided tools test for a specific security solution. Whereas pen testing is often used to check that controls meet compliance requirements, eg PCI DSS regulations. Automated pen tests are good at showing you whether an attacker can get in, highlighting the vulnerable pathways. However, they don’t always cover the entire kill chain.

They can imitate many threat actor techniques and even different payloads.  However, they typically don’t copy and fully automate the full Tactics, Techniques, and Procedures (TTPs) of a real threat actor.

Also, it is difficult to get consistent data from automated pen tests.  This is because they rely on skilled human pen testers, who typically have varying levels of expertise. 

Added to this, the sheer variety of pen-testing tools and different approaches can really complicate testing. An example of this can be seen with different attack vectors requiring different testing tools. These tools also tend to be weak at recognising vulnerabilities in business logic, which can skew results.

Pen testing is costly and requires a significant amount of advance planning. This means testing can often be restricted to only annually or half yearly. In addition, organisations can still be slow to respond accurately to immediate threats even with automated pen tests.  This is because pen-testing takes time to scope, conduct, and analyse. 

The SANS poll found that most respondents test their controls quarterly at best.

However, as we know, the real-world threat landscape is evolving every day. This means cyber criminals have lots of time to exploit any gaps or weaknesses in between each pen test.

Security Questions To Ask

According to Cymulate, if you want visibility into the effectiveness of security controls – right here, right now – you’ll have additional questions that pen testing cannot easily answer:

  • Are your controls working as they are supposed to work, and as you expect?
  • Are interdependent controls correctly generating and delivering the right data? For example, are your web gateway, firewall, and behaviour-based tools correctly alerting the SIEM when they detect suspicious activity?
  • Have configurations drifted over time or been set incorrectly? For instance, are controls actively detecting threats, or were they left in monitoring mode?
  • If you have rolled out new technology or settings, how have they affected your security posture?
  • Are controls able to defend against the newest threats and variants?
  • Does your security defend against the latest stealth techniques, such as living off the land (LOTL) fileless attacks by sophisticated attackers?
  • Do you have visibility into security outcomes that require both human processes and technology?
  • Is your blue team able to identify and respond effectively to alerts?

Breach and Attack Simulation (BAS) Tools

Automated Breach and Attack Simulation (BAS) tools enable you to answer these questions.

BAS complements point-in-time testing to continually challenge, measure, and optimise the effectiveness of security controls. BAS is automated, allowing you to test as needed, and the best solutions assess controls based on the latest malware strains and threat actor TTPs—without having to assemble teams of security experts.

Organisations are using BAS to:

  • Simulate attacks without jeopardising production environments
  • Simulate attacks across the full kill chain against all threats, including the latest attacker TTPs
  • Test continuously with the flexibility to target specific vectors, infrastructure, and internal teams for awareness against the latest threats
  • Automate simulations for repeatability and consistency
  • Conduct testing at any time interval—hourly, daily, weekly, or ad hoc with results in minutes
  • Identify gaps and evaluate controls against the MITRE ATT&CK framework
  • Remediate security posture and the company’s exposure using actionable insights

As the threat landscape changes daily and the attackers continue to up their game, you and your executive team need assurance that controls across the kill chain are indeed delivering the protection you need – every day, every hour, or every moment.

Cymulate, Breach & Attack Simulation (BAS)

For a growing number of organisations, BAS is delivering the continuous security control and cyber risk assessment data needed to achieve that goal.

Cymulate is a Breach and Attack Simulation (BAS) platform that lets you protect your organisation at the click of a button. Operating thousands of attack strategies, Cymulate shows you exactly where you’re exposed, and how to fix it.

During the Coronavirus Pandemic, our security controls are currently more vulnerable with many of our workforce working from home, with home VPNs, and more distractions etc.

To help, Cymulate are currently offering 60 days Free use of their license, no strings attached.  Please get in touch to take advantage of this offer and test your security now.  It may bring up some surprises, but better earlier rather than later.

Tel: 01628 362 784  Email: sales@s3-uk.com