
    The top 6 things CISO needs to do to…

    Whether you are a CISO actively pursuing a cloud security transformation or a CISO supporting a wider digital transformation, you are responsible for securing information for your company, your partners, and your customers.

    Enabling a successful digital transformation and migration to the cloud by executing a parallel security transformation ensures not only that you can manage risks in the new environment, but also that you can fully leverage the opportunities cloud security offers to modernize your approach and net-reduce your security risk.

    To secure your organisation from cloud transformation risks, CISOs should channel their efforts in the following 6 major areas:

     

    Build and sustain a security culture that transcends all deployment and technology models

    Cloud adoption offers the CISO both opportunities and risks. A significant business driver for cloud adoption is to accelerate development and time to market, with reduced time to release and between releases. Cloud also offers organisations the opportunity to partially outsource some roles, for example hardware and network architects. Cloud adoption offers organisations the option to dispense with legacy perimeter-based security models and embrace new security paradigms such as Zero Trust. Speed and simplicity should not compromise security. Regardless of model, driver or paradigm, you need an appropriate security culture. The following principles are universally applicable, in the cloud, on premise or hybrid:

    • Secure by design, secure by default
    • Follow a risk based approach
    • Security is your responsibility, not someone else’s
    • Everyone needs to be security and risk aware
    • It’s not if but when you will have a security incident
    • You need a structured and sustainable approach to security
    • You need a continuous improvement mind-set
    • Don’t reinvent the wheel – use existing frameworks, standards, controls such as ISO27001, NIST, Cloud Security Alliance (CSA) and Common Controls Framework (CCF)

     

    Research and verify your cloud provider’s capabilities and collaborate

    Understanding a cloud vendor’s in-cloud security capabilities is important both in cloud vendor selection and in terms of your strategy to secure your services in that particular tenancy. It’s safer to assume your cloud provider does not provide the security controls you require until your due diligence activities prove otherwise. You need to consider the basic security functionality of the vendor, e.g. access controls, authentication, encryption, etc. You should consider the vendor’s security philosophy, e.g. whether secure by design, secure by default, etc. You also need to review features such as data retention and backup plans, disaster recovery capabilities, and data residency options and features. You should assess the vendor’s commitment to security in terms of their current and historic investment, their security innovation, the maturity and rating of their own in-cloud security features, and their partnerships and alliances. Just because a vendor has a cloud native security technology baked into their cloud offering does not mean that particular security technology is good or effective. So look to truly independent ratings and assessments of security technologies to select the most appropriate technology and vendor for your cloud security needs. Be careful of “security award” type ratings. The commercial operations behind some of these award-type ratings can compromise the independence and objectivity of their assessment or review content.

    Understanding the responsibilities your cloud providers have, and the responsibilities you retain, is important. Equally so are the methods you will use to assure the responsibilities that both parties have, including working with your cloud service provider to consume solutions, updates and best practices so that you and your provider have a “shared fate”.

    Review carefully the cloud vendor’s policies, service level agreements and contracts with respect to security. Consider security across the whole cloud lifecycle, e.g. selection, proof of concept, on-boarding, BAU operation, change management, crisis management and exit.

    Major cloud vendors typically no longer allow discrete due diligence on the part of customers, such as security audits and penetration testing of their services. Organisations typically need to rely on accreditations and 3rd party security audit and testing reports commissioned by the vendor. CISOs need to satisfy themselves that these are adequate in scope, frequency and completeness for their needs, covering not just certification compliance audits and penetration tests but also disaster recovery tests, customer service audits, incident response reporting etc.

     

    Focus on security management and inter-operability

    Most organisations will have multi-cloud and hybrid cloud solutions. You need to be able to manage your cloud estate from a security perspective, both operationally and economically. Best of breed, cloud native, vendor-specific, highly innovative security solutions rapidly lose their value and security effectiveness to a CISO if they cannot be easily managed and cannot interoperate with other security technologies and security management solutions. Organisations are striving, where feasible, for “single pane of glass” visibility and a single or small number of solutions for policy management, security administration, security operations, reporting, monitoring and response. Given factors such as increased risks, threat actors, incident costs and sophistication of attacks, cyber security skills shortages etc., organisations are also looking for increased security automation and response. Disruptive solutions that don’t neatly fit these requirements need to be critically assessed to see whether the disruptive/innovative nature of that security solution adds sufficient value to justify the likely extra security management overheads that the CISO and their staff may incur in utilising them.

     

    Transferring security risks

     As services are moved into infrastructure as a service (IaaS) hosting models, the business assumes less direct risk regarding hardware provisioning. The risk isn’t removed, instead it’s transferred to the cloud vendor. Should a cloud vendor’s approach to hardware provisioning provide the same level of risk mitigation, in a secure repeatable process, the risk of hardware provisioning execution is removed from corporate IT’s area of responsibility and transferred to the cloud provider. This reduces the overall security risk that corporate IT is responsible for managing, although the risk itself should still be tracked and reviewed periodically.

    As solutions move further up the stack to incorporate platform as a service (PaaS) or software as a service (SaaS) models, additional risks can be avoided or transferred. When risk is safely moved to a cloud provider, the cost of executing, monitoring, and enforcing security policies or other compliance policies can be safely reduced as well. CISOs need to assure themselves of the competence, capability and risk management of the vendors as well as the details of the contracts, service levels and insurances in order to ensure that these risks are actually transferred and managed.

     

    Focus on knowledge, skills and quality assurance to minimise Cloud Security misconfiguration risks

    Rapid new cloud, multi-cloud, shadow IT adoption coupled with rolling cloud development and releases increase the likelihood of cloud misconfigurations that can compromise your security. According to the Fortinet 2021 Cloud Security Report, 67% of surveyed cybersecurity professionals stated that misconfigurations remain the most significant cloud security risk facing their companies. This is because when a user or team specifies settings that fail to provide adequate cloud data security, attackers can exploit those misconfigurations to compromise or steal data. Misconfigured cloud-based resources create risks for critical environments that can result in unexpected costs and disrupted services.

    Ease of purchase and apparent ease and speed of deployment and configuration often means that your own or 3rd party administrative or development resources are not adequately trained or experienced on designing, deploying or operating appropriately hardened services.

    Threat actors increasingly target misconfigurations as part of their attacks because misconfigurations let them move laterally within an organization’s infrastructure. This should be top of mind for CISOs as they look to secure their organization’s cloud environments.

    To address this CISOs should focus on ensuring that:

    • You use an appropriate secure systems development lifecycle (SSDLC) to risk assess and specify security requirements, to ensure secure design, secure by default deployments and change, and to ensure that quality control and testing cover security as well as functionality and performance.
    • Your own and any 3rd party resources involved in design, deployment, development, administration and support of cloud services have appropriate security, secure administration, secure development and secure support skills and experience in each of the relevant cloud vendors that they service. Most vendors have a range of accredited training for architecture, design, administration, development, operations, support and security of their cloud services. Ensure resources have appropriate accreditation, but also look at their experience and their performance against service levels, including security service levels.
    • You perform regular audit and testing pre-deployment and during operation to identify and remediate security weaknesses and misconfigurations.
    • You deploy appropriate security technologies and controls as well as 3rd party solutions commensurate with appropriate remediation of identified risk.
    • You perform regular security operations such as security monitoring, vulnerability management, security auditing, backup and disaster recovery testing etc.

     

    Evolving your security architecture and how security roles are performed

    In addition to working with new collaborators in your cloud service providers, your security organisation will also change how it works from within. While every organization is different, it is important to consider all parts of the security organisation, from policies and risk management to security architecture, engineering, operations and assurance, as most roles and responsibilities will need to evolve to some extent. There most likely will be a need for rapid acquisition of new security skills. Your security models and frameworks may also need to change, e.g. to SecDevOps, to reflect the shortened release cycles and deployment models. Similarly, there may be new security paradigms such as Zero Trust, cloud native SIEM/XDR with integrated SOAR, adaptive authentication etc. that you may wish to exploit in your cloud services.

    Some of these paradigms may be adaptable across your multi vendor and hybrid environments and thus may result in a paradigm shift across your whole digital estate. Some may not and thus you may need to operate different paradigms in different environments and manage user and customer experiences as well as administrative, operational and support models accordingly.

    Your transformation to cloud security is an opportunity to rethink your security-operating model. How should security teams work with development teams? Should security functions and operations be centralized or federated? As CISO, you should answer these questions and design your security-operating model before you begin moving to the cloud. Our whitepaper helps you choose a cloud-appropriate security-operating model by describing the pros and cons of three approaches.

    Each organization’s cloud strategy is tailored to its own needs, meaning that no one-size-fits-all approach to security exists. Most companies use more than one cloud service provider to mitigate the potential for a single point of failure.

    For example, organisations may use different cloud providers for:

    1. Data backup
    2. Application resiliency
    3. Disaster recovery
    4. Global coverage

     

    Supporting this, the Fortinet cloud security survey found that:

    73% of organizations are pursuing a multi- or hybrid cloud strategy

    33% of organizations are running more than half of their workloads in the cloud

    56% of organizations will be running more than half their workloads in the cloud over the next 12-18 months

    The cloud provides the scalability, integration, and business continuity capabilities that companies need. While many will continue to maintain an on-premises presence, hybrid accounts for more than one-third of deployments.

    Organisations operate in a diverse and expanded digital landscape. Because of this, CISOs and security teams often struggle to manage and secure the various private and public cloud workloads and environments. Despite the benefits of multi-cloud adoption, the current strategies and multiple tools add extra layers of management complexity. And they only become more complex when organizations add cloud services in an ad hoc manner, creating management and operational challenges that also increase operational costs.

    On top of this, few IT teams have the expertise needed to manage a hybrid deployment that includes multiple public clouds, private cloud, and on-premises environments, leaving CISOs struggling to get ahead of any potential issues.

    Ward Solutions is a full service, full security lifecycle provider. If you don’t have the right manpower, tools and expertise then consider partnering with a Security consultancy and managed cloud security service provider with the knowledge and skills to help supply or augment your CISO, Security engineering and security operations resources. Talk to us today to see how we can help.

     

     


    The top 6 things CISOs should be doing to…

    Every organisation works or partners with key suppliers to provide non-core services or resources to their organisations. Supply chains are often large and complex. Securing your supply chain is important. Disruption or compromise to your supply chain may affect your brand, your revenue, core business operations, your customers, your staff, and legal, regulatory and contractual compliance. To protect your organisation from supply chain risks, CISOs should channel their efforts in the following 6 major areas:

    1. Clarify your CISO supply chain scope

    Supply chain security is a whole-of-business issue, not just an IT issue. CISOs rightly have a specific role in managing the risks associated with IT and digital related suppliers and services. It is very important to agree with the enterprise risk and procurement roles within your organisation the exact scope of CISO responsibility for supply chain assurance and controls. Grey areas such as shadow IT services, building management systems, and integrated or managed services needing to “plug in” to your enterprise infrastructure services such as network, remote access, email, API access etc. need agreed demarcation points.

    You also need a process for selecting, assuring, on- and off-boarding, operating and managing changes to suppliers. Shadow IT SaaS services also need particular CISO attention, business awareness and compliance. Ensure you generate awareness of supply chain risk, the need for processes and controls within your organisation, and what your standard requirements and policies are.

    2. Use risk and maturity assessment based approaches

    Security budgets, time and personnel are all scarce resources. You need to ensure that you are spending wisely, optimising your security controls’ effectiveness. One of the best methods to prioritise your efforts and spend is to use a risk-based approach. Supply chain risk management should be part of your organisation’s overall enterprise risk management process. Use risk management tools to identify high-risk, high-impact suppliers and target your efforts and security controls to mitigate those risks first. High-risk, high-impact suppliers from a cyber-risk perspective are not always key strategic suppliers to your business. So you need to be mindful, for example, that a relatively low-profile HVAC supplier credential compromise was the ingress point to the Target retail network in the US, resulting in one of the largest data breaches in history.

    You should use recognised processes and methodologies such as ISO28000 (specification for security management for the supply chain), ISO31000 for risk management and ISO27001 for Information Security Management, coupled with maturity models such as CMM and CPNI to rank or rate supplier information security and suppliers’ personnel capabilities. You also need a reasonably deterministic way of assessing your IT and digital suppliers based on parameters relevant to your organisation, such as the value and sensitivity of the information or assets which they process, hold, supply or have access to.

    3. Know your suppliers and the risks they pose

    In order to properly risk assess, you need to know who your suppliers are. You need to work with procurement and risk functions so that you have a comprehensive inventory of existing suppliers and your team is part of the process for identifying existing and new suppliers and services of relevance to your CISO supply chain scope. Using the methodologies above, you need to assess the capabilities and the security arrangements of your suppliers and their sub-suppliers. Also assess whether your own CISO and IT organisation are a supplier to your organisation and to your own customers, and ensure that you enforce and meet any requirements that you are asking your supply chain to meet on your own service supply. This consistency helps ensure your controls and standards are relevant and your whole organisation is familiar with your standard.

    • Know the critical information assets your suppliers supply or have access to

    You need to know, from your overall enterprise risk assessment, the inventory and classification of your information assets and the controls to be applied to manage the risks you have identified to these assets. Your supplier due diligence then needs to assess which suppliers have access to these assets and their capability maturity. You then assess and define the controls they apply or propose applying to these assets to determine whether they are adequate or not.

    You need to know and understand the sensitivity of the contracts you are or will be letting, and the information assets impacted by these contracts and suppliers.

    4. Establish workable supply chain controls

    Set supply chain security goals. Clearly communicate both your minimum and desirable security requirements and supplier responsibilities at procurement stage. Ensure security requirements and capabilities are appropriately weighted metrics in your evaluation, selection and renewal criteria and in supplier contracts. Control your supply chain by establishing the right to audit and any reporting requirements. You should have regular interaction, visibility and reporting of BAU and exceptions from suppliers as to their security status prior and in addition to conducting any supply chain security audits.

    Security controls only work, in your own or any third party organisation, when they meet Specific, Measurable, Achievable, Realistic, Timely (SMART) criteria. Some controls may not be economic to implement, and other risk management mechanisms such as transference (insurance) or acceptance of the risk may be required.

    Consider whether it is necessary to integrate your suppliers into your cyber security incident handling and response processes. If this integration is required, then ensure that the supplier understands their roles and responsibilities in this process. Identify whether any systems integration is needed in your IR process (e.g. helpdesk etc.) and ensure that contact matrices are fully documented and kept up to date. Consider whether suppliers need to be exercised and tested as part of any incident response rehearsals that you perform.

    5. Systematically operate controls

    Define processes for on-boarding of suppliers, and for continuous monitoring and validation of, in particular, high risk, high priority suppliers. Aim for consistency and sustainability of compliance with your supply chain controls and service levels over the lifecycle of supply. Identify conformity and reward consistently compliant suppliers. Remediate non-conformity by either allowing the supplier to improve their performance or terminating and substituting with a better performing supplier. For newer suppliers or immature suppliers you may need to train and provide guidance, tools and processes to assist with controls. Ensure you have mechanisms for regularly reviewing your risks and modifying your controls as appropriate to remediate newly identified risks. Your supplier contracts need to cater for re-assessment and changes to required controls. For critical suppliers you should have resilience and redundancy in your supply chain. Best practice is to ensure regular contract renewals at appropriate intervals with reassessment of risks and improvement to existing supplier capabilities and value add.

    Establish continuous improvement and consider initiatives such as supplier collaboration, security information and threat intelligence sharing, outputs of after action reviews etc. to promote better understanding of emerging supply chain attacks.

    6. Validate, Trust, Validate

    For newer supply relationships you may wish to satisfy your organisation as to the supplier’s conformance and performance through references and independent audits prior to and shortly after on-boarding. Once a pattern of performance and compliance is established, you may be able to “trust” this supplier, depending on self-reporting with more limited or less frequent audits. For problem suppliers you may need audits that are more regular and increased self-reporting. For critical suppliers you may need higher levels of assurance, regardless of “trust”. In the event of supply chain compromise or non-conformance, you may need to either terminate or replace. Alternatively, you may default back to lower levels of “trust” with higher levels of audit and reporting until an appropriate equilibrium is re-established. Supply chain breaches, similar to any breach, should always have an after action review and an assessment of the issue/vulnerability across the entire supply chain, with appropriate risk management and control adjustments as required.


     


    Security Advisory – Spring users face two new zero-day…

    What is ‘Spring’?

    The Spring Framework is an open-source application framework that provides infrastructure support for developing Java applications. A framework is a large body of predefined code to which developers can add code to solve a problem in a specific domain.

    Vulnerability Overview

    CVE-2022-22963 (CVSS 9.8 (Unofficial) – Critical) – Remote code execution in Spring Cloud Function by malicious Spring Expression

    A Critical severity vulnerability impacting Spring Cloud Function versions 3.1.6, 3.2.2 and older unsupported versions was disclosed publicly on March 28th.

    In Spring Cloud Function 3.1.6, 3.2.2 and older versions, when using the routing functionality, it is possible for a user to provide a specially crafted SpEL expression as a routing-expression that may result in remote code execution and access to local resources.

    CVE-2022-22965 (CVSS – 8.1 – High) – Spring Framework RCE via Data Binding on JDK 9+ “Spring4Shell”

    A High severity vulnerability was responsibly reported to VMware on 29th March. A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. Spring Framework versions 5.3.0 to 5.3.17 and 5.2.0 to 5.2.19 are reported as being vulnerable. Older, unsupported versions are also affected.

    It is worth noting that certain prerequisites must be met for Spring4Shell to be exploitable. For the Spring4Shell vulnerability, those who use the following may be at risk:

    • Java Development Kit 9 and higher
    • Spring-Beans package
    • Spring parameter binding
    • Spring parameter binding using non-basic parameter types like POJOs

    Recommendation – Prevention

    • Apply appropriate vendor patches
    • (CVE-2022-22965) If you’re using the Spring Framework, upgrade to versions 5.3.18+ and 5.2.20+.
    • (CVE-2022-22963) If you’re using the Spring Cloud Function library, you must upgrade to 3.1.7+ or 3.2.3+ to prevent an RCE attack.
    • Ensure NGEN Firewall / IPS has appropriate signatures
    • Ensure EPP/EDR policies are set to block all types of malware from executing
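As an added example (not Ward’s tooling or Spring’s own code), the following Python check flags Maven dependencies whose versions fall inside the affected ranges given in the advisory above and names the fixed release on the same line. The artifact-to-CVE mapping and the sample dependency list are my assumptions; the version ranges and fixed versions come from the advisory text.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges (inclusive) as stated in the advisory above. "Older,
# unsupported versions are also affected" is covered by starting at 0.0.0.
ADVISORY = {
    "CVE-2022-22965": {  # Spring Framework RCE via data binding ("Spring4Shell")
        "ranges": [((0, 0, 0), (5, 2, 19)), ((5, 3, 0), (5, 3, 17))],
        "fixed": {(5, 3): "5.3.18", "default": "5.2.20"},
    },
    "CVE-2022-22963": {  # Spring Cloud Function RCE via SpEL routing expression
        "ranges": [((0, 0, 0), (3, 1, 6)), ((3, 2, 0), (3, 2, 2))],
        "fixed": {(3, 2): "3.2.3", "default": "3.1.7"},
    },
}


def cve_for(group: str, artifact: str) -> Optional[str]:
    """Map a Maven coordinate to the advisory entry it falls under.

    Assumption (mine, not from the advisory): every org.springframework:spring-*
    artifact (spring-beans, spring-webmvc, spring-webflux, ...) carries the
    Spring Framework version, and every spring-cloud-function-* artifact
    carries the Spring Cloud Function version.
    """
    if artifact.startswith("spring-cloud-function"):
        return "CVE-2022-22963"
    if group == "org.springframework" and artifact.startswith("spring-"):
        return "CVE-2022-22965"
    return None


def parse_version(text: str) -> Optional[Version]:
    """Return (major, minor, patch), or None when the string is not a version.

    Accepts both '5.3.17' and the older '4.3.30.RELEASE' layout. Anything
    else (unresolved ${property} placeholders, 'unknown') is reported rather
    than silently treated as safe.
    """
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def fixed_version(cve: str, version: Version) -> str:
    """Recommend the patched release on the same minor line where one exists."""
    fixed = ADVISORY[cve]["fixed"]
    return fixed.get(version[:2], fixed["default"])


def check_dependency_list(lines: List[str]) -> Dict[str, List[dict]]:
    """Scan `mvn dependency:list` output (group:artifact:type[:classifier]:version:scope).

    Returns the coordinates inside an affected range, with the upgrade target,
    plus the in-scope coordinates whose version could not be parsed.
    """
    report: Dict[str, List[dict]] = {"vulnerable": [], "unparsed": []}
    for raw in lines:
        tokens = raw.replace("[INFO]", "").split()
        if not tokens:
            continue
        fields = tokens[0].split(":")
        if len(fields) < 5:
            continue  # banner text, not a dependency line
        group, artifact, version_text = fields[0], fields[1], fields[-2]
        cve = cve_for(group, artifact)
        if cve is None:
            continue
        coordinate = f"{group}:{artifact}:{version_text}"
        version = parse_version(version_text)
        if version is None:
            report["unparsed"].append({"coordinate": coordinate, "cve": cve})
        elif any(lo <= version <= hi for lo, hi in ADVISORY[cve]["ranges"]):
            report["vulnerable"].append({
                "coordinate": coordinate,
                "cve": cve,
                "upgrade_to": fixed_version(cve, version),
            })
    return report


# Constructed sample in the layout `mvn dependency:list` prints; not a real build.
SAMPLE_DEPENDENCY_LIST = [
    "[INFO] The following files have been resolved:",
    "[INFO]    org.springframework:spring-beans:jar:5.3.17:compile",
    "[INFO]    org.springframework:spring-webmvc:jar:5.3.18:compile",
    "[INFO]    org.springframework:spring-core:jar:4.3.30.RELEASE:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-function-context:jar:3.2.2:compile",
    "[INFO]    org.springframework.cloud:spring-cloud-function-web:jar:3.1.7:compile",
    "[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile",
    "[INFO]    org.springframework:spring-jcl:jar:unknown:compile",
]

if __name__ == "__main__":
    result = check_dependency_list(SAMPLE_DEPENDENCY_LIST)
    for finding in result["vulnerable"]:
        print(f"{finding['cve']}: {finding['coordinate']} -> upgrade to {finding['upgrade_to']}")
    for finding in result["unparsed"]:
        print(f"{finding['cve']}: {finding['coordinate']} -> version not parseable, check manually")
```

Unparseable versions are listed separately on purpose: a placeholder or unresolved property in a build is a gap in the inventory, not evidence that the artifact is patched.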

    Spring has released a critical update for its system in the wake of vulnerability being discovered. Cybersecurity company Praetorian has also issued advice to technical teams to help them spot and block dangerous code.

    Recommendation – Detection

    For those hosting applications using Spring, you can detect this vulnerability by:

    • Performing vulnerability scanning on your environment, prioritizing the network perimeter
    • Monitoring and performing threat hunting activities

    As an application developer, you can detect this vulnerability at three different phases of the application lifecycle:

    • Build Process: Use an image scanner to analyze the contents and build process of a container in order to detect security issues, vulnerabilities or bad practices.
    • Deployment Process: By implementing image scanning on the admission controller, it is possible to admit only workload images that are compliant with the scanning policy to run in the cluster.
    • Runtime Process: Using a runtime detection engine tool like Falco, you can detect attacks that occur at runtime when your containers are already in production.

    If you believe you are affected or vulnerable based on the criteria above, consider shutting down a service if it is exposed to the internet, and follow our recommended prevention actions.

    For Managed Service customers, the Ward Support team will be reviewing individual environments and making recommendations on appropriate patching for all supported devices, where applicable.

    A list of indicators of compromise has been added to all Ward SIEM tenancies to detect threat activity. This is being updated as more are published.

    If you would like additional information or would like support in assessing and protecting your environment:

    For managed services customers, they can contact our service desk via https://servicedesk.ward.ie or by phone:

    or alternatively for those with formal support agreements contact your account manager, as appropriate.

    Please share this information with any other IT professionals that you are working with.



    Why Every Company Needs A SOC…

    Historically, the security operations centre (SOC) was needed only by the largest corporations and was a particularly heavyweight function. These days, however, more and more organisations see the need for a SOC so that they can detect and respond to threats in real time – and they look substantially different today than in the past.

    That’s because, in today’s world, everybody’s a target. Malicious actors and rogue nation-states can launch large numbers of attacks in no time at all, putting small organisations just as much at risk as large ones. Even organisations that aren’t targeted directly can suffer as collateral damage in a larger attack or as a route into a third party. For small organisations, the cost of a breach could be in the millions, so protection is vital.

    The SOC doesn’t have to be a huge undertaking. These days, a modern SOC can be delivered by a Managed Security Services Provider (MSSP) using tools such as next-gen SIEMs (Security Information and Event Management) and EDR (endpoint detection and response). Increasingly, the most forward-looking organisations are integrating their SOC with their network operations centre (NOC). The resulting SecOps will be at the cutting edge over the next few years. This article explains the journey necessary to get there.

    What is a SOC and why do you need one?

    Asked to imagine a typical SOC, most people will picture a physical facility with people at banks of computers, facing a wall of screens filled with network and system data. The sort of complex, expensive facility reserved for a tier-one bank, government organisations or NASA.

    A SOC is a facility where security staff defend against breaches and identify and mitigate security risks. The analysts and security specialists staffing the SOC monitor everything from governance, risk and compliance (GRC) systems to intrusion prevention and detection systems to next-generation firewalls.

    Although SOCs were once large and expensive, the proliferation of the cloud and services supplied by third parties has made the technology more affordable. Just as security becomes a more widespread concern, the SOC has become more accessible. Organisations of all sizes are at risk today and therefore need to implement better security measures.

    The SOC is no longer necessary for just the regulated sectors or those handling sensitive data. Helping to increase accessibility is the fact that a SOC no longer needs to be a physical facility. These days, the SOC can be virtual and its staff remote. Some organisations set up a managed or hybrid SOC, combining in-house people and tools with expertise from a managed service provider.

    SIEM: The tech that pulls your SOCs up

    Every SOC faces challenges, and two notable ones are visibility and noise. First, a centralised SOC might not have visibility across the organisation: some endpoints might not be connected to the SOC, for example, encrypted data might be inaccessible, and so might data from third parties. On the other hand, the data that does come in can be overwhelming. Security analysts can spend large amounts of time dealing with false positives, and the sheer amount of data can make it easy to miss actual alerts.

    SIEM tooling can deal with both problems by filtering data to produce actionable insights across security tools, endpoints, cloud services and even SaaS applications.

    Next-generation SIEM uses machine learning and advanced analytics to sift through huge amounts of data, reducing false positives and lowering alert fatigue. That frees analysts to spend more time on more pressing or complex threats. The number of sources from which next-gen SIEMs gather data and the intelligent processing they apply mean that they detect incidents that less advanced systems miss, such as insider threats and data exfiltration. They can also automate tasks, such as finding unused credentials for employees who have left the organisation or quarantining malware in a sandbox. The SIEM develops a smart baseline for what normal network activity looks like, which means it identifies anomalies more quickly.


    The road to SecOps

    Of course, having advanced tools like this in place is no use if organisational structure stops them from being effective. The security team was once viewed as an obstacle by operations, and in some organisations it still is. While operations is focused on up-time and performance, security can often be seen as slowing things down. This is the wrong approach, and attitudes are changing.

    Increasingly, we are seeing that, at an organisational level, security is treated as an integral requirement like up-time or performance. It is no longer an afterthought: security considerations are baked in rather than added on at the end of a project. Analysts communicate with Ops about threats and incidents, while Ops can use the SOC for advice and guidance. In DevOps organisations, security can be involved even earlier.

    The resulting SecOps (or DevSecOps) environment is more proactive and, with both teams working together, they can diagnose and address problems much more quickly.

    Security has gone beyond simply installing the right tools and has become part of the modern trend towards entirely new approaches that require new skills. For many organisations, especially smaller ones, the rate of change is too fast for them to train or hire people with the necessary skills. They might not even be able to justify a security hire, despite the essential need to keep the organisation safe.

    What does a next generation SOC look like?

    Not all SOCs are equal. When looking for a SOC provider, you need to select one that is built on the right people, has mature processes, is aligned with next-generation technologies and can deliver capabilities such as rapid detection and response, user risk detection and complex advanced threat detection.

    The answer is to find a third party that can handle this for you. Managed services providers can deliver the entire SOC for you or fill specific gaps in your coverage. This means that someone is always focused on securing the cloud, leaving you to focus on what you do best.

    Ward Solutions delivers a next generation SOC capability that addresses the needs of all clients, from small and medium sized enterprises to large multinationals and government agencies. Using advanced SIEM and EDR tools, our 24×7 SOC delivers rapid detection and speedy response to the internal and external threats that are so prevalent today.

    For more information, view our security services here. If you have any specific queries, get in touch with our expert team today.

    News

    Pat Larkin’s opening statement to Houses of the Oireachtas,…

    Pat Larkin spoke yesterday to the Houses of the Oireachtas committee on Transport and Communications to address the cyber security risks to Ireland arising from the war in Ukraine. After listing the risks Ward has advised our clients of, Pat took the opportunity again to appeal to the committee for “a much more comprehensive, robust, better-resourced, highly innovative national cyber security strategy, integrated as part of our national security strategy to protect Ireland.”

    You can watch him address the Oireachtas committee in this video:

    Or read his opening statement below.

    Chairperson, Committee Members, it is my pleasure to attend, give an opening statement and answer any questions you may have today.

    The last time we were here, you asked contributors about the emerging trends we saw in the cyber realm affecting our clients and what was required to mitigate such threats. This last hearing took place in the ominous shadow of the HSE cyber-attack. Since then cyber-warfare threats have escalated in a manner and in a timeframe which has blindsided the majority.

    On foot of the Ukraine invasion, Ward Solutions notified our clients in our situational security advisories of what we believe to be significantly increased risks:

    • Increased criminal activity capitalising on emotive curiosity arising from the war.
    • Increased cyber militia activity from both global and local activists, attacking Russia, Ukraine or Western countries with commensurate direct or collateral damage and the associated problems with attribution and blame.
    • Increased nation state activity responding to current geopolitical objectives. For example cyber actions as part of hybrid warfare, malicious reaction to sanctions and counter strikes to actual or perceived nation state cyber activity.
    • Failure of risk transference mechanisms, such as cyber insurance, arising from policy exclusions for cyber events originating from nation state activities or acts of war.
    • Attacks and disruption to near stream and downstream supply chains of national and global critical national infrastructure (CNI) providers such as finance, health, utilities, telecoms, cloud/SaaS, transportation etc.
    • The lack of capacity issue for already stretched cyber service providers to support wide scale attacks.
    • Accelerated segregation (“cyber-balkanisation”) of the Internet.

    We continue to advise our clients on actions that should be undertaken, based on urgently revising risk assessment, mitigation and security operation plans. This encompasses increasing awareness, increasing security controls, performing basic and advanced cyber security tasks better, and testing and rehearsing incident response and disaster recovery. We have advised our clients of the need to maintain a hyper-vigilant security posture for the long term, planning their programs and resources accordingly.

    Out of the tragedy and adversity of the Ukraine invasion, where Ireland is not politically neutral, and previously the HSE cyber-attack, where Ireland was at that time in a politically neutral state, we can now see that neither aligned nor non-aligned status offers us effective protection from nation state, militia or criminal cyber-attacks.

    On a daily basis, Ward Solutions continues to deal with ever growing operationally and financially crippling cyber-criminal activity against our clients, regardless of the current geo-political situation.

    Once again, I am appealing to this committee and to anyone that will listen, advocating the need for a more comprehensive, robust, better-resourced, highly innovative national cyber security strategy, integrated as part of our national security strategy to protect Ireland. We have started the journey and made some inroads, but we are nowhere near the levels of protection required for this decade and the rate at which the threats are developing. Time is of the essence. We have seen malevolent nation state activity for over 15 years. Ireland has been hit both directly and indirectly. National cyber security strategy, practice, capacity, resources, research and capability are not something that you can switch on in days and weeks in response to a specific crisis. It requires deliberate planning and constant adaptation to extract short and long-term success. This strategy is needed to protect our society, citizens, public, private services and our prosperity. If well executed, it will also bring very significant economic benefit to Ireland, the direct cyber security market being estimated to be worth $270 BN by 2026. There is a significant digital sector, which is heavily cyber security dependent. An effective National Cyber Security strategy offers multiple levels of pay back, not only funding the strategy, but also returning real profits in terms of investment, jobs, export revenue, corporate taxes from the direct cyber security sector and from the cyber security dependent sectors.

    The state’s role in this strategy should be that of leader, coordinator, enabler, incubator and accelerator.

    I am also a board member of Cyber Ireland, whose chairperson and cluster manager presented to you during 2021. Cyber Ireland have been steadily working to coordinate the triple helix of Industry, Government and Academia in order to make Ireland a Cyber Security Global leader, over the last 4 years. As part of our work, Cyber Ireland recently commissioned an international expert study of the Cyber Security sector in Ireland and will be launching this study and an accompanying sectoral policy paper in May 2022. Both will be submitted to this committee. We believe these will be invaluable to your considerations on Ireland’s cyber security strategy.

    Thank you for the opportunity to make this statement today.

    News

    Five Mistakes To Avoid When Securing a Hybrid Network

    Most organisations today operate on a hybrid network. According to Gartner, the recent shift to a remote workforce has had a lasting impact on networks. “Through 2024, organisations will be forced to bring forward digital business transformation plans by at least five years as a survival plan to adapt to a post-COVID-19 world that involves permanently higher adoption of remote work and digital touch-points.” [1]

    However, today’s hybrid networks make centralised visibility and control increasingly difficult to achieve, especially when an organisation does not have a central security strategy in place. Instead, organisations have deployed an average of more than 45 security tools across their network, most from different vendors, and each incident they respond to requires coordination across 19 different solutions. Such complexity inevitably leads to poor visibility, limited control, and exploitable security gaps. [2]

    Consolidation and integration of networking and security are the best strategies for addressing such overly complex environments. Deploying a common next-generation firewall (NGFW) platform as the backbone of a unified security strategy enables end-to-end visibility, ease of management and control, and consistent enforcement across the network. But selecting the right solution can be daunting, and there are several critical mistakes IT leaders need to avoid.

    Five Common Mistakes When Securing Hybrid Networks

    Mistake 1—Over-rotating to a cloud-based solution. Some organisations are considering replacing their traditional security with a secure access service edge (SASE) solution. However, few organisations have a cloud-only environment in place. The reality is, most have—and will continue to own and operate—a hybrid network. Over-pivoting to a cloud-only security strategy ignores the needs of those users working on-premises in local campuses.

    According to Gartner, “Classic data center edge firewall designs are not obsolete and must be maintained in support of traditional inbound data flow patterns and residual outbound connections from internal users that remain on-site in campus environments or at large branches.” [3]

    Mistake 2—Ignoring the importance of the on-premises data center. For a variety of reasons, many organisations simply can’t move critical services from the data center to the cloud. But many of its applications need to remain available for external customers and corporate users, reinforcing the importance of traditional, on-premises firewalls.

    The Gartner report confirms this approach, as well as acknowledging challenges related to cloud provider security solutions. “Private and public cloud operators offer native solutions for firewall, WAF, distributed denial of service (DDoS) and ADC.” “A significant minority of organisations consider these offerings to be immature when compared to third party vendor solutions and sometimes deploy network virtual appliance (NVA) versions of these third-party solutions directly in public cloud IaaS instances.” [4], [5]

    Hybrid networks need a security solution designed to operate natively in any environment—protecting all edges consistently, seeing and sharing threat intelligence across the network, and delivering coordinated security enforcement anywhere. That starts with a common network firewall platform deployed at every network edge: campus, data center, branch, private and public clouds, and as a cloud-based service for remote and mobile workers.

    Mistake 3—The “Best-of-Breed” myth. There is a mistaken belief that a best-of-breed approach provides better security at the edge. Instead, such an approach usually leads to product sprawl, resulting in an overly complex network and isolated security architectures that can’t effectively share threat intelligence. This defeats the very purpose of building a strong security posture— point solutions can never provide the same level of visibility and security as those designed to work together. Only integrated security ecosystems, built around the premise of sharing actionable threat intelligence, can provide robust, coordinated, and timely responses to cyber events.

    A unified system is always more secure than the sum of its components. For example, how would a best-of-breed approach handle the case of a user with a compliant laptop who then inserts an unauthorised USB thumb drive? Most isolated network security devices have no way to detect or respond. But an endpoint detection and response (EDR) solution designed to collaborate with other security systems can inform the NGFW about this policy violation, which can then provide policy enforcement, such as isolating the device or removing it from the network. This is only possible with a security ecosystem approach built around a common security platform, where actionable threat intelligence is shared across all security devices, and policy can be enforced wherever it is most effective.
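    The USB scenario above is really a statement about shared state: the firewall can only act on what it can see, and an endpoint event is invisible to it unless the EDR publishes it into a context both systems read. The following added Python example models that exchange; it is illustration for this page, not any vendor's fabric, API or rule syntax, and the hosts, tags, telemetry records and rule set are all constructed.

```python
"""Added example: endpoint telemetry enriching a network policy decision.

Not the article's or any vendor's code. The shared tag store, the EDR
record shape, the rule set and all hosts below are constructed.
"""
import copy
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    host: str
    ip: str
    tags: set = field(default_factory=set)


class SharedContext:
    """Tag store read by the firewall and written by EDR / NAC (constructed)."""

    def __init__(self):
        self.by_ip = {}

    def register(self, ep: Endpoint):
        self.by_ip[ep.ip] = ep

    def tag(self, ip: str, label: str):
        self.by_ip[ip].tags.add(label)

    def tags_for(self, ip: str) -> set:
        return self.by_ip[ip].tags if ip in self.by_ip else set()


def edr_ingest(ctx: SharedContext, telemetry):
    """EDR observes a removable-media mount the network device never sees
    and publishes a tag the firewall can match on."""
    for rec in telemetry:
        if rec["type"] == "usb_mount" and not rec["device_allowed"]:
            ctx.tag(rec["ip"], "policy_violation:removable_media")


PROTECTED = {"finance-db"}   # constructed set of protected destinations


def decide(ctx: SharedContext, src_ip: str, dst: str) -> str:
    """Ordered rules; first match wins. Quarantine beats any allow."""
    tags = ctx.tags_for(src_ip)
    if any(t.startswith("policy_violation:") for t in tags):
        return "quarantine"            # isolate: remediation segment only
    if "compliant" in tags and dst in PROTECTED:
        return "allow"
    return "deny"


FLOWS = [("10.0.1.20", "finance-db"), ("10.0.1.21", "finance-db"),
         ("10.0.9.9", "finance-db")]           # constructed flows

TELEMETRY = [                                  # constructed EDR records
    {"type": "usb_mount", "ip": "10.0.1.20", "device_allowed": False},
    {"type": "usb_mount", "ip": "10.0.1.21", "device_allowed": True},
]


def run():
    """Compare the firewall's view before and after EDR shares its finding."""
    ctx = SharedContext()
    ctx.register(Endpoint("lap-01", "10.0.1.20", {"compliant"}))
    ctx.register(Endpoint("lap-02", "10.0.1.21", {"compliant"}))
    firewall_alone = copy.deepcopy(ctx)        # only NAC compliance tags
    edr_ingest(ctx, TELEMETRY)                  # EDR enriches the shared view
    return {
        "before": {s: decide(firewall_alone, s, d) for s, d in FLOWS},
        "after": {s: decide(ctx, s, d) for s, d in FLOWS},
    }


if __name__ == "__main__":
    for phase, decisions in run().items():
        print(phase, decisions)
```

    With only its own view, the firewall keeps allowing the laptop that just mounted an unapproved drive; once the EDR tag lands in the shared context the same rule set quarantines it, while the host using an approved device and the unknown host keep their original decisions. The point the article makes is that the second outcome needs no new firewall feature, only a context both products write to and read from.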

    Mistake 4—Not thinking holistically. Evolving hybrid architectures expand the attack surface, reducing visibility and increasing risks. Compounding the problem further, the volume of encrypted traffic is estimated to soon reach 95%. [5] However, most network firewalls are unable to inspect encrypted traffic while maintaining the performance levels today’s applications require. So how do you secure a network when you only have real visibility into 5% of your traffic? IT leaders need to choose an NGFW solution that can operate at scale across the network without getting bogged down with compute-intensive operations like secure sockets layer (SSL) decryption, threat detection, and automated remediation. This begins with a solution designed to support the latest encryption standards, like TLS 1.3, while ensuring existing TLS 1.2-based communications are not broken. Beyond visibility, the real challenge in future-proofing your security is selecting a solution able to learn about the state of dynamically changing resources scattered across the network and then adapt in real time. This is especially challenging when your security strategy needs to include multi-cloud. Not considering how various clouds are built and configured can pose a nightmare for normalising security policy across different cloud providers. Therefore, reasonable care must be taken to select an NGFW solution capable of learning about the ever-changing state of private and public cloud resources and then delivering consistent end-to-end security across this hybrid IT architecture for a strong and consistent security posture.

    Mistake 5—The risk of implicit trust. Traditional flat networks focus on preventing attacks from the outside but give attackers lots of latitude once the perimeter has been breached. Organisations need to consider an NGFW solution able to provide security beyond the edge by reducing the attack surface through network segmentation to prevent the lateral propagation of north-south threats and micro-segmentation to prevent east-west proliferation.

    In addition to dynamically segmenting the network to prevent lateral movement, an NGFW must also dynamically adjust levels of trust by monitoring behaviour through tools like user and entity behaviour analytics (UEBA). And it must be able to reduce or revoke trust if a user or device begins to behave suspiciously. It must also integrate with zero-trust access (ZTA) and zero-trust network access (ZTNA) solutions to control access to network resources, down to granular per-application segmentation. And it must also manage the proliferation of headless devices, like Internet of Things (IoT) or Industrial Internet of Things (IIoT), by seamlessly integrating with a network access control (NAC) solution to ensure that every device, application, and transaction is accounted for and secured.

    Hybrid Networks Need a Network Firewall Designed for Today’s Digital World

    Hybrid networks require an NGFW designed to provide consistent protection, visibility, and control across even the most distributed and dynamic environments. This requires selecting a solution designed to operate at any edge, in any form factor, to seamlessly integrate networking and provide consistent policy enforcement, centralised policy orchestration, real-time intelligence sharing, and correlated threat response. By enabling security policies and enforcement to follow applications and workflows end to end, organisations can enjoy broad visibility and control across their continually changing networks while ensuring optimal user experience for today’s work-from-anywhere reality.

    [1] Gartner, “Forecast Analysis: Remote and Hybrid Workers, Worldwide,” Ranjit Atwal et al., June 2, 2021 (p. 1).
    [2] Kim Samra, “IBM Study: Security Response Planning on the Rise, But Containing Attacks Remains an Issue,” IBM, June 30, 2020.
    [3] Gartner, “How the Shift From Firewall Appliances to Hybrid Cloud Firewalling Will Change Selection Criteria,” Aaron McQuaid, March 10, 2021 (p. 1).