
    The top 6 things CISO’s should be doing to…

    The Ukraine war, together with Russia’s long-standing status as a malevolent nation state cyber actor and an ambivalent host for cyber criminals, means that organisations face significantly increased cyber risk from direct and indirect cyber activity. It is highly likely that the current covert, relatively low-grade nation state cyber activity will switch to overt, high-intensity cyber activity as the war and sanctions escalate. Organisations should remember that the collateral damage from Russia’s last cyber playbook in Crimea, NotPetya, is estimated to have cost the global economy over $10BN. Cyber-criminal activity is already looking to exploit the high level of interest in and uncertainty about the war. Hacktivists are lining up as both loosely and tightly aligned groups of cyber militia on both sides, attacking Ukraine, Russia and the West.

    To protect their organisations, Ward Solutions recommends that CISOs channel their efforts into the following 6 major areas:

    Optimising your human firewalls – the human firewall, from an organisation’s executives and IT admins to its accounts payable clerks, is consistently its greatest weakness when poorly engaged and its greatest strength and defence of last resort when hyper-vigilant and educated. Ward consistently sees organisations’ best-of-breed security control technologies defeated by relatively simple social engineering, phishing or other targeted, people-based attacks. Targeted, relevant awareness and education are now more important than ever to ensure that your people are well educated and defensively engaged. In our experience, segmenting your messages, activities and audiences into relevant groupings such as board, executive, management, technical, operational, finance and supply chain, with messaging and tactics relevant to each group and encouraging collaboration, sharing, transparency and lessons learned, offers better results in terms of sustainable security effectiveness.

    Updating your risk registers and remediation plans – now is the time to rapidly update and revise your enterprise risk register with new or revised risks, likelihoods, impacts and remediation based on current circumstances and the environment. Risk transference mechanisms such as cyber insurance may now invoke exemptions for acts of war and nation state events. At a minimum, CISOs need to check what cover, if any, applies. If insurance exemptions apply, then CISOs need to inform their boards and risk committees and rethink with the organisation how these risks now need to be addressed.

    Expanding the scope of their supply chain risk assessments to include a robust review of CNI impact – now is the time to revise and consider the risks and impact to your organisation from your close-in supply chain, such as equipment, raw material and general service providers. CISOs also need to consider the impact on their organisation and its supply chain of the significantly higher likelihood of attacks on, disruption to and outages of critical national infrastructure (CNI) locally, regionally and globally, covering providers of services such as power, water, telecoms, transportation, healthcare, cloud and media/communications, as the war and sanctions escalate.

    Reducing your circle of friends, acquaintances, levels of access and trust. Now is the time to consider geo-fencing and blocking, by default, inbound and outbound communications from your systems and networks, not just for affected regions but for any regions that you have no cause to do business or strategically communicate with. In the past this may have caused some limited disruption and inconvenience to end users and may not have been politically correct. However, extraordinary times require extraordinary measures. CISOs should also consider implementing rules, controls and enhanced security between your key suppliers, customers and partners only, effectively closing your networks dramatically and implementing enhanced security such as VPNs, email security such as DKIM, DMARC and IBE, and enhanced and adaptive authentication such as MFA. Internally, you also need to review the levels of access that both technical and non-technical people have to systems and networks, and consider reducing their scope to the minimum required rights, with increased levels of validation and authentication for access and change.

    Shields up and hunt likely threat scenarios – CISOs should also consider increasing levels of monitoring, alerting, triage and response so that they can reduce their exposure time. Their organisation will need to be tooled up to respond to and investigate these heightened levels of alerting and monitoring, as otherwise this simply becomes dead noise. Organisations with high exposure to targeted nation state attack, e.g. critical national infrastructure providers, should assume that they are compromised, model likely threat scenarios, including scenarios based on the Russian hybrid warfare playbook in Ukraine, and conduct targeted threat hunting, e.g. for the wiper software used to attack Ukrainian institutions at the beginning of the current war, and for other relevant threat scenarios.

    Get your organisation into the Incident Response Cyber Gym. CISOs should be updating their incident response plans immediately. Stacks of policies and procedures are useless unless the people tasked with decision-making are fit and have the muscle memory of what actions to take and when. CISOs can run tabletop exercises on likely incident scenarios now to train and build the required muscle memory in the key people in your incident response plans. CISOs should also consider testing and rehearsing their disaster recovery and business continuity plans now.

    Steeling their organisation for the long game. It is unlikely that this crisis will de-escalate any time soon. Arguably, the geopolitical balance has shifted permanently and the direct and covert weaponisation of cyber is here for the long term. CISOs would do well to ensure that their organisations are ready to sustain this heightened level of risk, remediation and incident response into the long term. CISOs’ workload is already high, so they may need to build capacity into their governance, risk and security operations teams to help protect and steer their organisation into this new order. As we know, cyber-skilled resources have been in short supply for the last 5 years. CISOs should innovate quickly to bring right-minded people from partners or from other disciplines and parts of their organisations into their teams and bring them up to speed quickly.


    Ward Solutions is a full-service, full security lifecycle provider. If you don’t have the right manpower, tools and expertise, then consider partnering with a security consultancy and managed cloud security service provider with the knowledge and skills to supply or augment your CISO, security engineering and security operations resources. Talk to us today to see how we can help.

    News

    Ward Solutions advisory: increased cyber risks arising from the war in Ukraine.

    Situation

    Previous state-backed, criminal and cyber militia cyber operations from the Eastern Europe region have already caused significant disruption to Irish and European organisations over the last decade. Ireland has already posted a strong diplomatic response to the war in Ukraine and seems set to participate in international sanctions. Ireland has an active, high-profile role in the United Nations as a member of the UN Security Council. Ireland hosts a significant amount of global cloud and social media vendor services and data in data centres on our island. Ireland is a significant part of the transcontinental internet fabric, with strategic fibre optic cables originating, terminating or transiting via our coastline and island. Thus Ireland, the Irish Government, Irish FDI and indigenous organisations have a relatively high profile in the geopolitical response and may suffer direct or indirect cyber-related fallout from this war. Ward Solutions are therefore advising that there is a significantly increased cyber risk to organisations, consumers and citizens from:

    • Increased criminal activity looking to capitalise on people’s fear, emotion and news-seeking arising from the war.
    • Increased cyber militia activity from activists either looking to attack Russia, Ukraine and other former USSR states or looking to attack Western countries, and commensurate direct or collateral damage arising.
    • Increased nation state activity in response to current geopolitical objectives, malicious reaction to sanctions, and counter-strikes to actual or perceived nation state cyber activity.
    • Cyber insurers have recently moved to include exclusions in their policies for cyber events arising from nation state activities or acts of war. There is a risk that organisations assume they are insured for all cyber incidents, when in fact such exclusions may apply to events arising in current circumstances.

    Aside from the direct risk to your own organisation, we recommend that your organisation consider the potential impact of the increased probability of attacks on and disruption to national and global critical national infrastructure (CNI) providers such as:

    • power
    • telecom
    • water
    • cloud/SaaS
    • finance
    • healthcare

    Recommendations

    Ward’s primary recommendations in light of the current situation are as follows:

    Generate increased awareness across your organisation of the potential increased and additional risks from board level to end user.

    Reassess the risks, your risk register and your mitigation strategies, if appropriate, based on the new geopolitical situation and the increased or additional risks we have identified in this advisory.

    Check your cyber insurance cover, limits and exclusions.

    Further reduce the likelihood of a damaging cyber event to your organisation. Assuming, you already have normal best practice cyber security recommendations in place, consider these measures in addition:

    • Consider geo-fencing or GeoIP blocking (inbound and outbound communications) for regions that you don’t regularly or normally communicate with, in particular Russia, Ukraine, former USSR states, China, North Korea and Iran, but also other states and regions.
    • Consider reducing levels of privilege and access to the minimum required.
    • Secure your Active Directory according to best practice guidelines: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
    • Ensure that your vulnerability scanning and patching are as up to date, per vendor and best practice frameworks, as is practical.
    • Implement multi-factor authentication (MFA) on all remote access and cloud-based services.
    • Disable all ports and protocols not essential for business purposes.
    • Stay up to date with the latest threat intelligence and national cyber security recommendations: https://www.ncsc.gov.ie/

    Take steps to quickly detect any potential intrusions – assuming you have active security monitoring in place:

    • Consider implementing increased thresholds for alerting and monitoring on higher-priority systems and services. Only do so if you can respond to and appropriately assess the increased volume of alerts.
    • Allocate additional resources to monitoring, auditing, analysing and triaging alerts and incidents.
    • Confirm the levels of coverage and update, and retest the effectiveness of policies and configurations on your endpoint and gateway anti-virus and anti-malware technologies. Consider augmenting any legacy signature-based technologies with next-generation AI/ML technologies that offer protection, detection and remediation capabilities in the event of endpoint compromise.

    Be ready to respond effectively to cyber incidents when they occur

    • Revise your crisis response team and update your incident response plans and playbooks to make sure they are current, relevant and incorporate the additional risks identified above.
    • Consider exercising the incident response team in a tabletop exercise to rehearse your roles, responsibilities and playbooks.

    Increase your organisation’s resilience

    • Revise your backup and disaster recovery plans in light of the new and increased risks identified above. Plan for worst-case scenarios.
    • Test your backup and recovery plans.
    • Be aware of recovery times and plan for business operations in the event of significant time to recover.
    • Reassess the location of backup and recovery services and vendors in light of likely geopolitical fallout. Consider moving to locations or vendors less likely to be impacted.
    • Prioritise finite resources to focus on business-critical services first.
    • There is a global shortage of cyber security resources and capable incident response providers. If you need to source additional services, we recommend putting service contracts and service level agreements in place in advance, rather than waiting for an incident to occur before trying to source such services, as they are unlikely to be available at short notice.


    Review your supply chain risk

    • Review any suppliers to determine whether they have critical risk or exposure to Russia, Ukraine or Eastern Europe generally.
    • Review any suppliers to determine whether they or their products and services may be subject to undue influence from a nation state, in particular Russia, and are thus at risk of compromise of integrity, privacy or continuity of supply, or of being used as a possible means of ingress to your or your customers’ networks, systems and data.
    • Review your suppliers to determine if they or their operations are at particular risk of targeting by nation state activity.
    • Consider mitigation solutions to address any significant risks arising from the above, including:
      • putting in place alternative suppliers and services
      • asking providers to change the location of their operations
      • asking suppliers to demonstrate their contingency or disaster recovery plans

    Ward Solutions anticipates that the current situation and its risks are likely to exist, develop, fluctuate and continue into the medium term.  Any strategies or measures that you adopt will need to be sustained in this timeline.


    How Can Ward Help?

    For Managed Service customers, the Ward Support team will be reviewing individual environments and making recommendations on appropriate patching for all supported devices.

    For all other customers, if you would like additional information or would like support in assessing and protecting your environment, please contact support@ward.ie or your account manager, as appropriate.

    Further Reading:

    https://www.ncsc.gov.ie/

    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory


    News

    Case Study: The Aviva Stadium

    The Aviva is renowned as a world class International Stadium where a variety of events including soccer, rugby, concerts, and business conferences are hosted.

    A spokesperson from the Aviva said: “We make extensive use of information technology to support our operations across the stadium. These include ticketing, CCTV, IPTV, broadcasting access control, lighting, Office applications, power and fire. We know we face the threat of cyber attacks just like any other organisation. These could be in the form of a phishing attack or ransomware or fraud, and we realise that we could be at risk during one of our international events.”

    The cyber-security threat facing stadium operators is very real and in many ways very similar to the threat facing any organisation, although a stadium has its own specific technologies and applications. When we at Ward Solutions first engaged with the Aviva Stadium, it was clear they had put in place a strong cyber defence strategy, but they also recognised that they needed to strengthen their preventive controls.

    They turned to our security experts at Ward Solutions and our IBM Q-Radar offering because they wanted a managed service provider who could collect security event data from various sources, analyse it and provide them with 24/7 monitoring capability.

    At Ward Solutions, we are a leading cyber-security provider, specialising in managed security services. We’ve been an IBM expert partner for over 10 years specialising in their Q-Radar products and services. For Aviva Stadium, we’ve put in an extended threat detection and response solution based on the Q-Radar platform, whereby we source security data from a range of devices everywhere from endpoint to cloud. We enrich this with threat intelligence and volume data as well. That allows us to build those use cases to detect and respond to cyber-security threats that they may be facing.

    Cyber-security is something that the Aviva Stadium take very seriously, and they are very conscious of the threat, in particular the threat to high-profile businesses such as their own. They engaged Ward Solutions, in conjunction with IBM Q-Radar, to assist in managing the cyber threat.

    Aviva Spokesperson: “It’s something that’s very much on our agenda, and it’s very important to our business, and we’re very happy with the service that we’ve received.”

    News

    The Rising Threat of Ransomware: Top 10 Tips for…

    The risk of a cyber security attack on your business has never been greater. Massive changes in working practices over the past couple of years have moved the security goalposts. With staff working from home, employers have been forced to bring in new cloud-based productivity tools virtually overnight. 

    This momentous upheaval has seen changes in technology use at breakneck speed, allowing little or no time to consider the full implications for security. As a result, companies have become far more vulnerable to attack. 

    At the same time, the attack model has changed. Individual hackers, whose sole aim is to cause disruption, are no longer the biggest threat. They have been superseded by organised gangs of criminals out for financial gain. This has led to a huge surge in ransomware attacks that are both highly sophisticated and highly destructive.  

    But what exactly is ransomware and what can you do to keep it at bay? 

    In this post, you’ll learn just that. 

    We’ll show you how to reduce the risk of a ransomware incident before looking at how you can minimise the impact of an attack in the event it does happen.

    What Is Ransomware?

    Ransomware is a specific type of malicious software that denies a victim access to their data and other IT resources until they pay the attacker a ransom. By far the most common type of attack works by encrypting data and withholding the encryption key needed to decrypt it. 

    However, other methods include distributed denial-of-service (DDoS) attacks, where a hacker floods your servers with spurious requests to connect to your services, overwhelming resources and making it impossible for your systems to function normally. They will then send you a message demanding a ransom to end the attack. 

    Another form of ransomware is doxware, where an attacker threatens to expose sensitive data, which could severely harm an organisation or individual. 

    No-one is immune to ransomware – with targets ranging from individuals and small businesses right through to large-scale enterprises and public institutions.  

    Phishing emails, which contain malicious hyperlinks or attachments, are the most widely used method of initiating an attack. Employee negligence and poor user practices are also widely exploited by ransomware attacks. 

    Should I Pay the Ransom?

    The short answer is no. Ransomware payments aren’t the best use of IT budgets, company capital or insurance funds. But it can seem like the only, or even the most cost-effective, option for companies who are caught out; if paying did not happen often enough, criminals wouldn’t be pursuing ransomware to make money.

    You must remember that you’re dealing with criminals, and by paying, you’re proving their business model and encouraging further attacks.  

    Even if you do pay, there’s no guarantee you’ll get your data back. Criminals can easily demand more money to release data they know is sensitive or high-value. 

    Finally, depending on the country you’re based in, it may be illegal to pay a ransom. There’s an ongoing debate around this and around what governments should or shouldn’t do to support and protect organisations affected by cybercrime.

    Ransomware Protection Measures

    The following are the most important first steps any company, whatever the size, should be taking to minimise the risk of a successful ransomware attack. 

    1. Use Endpoint Detection and Response Software (EDR) 

    EDR is an advanced form of threat protection, which is often confused with antivirus software. However, antivirus products are generally designed only to protect against known threats, whereas EDR is able to detect and respond to many new forms of attack as and when they happen.

    EDR works by collecting data from workstations and other endpoints, and using that information to detect the signs of malicious behaviour.  

    Since the sudden shift towards remote working, EDR has become increasingly more important, as hackers seize the opportunity to exploit weaknesses in endpoint devices to get their foot in the door. 

    2. Follow the Principle of Least Privilege (PoLP) 

    The PoLP is an approach to IT security whereby you grant each user the minimum level of access to the data and resources they need to perform their role. For example, a member of staff may need to access personal data as part of their duties but doesn’t need to change anyone’s personal details. You should therefore grant them permission to read such data but not to modify it. 

    The PoLP can help lower the risk of a ransomware attack that starts with social engineering techniques such as phishing emails: if a hacker manages to steal an employee’s login credentials, it doesn’t necessarily mean they’ll have sufficient privileges to launch an attack.

    3. Implement a Strong Password Policy 

    Password files are favourite targets for hackers. Although the passwords contained within password files are hashed, which makes them unintelligible, attackers have a number of tricks up their sleeve to crack them. However, the longer and more complex your passwords are, the harder they are to crack. 

    So it’s essential you enforce strong passwords by imposing a minimum length and requiring at least one number, uppercase letter, lowercase letter and non-alphanumeric character. That way, in the event someone stole your passwords, it would be very difficult for the perpetrator to crack them. 

    You should also rotate passwords as part of a robust password policy. In other words, you should prompt users to change their passwords periodically. This effectively limits the time attackers have to crack your passwords and make use of them.

    4. Enable Multifactor Authentication (MFA) 

    If your systems support MFA, where users must go through an extra verification step such as entering a one-off code sent to their phone, you should enable it as soon as possible. 

    MFA acts as a layer of defence by putting up another barrier for an attacker to overcome to get into your systems. 

    In addition to one-time codes via SMS, other forms of MFA include: 

    • authenticator apps for desktops and mobile phones 
    • physical U2F security keys, which connect via Bluetooth or plug into your USB port 
    • login confirmation codes delivered to your email address 
    • biometric authentication, such as fingerprint, facial and voice recognition 

    5. Keep Software Up to Date 

    Software updates and patches contain fixes to vulnerabilities that attackers can exploit at any time. So you should apply them to your software and operating systems as soon as they become available. 

    But always remember to take backups before installing updates so you can quickly recover if you encounter issues such as a system crash or loss of critical functionality. 

    In cases where you cannot tolerate any downtime, you may need to administer updates in a test environment first in order to check for any potential problems before rolling out to your live systems. 

    6. Raise Security Awareness 

    According to joint research by Stanford University and email security provider Tessian, human error was the root cause of nearly 90% of all security incidents. The study also revealed that the younger generation were more vulnerable to phishing attacks – with 25% saying they’d clicked on a phishing link compared with just 8% of employees over the age of 51.

    Your users are the weakest link in the security of your systems. So it pays to nurture a culture of security within your business.  

    Enrol employees on a security awareness course and back it up with your own advice about security best practices. If you periodically remind them of everyday risks, such as sharing removable media, clicking on malicious links and using public Wi-Fi services, you’ll be far less vulnerable to a ransomware attack. 

    Business Continuity and Disaster Recovery (BCDR) Measures 

    In addition to robust security procedures and processes, you should also have measures in place to get your business back on its feet as quickly as possible in the event of a successful attack. 

    This is what business continuity and disaster recovery (BCDR) sets out to achieve. 

    Whatever the nature of the disruption, whether through a ransomware attack, power cut, hardware failure, human error or unforeseen adverse event, BCDR will help ensure rapid recovery of IT systems and mission-critical data with minimal disruption and cost to your business. 

    The following steps are integral to a well-designed BCDR plan. 

    7. Follow the 3-2-1 Backup Rule 

    You should never just rely on a single backup copy of your data. 

    Restores can fail. Not only that but more advanced ransomware attacks also target your backups. 

    To ensure adequate protection you should follow the 3-2-1 backup rule whereby you maintain two local copies, your production data and a backup copy on a different medium, and another copy stored to an offsite service. 

    The local backup will be immediately available for simple and fast recovery. However, it will also be more vulnerable to attack. 

    The offsite backup, on the other hand, will be air-gapped from your on-premises systems. Hackers will therefore find it more difficult to attack, as they’ll likely need additional access credentials and also supplementary network information to locate it. This will be particularly so if you use a cloud backup service. 

    8. Take Immutable Backups 

    An immutable backup is a copy of your data that cannot be modified, encrypted or deleted. It uses locking technology that prevents anyone, including users with admin privileges, from making such changes until the end of a specified retention period. 

    Consequently, you can be confident you can always recover from a ransomware attack or any other type of data protection incident. 

    Immutable backup solutions are generally based on storage drives that use the WORM (write once, read many) format. They are available as both on-premises appliances and cloud-based offerings. 

    9. Maintain Backup Hygiene 

    It could be some time between the moment an attacker first breaches your system and the point at which they actually trigger their attack. 

    During this period your backups will have also been infected. So make sure your backup system doesn’t just take copies of your data but also scans them for malware. That way, you can be sure they’re clean and safe to use whenever you need them. 

    And don’t forget to test your restore system on a regular basis, as you want to be sure it works properly when you need it and that backups are free from corruption or other problems that could prevent recovery. 

    10. Draw Up an Incident Response Plan 

    Recovery from a ransomware attack can be a huge undertaking, as you get services securely up and running while carefully purging them of all footprints left by an attack. 

    As part of your response, you may need to perform detailed forensic analysis to establish the full facts of the incident. If the attack carries a threat to the privacy rights of individuals then it’s likely you’ll need to report the crime to both the National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO). 

    In fact, you’ll have a lot of systematic steps to follow. 

    So it’s important to draw up an incident response plan so you’re properly equipped to deal with an incident. This should prioritise the recovery process. 

    For example, authentication services should be near the top of your list so users can immediately log back in once other services return. You should also prioritise internal email servers so staff can communicate with customers and each other as soon as possible.

    Be Prepared

    The best defence for any organisation is to be prepared for a ransomware attack. 

    Review your security. Tighten up your security. Put backup and recovery processes in place. 

    And if you don’t have the right manpower, tools and expertise then consider partnering with a managed cloud service provider with the knowledge and skills to help you. Talk to us today to see how we can help – we have a range of security experts well-versed in preventing, detecting and recovering from ransomware. Plus, we’re a friendly bunch who are always up for a chat, so why not kick things off right away?

    If you think you’re at risk, take action today. Because one thing is for sure.

    If you don’t take all these measures before an attack, you’ll definitely be doing so afterwards.

    News

    Viruses

    We are all moved by the recent ransomware attack in Ireland and, just as with COVID, we are all scared, don’t know what to think and may be panicking a bit. Cyber viruses and human viruses have some similarities and can be tackled in the same ways. We learned how to take on COVID, so we are here to teach you how to take on a ransomware attack.

    We need to think the same way as we were advised when COVID started spreading. We all know the guidelines to stop the spread of COVID:

    1. Stay calm

    2. Wash your hands regularly 

    3. Exercise regularly 

    4. Maintain your distance and a healthy balanced diet 

    5. Wear masks

    What we need to do with ransomware 

    1. Stay calm

    2. Scan your network regularly 

    3. Test your Disaster recovery plans and security incidents plans regularly 

    4. Maintain your network, e.g. firewalls, servers, user security audits, patching, refreshing old kit and regular backups

    5. Regular reboots and health checks to make sure you maintain the healthy status of your system 

    6. Look at SIEM, vulnerability management and threat detection 

    7. Protect your machines with solutions like Cylance, McAfee, Fortinet, EMS and FortiClient 

    If you get infected with COVID, we have been given guidelines to limit the damage and stop the spread. Again there are similarities in the response needed:

    1. Stay calm

    2. Isolate

    3. Call your GP

    4. Get tested

    5. Seek help if unable to breathe 

    And now let’s compare these tips to a ransomware malware attack

    1. Stay calm

    2. Isolate your network environment from the internet

    3. Call your support teams

    4. Inspect and test all your machines to see what the damage is and what got infected

    5. Seek help from a security expert to handle the situation

    What we are all missing:

    1. Stay calm

    2. Plan

    3. Do

    4. Check

    5. Act

    6. Educate your employees, neighbours, VIPs and clients regularly on the mistakes we all make

    We all need to learn to wear masks

    Now it is time to look at masks for your Environment 

    Talk to the Ward sales team about how we can help you

    News

    Using Ward Solutions BAS Service to Identify Missing or Misconfigured Security Logs

    The Challenge:
    SIEM platforms rely on the accuracy, quality and timeliness of logs to raise threat detection alerts. Keeping track of logs is not easy: configuration problems, software flaws, expired licences, outdated APIs and other causes can make log agents and collection software fail, and the complexity, scale and traffic of modern networks can also stifle data flow.

    The commonly adopted log validation technique today is largely based on detecting anomalies against pre-defined traffic data. This method cannot map traffic with genuinely harmful content, nor pinpoint the source of a log issue across a stack of multifunctional security controls. The inability to validate logs reduces the efficacy of Security Operations Centres (SOCs) and can make it harder to respond to alerts and events on time.

    Technical Use Case:
    Ward Solutions, with our partner Picus Security's Detection Analytics, helps identify security events that were detected or prevented by security controls but whose logs are not visible in the SIEM platform. By proactively detecting such flaws and maintaining a healthy log pipeline you can ensure that:

    • there are no alerting gaps caused by undiscovered security events generated by genuine attackers;
    • regulatory log collection obligations are not breached.

    Suppose no event logs are found in the SIEM after an attack. In that case, one of the following scenarios took place:

    Option 1: On the attack vector, all applicable security controls failed to identify the attack's TTPs. As a result, no log is created (please refer to the “Enhance your logging to have better visibility” use case).

    Option 2: The defences identify the attack TTPs, but the logging options are not enabled, or the delivery mechanism is not working.

    Option 3: Logging and delivery mechanisms are operational, but log delivery is delayed due to a configuration or network-related issue.

    Option 4: Logs are delivered to the SIEM but do not contain the right level of detail, so Picus Detection Analytics does not classify them as “log exists”.

    This use case identifies the situations described in Options 2, 3 and 4.
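The four options above are a decision procedure, and it helps to see it written out. The following is an added example, not Picus or Ward Solutions code: it takes a record of one emulated attack (its window and whether a control prevented it, as the Picus view reports) and the SIEM's events carrying the same correlation tag, and returns which option applies. The record layout, the `attack_id` tag, the `REQUIRED_FIELDS` set and the five-minute `MAX_DELIVERY_DELAY` are assumptions for illustration; the sample emulations and events are constructed, not captured from a real SIEM.

```python
"""Classify why an emulated attack is, or is not, visible in the SIEM.

Added example, not Picus or Ward Solutions code. The record layout, the
correlation tag, REQUIRED_FIELDS and MAX_DELIVERY_DELAY are assumptions
chosen for illustration; a real platform derives them per log source and
per emulated TTP.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumption: a log is only "useful" for this TTP if it carries these fields.
REQUIRED_FIELDS = {"src_ip", "dst_ip", "action", "signature"}

# Assumption: anything indexed later than this after the attack window
# closes is treated as a delayed delivery (Option 3).
MAX_DELIVERY_DELAY = timedelta(minutes=5)


@dataclass
class Emulation:
    attack_id: str         # tag the emulation agent stamps on its traffic
    start: datetime
    end: datetime
    prevented: bool        # did a control block it, per the agent's own view?


@dataclass
class SiemEvent:
    attack_id: str         # same tag, recovered from the SIEM record
    received_at: datetime  # indexing time in the SIEM
    fields: dict


@dataclass
class Verdict:
    attack_id: str
    option: int            # 1..4 as in the use case above, 0 = healthy
    log_status: str
    delivery_delay: Optional[timedelta] = None
    missing_fields: set = field(default_factory=set)


def validate(emu: Emulation, events: list) -> Verdict:
    """Map one emulation against the SIEM's view of it."""
    matching = [e for e in events if e.attack_id == emu.attack_id]
    if not matching:
        # No log at all. The prevention status tells the two silent cases
        # apart: if nothing stopped the attack, no control saw it (Option 1);
        # if it was stopped but nothing arrived, logging is off or the
        # pipeline is broken (Option 2). Assumption: "detected but not
        # prevented" is folded into Option 1 here.
        if not emu.prevented:
            return Verdict(emu.attack_id, 1, "no log, attack not prevented")
        return Verdict(emu.attack_id, 2, "prevented, but no log reached the SIEM")

    first = min(matching, key=lambda e: e.received_at)
    delay = first.received_at - emu.end
    if delay > MAX_DELIVERY_DELAY:
        return Verdict(emu.attack_id, 3, "log delivered late", delivery_delay=delay)

    missing = REQUIRED_FIELDS - set(first.fields)
    if missing:
        return Verdict(emu.attack_id, 4, "log lacks required detail",
                       delivery_delay=delay, missing_fields=missing)
    return Verdict(emu.attack_id, 0, "log exists", delivery_delay=delay)


# ---- constructed sample data (not captured from a real SIEM) -------------
T0 = datetime(2021, 9, 1, 10, 0, 0)
WINDOW = timedelta(minutes=1)
FULL_LOG = {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.9",
            "action": "blocked", "signature": "T1059.001"}

SAMPLE_EMULATIONS = [
    Emulation("E-1", T0, T0 + WINDOW, prevented=False),  # nothing logged, not stopped
    Emulation("E-2", T0, T0 + WINDOW, prevented=True),   # stopped, nothing logged
    Emulation("E-3", T0, T0 + WINDOW, prevented=True),   # logged 19 minutes late
    Emulation("E-4", T0, T0 + WINDOW, prevented=True),   # logged, fields missing
    Emulation("E-5", T0, T0 + WINDOW, prevented=True),   # healthy
]
SAMPLE_EVENTS = [
    SiemEvent("E-3", T0 + timedelta(minutes=20), dict(FULL_LOG)),
    SiemEvent("E-4", T0 + timedelta(minutes=2), {"src_ip": "10.0.0.5", "action": "blocked"}),
    SiemEvent("E-5", T0 + timedelta(minutes=2), dict(FULL_LOG)),
]


def run_demo() -> dict:
    """Return {attack_id: option} for the constructed data."""
    return {e.attack_id: validate(e, SAMPLE_EVENTS).option for e in SAMPLE_EMULATIONS}


if __name__ == "__main__":
    for emu in SAMPLE_EMULATIONS:
        v = validate(emu, SAMPLE_EVENTS)
        print(f"{v.attack_id}: option {v.option} ({v.log_status})")
```

The ordering of the checks matters: a late log is reported as Option 3 even if it is also thin, because a delivery problem affects every log from that source, whereas missing fields are usually a per-source parsing or verbosity setting. Run against a live SIEM the same function would be fed by a query on the correlation tag rather than the constructed list.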

    Picus Detection Analytics Overview

    Ward Solutions, with our partner Picus Security's Detection Analytics, queries SIEM platforms for the logs of the events generated by the IT infrastructure as a result of Picus threat emulations. Based on this query, the Picus user interface shows the journey of a threat end to end. This view (image 1), in addition to the attack history and description, contains:

    • Start and end time of the attack
    • Log status
    • Log delivery time, if the log is delivered
    • Alert status
    • Prevention status

    Findings related to the full attack spectrum are also listed, and users can narrow down the results by applying advanced filtering options (image 2). These options are:

    • Severity
    • Prevention results
    • Log Source
    • Integration Device
    • Alert Status

    You may already have sophisticated security logging and monitoring solutions. Their effectiveness is only as good as the log sources they capture, analyse, alert and report on. It is necessary to proactively and regularly validate that all appropriate log sources are delivered in a timely fashion, so that suspicious or malevolent activity in your infrastructure can actually be detected.

    Use Ward Solutions and our partner Picus Security's Detection Analytics platform to ensure:

    • initial log validation, e.g. after a SIEM deployment or after a significant network or infrastructure deployment, upgrade or change;
    • ongoing log validation: continuous validation to ensure ongoing logging and monitoring effectiveness;
    • ad hoc log validation in response to an event, e.g. an incident that was not alerted on appropriately.

    Contact Ward Solutions today to identify missing or misconfigured security logs:

    News

    Exciting New Development for Ward Solutions and our Customers

    Exciting News!
    Ward Solutions Limited has been acquired by Ekco, effective immediately

    Ward Solutions, one of the most well-established and well-respected information security consultancies and security managed service providers in the country, has been acquired by the Ekco group (www.ek.co), effective immediately. Over the course of 22 years, the company has built an extensive and high-profile client portfolio stretching across Ireland and the UK.

    Ward’s service portfolio includes the full cyber security lifecycle from governance and compliance strategy to pen testing, cloud security, managed security and incident response.

    Commenting on the deal, Pat Larkin, CEO of Ward Solutions said:

    “There is a very strong vision for Ekco that we want to be part of and which is consistent with our customer sweet spot.  When a customer has a crisis, they want a trusted partner who can work through that crisis by helping them recover and get their data back online.

    “Together with Ekco, we can continue to build loyalty to our customers and our people.  We can accelerate growth and leverage our resources to drive greater customer value and broader market reach.”

    Steve MacNicholas, CEO of Ekco Ireland said: “A key component of our growth strategy was to acquire a specialist organisation completely focused on cybersecurity. Having Ward as part of Ekco presents an immediate opportunity to further evolve Ekco’s value proposition and offer a wider range of highly complementary and in-demand security services to our customers and partners.”

    Ekco co-founder, Eoin Blacklock added: “The security and integrity of our customers’ data in the cloud is our primary objective. As the only pure cloud provider in Ireland, Ekco can now provide the full stack of Cyber Security Services in house.”

     

    News

    Ward Solutions – Helping you to Optimise your Threat Hunting Efficiency and Effectiveness

    Threat hunting, also known as cyberthreat hunting, is a proactive approach to identifying previously unknown, or ongoing non-remediated threats, within an organization’s network.

    In other words, threat hunting is the practice of looking through the network, endpoints and datasets for malicious, suspicious or risky activity that has evaded detection by existing tools, in order to neutralise or remove it and prevent it from getting in again.

    How threat hunting works

    Threat hunters are highly qualified, experienced cybersecurity professionals who establish a hypothesis, examine the environment by searching for all accessible evidence bearing on it, and finally form an opinion that verifies or refutes the hypothesis.

    Hypotheses are built from new intelligence, deviation from a baseline measure, a newly recognised TTP, an alert from detection technologies such as SIEM or EDR, or another sign in the network or the external environment. Because hunting resources are always limited, we need to help them deliver valuable work as efficiently and effectively as possible.

    The following are some examples of hunting hypotheses:

    • There might be APT29-related activity in my network.
    • The Sunburst malware first appeared in April of last year. There might be relevant events from April in our network.
    • Our endpoints may have been used to visit this malicious URL.
    • Some of our hosted applications may have connected to this malicious IP address.
    • A new Trickbot malware strain has been discovered in the wild. This new variant may already be in our environment.

    What problems does Ward Solutions Detection Analytics (DA) address?

    - Choosing and developing the right hypothesis

    What is the best hypothesis to start with, or to try next? The choice depends on several factors, both external and internal to the organisation. Changes in the threat landscape, the latest knowledge about a breach that occurred elsewhere, suspicious activity such as a file seen for the first time, changes in the environment and other factors might all trigger a hunt. Such triggers are plentiful, but security analysts who can hunt, and their time, are in short supply. With a high opportunity cost, coming up with the most applicable hypothesis is a big issue.

    - Data accessibility

    No matter how skilled or experienced a threat hunter may be, they must rely on the data available to find signs of a threat. Security analysts will be unable to reach a conclusion, or will reach a false-negative one, if detection technologies such as SIEMs and EDRs do not hold the relevant data or the logs lack the requisite level of detail.

    How does Ward Solutions Detection Analytics help?

    Ward Solutions delivers a breach and attack simulation service in partnership with Picus Security, whose toolset is a sophisticated and complete security control validation platform. This platform and Ward's service help an organisation identify the capacity, capabilities and limitations or weaknesses of its security infrastructure, and build a baseline of its infrastructure security. Any segment with a low baseline could indicate where malicious content or activity may be hiding or operating from.

    Threat samples in the Picus Library are presented with their unique identifiers, such as file name, MD5 or SHA256 hash. More importantly, the information provided on attack campaigns contains all of their TTPs, mapped to MITRE ATT&CK. Using this rich threat information, provided for more than ten thousand advanced threat samples, saves threat hunters significant preparation time and lets them trace the indicators with precision and speed, making them more efficient and effective.

    Ward Solutions Detection Analytics also aids in maintaining a strong log base and infrastructure. It enables SOC teams to keep a well-scoped, threat-aware log base on SIEMs and EDRs, continually updated to reflect changes in the adversarial landscape and the technology infrastructure. This is crucial because security analysts can only work with the information available to them.

    Blue Team content generated by Picus provides insight into the TTPs used by adversaries. Adversaries change indicators of compromise (IoCs) frequently.

    To hunt successfully and in a well-defined way, security analysts must go beyond IoCs and gain a thorough understanding of TTPs, which represent the real nature of hostile actions. However, evaluating TTPs and creating queries based on them takes significant time and effort.

    Security analysts acquire TTP context more easily thanks to detection content created by Picus Labs' specialised Blue Team engineers. Detection engineers develop, test and verify:

    • Sigma, a generic and open signature format for SIEM products;
    • vendor-specific rules for SIEMs (IBM QRadar, Splunk, Micro Focus ArcSight) and the EDR VMware Carbon Black. This coverage continually widens.

    Security analysts gain TTP knowledge from the Sigma and vendor-specific rules, which saves time and effort by helping them quickly grasp the adversary's playbook.
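The difference between hunting on IoCs and hunting on TTPs, as the two preceding passages describe it, is easiest to see side by side. The following is an added example, not Picus Labs detection content or Ward Solutions code: a minimal evaluator for a Sigma-style detection block (only the modifiers the rule uses) is run over constructed process-creation events, next to a plain hash lookup against a constructed IoC feed. The rule, the placeholder hashes, the field names and the events are all assumptions for illustration; none of it is taken from a real rule set or a real incident.

```python
"""Hash IoC matching versus a Sigma-style behavioural rule over process events.

Added example, not Picus Labs detection content or Ward Solutions code. The
events, hashes and the rule are constructed for illustration. The evaluator
implements only the Sigma modifiers used here (endswith, contains, and the
"all" list modifier) and the simplest condition form, "condition: <selection>".
"""

# Constructed IoC feed: the SHA256 of the sample as it was first seen.
# Placeholder values, not real malware hashes.
KNOWN_BAD_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111",
}

# Behavioural rule, written as the Python form of this Sigma detection block
# (Office spawning an executable out of the user's profile, a well-known
# initial-access pattern):
#   detection:
#     selection:
#       ParentImage|endswith: '\winword.exe'
#       Image|contains: '\AppData\'
#     condition: selection
OFFICE_SPAWN_RULE = {
    "selection": {
        "ParentImage|endswith": "\\winword.exe",
        "Image|contains": "\\AppData\\",
    },
    "condition": "selection",
}


def _compare(value: str, mods: list, needle: str) -> bool:
    # Sigma string matching is case-insensitive by default.
    v, n = value.lower(), needle.lower()
    if "contains" in mods:
        return n in v
    if "endswith" in mods:
        return v.endswith(n)
    if "startswith" in mods:
        return v.startswith(n)
    return v == n


def _field_matches(event: dict, key: str, expected) -> bool:
    name, *mods = key.split("|")
    value = str(event.get(name, ""))
    needles = expected if isinstance(expected, list) else [expected]
    # A list of values is OR'ed unless the "all" modifier is present.
    combine = all if "all" in mods else any
    return combine(_compare(value, mods, str(n)) for n in needles)


def sigma_match(rule: dict, event: dict) -> bool:
    """True when every field of the selected block matches the event."""
    selection = rule[rule["condition"]]
    return all(_field_matches(event, k, v) for k, v in selection.items())


def ioc_match(event: dict) -> bool:
    return event.get("sha256", "").lower() in KNOWN_BAD_SHA256


WINWORD = "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"

# Constructed process-creation events with Sysmon-like field names.
SAMPLE_EVENTS = [
    {   # A: original sample, hash on the feed, behaviour matches
        "id": "A", "ParentImage": WINWORD,
        "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.exe",
        "sha256": "1111111111111111111111111111111111111111111111111111111111111111"},
    {   # B: repacked variant, new hash, same technique
        "id": "B", "ParentImage": WINWORD,
        "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\update.exe",
        "sha256": "2222222222222222222222222222222222222222222222222222222222222222"},
    {   # C: benign, Word handing a PDF attachment to Reader
        "id": "C", "ParentImage": WINWORD,
        "Image": "C:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe",
        "sha256": "3333333333333333333333333333333333333333333333333333333333333333"},
    {   # D: known sample launched by hand from Explorer, not via Word
        "id": "D", "ParentImage": "C:\\Windows\\explorer.exe",
        "Image": "C:\\Users\\jdoe\\Downloads\\invoice.exe",
        "sha256": "1111111111111111111111111111111111111111111111111111111111111111"},
]


def hunt(events: list) -> dict:
    """Return {event id: (ioc_hit, ttp_hit)} for each event."""
    return {e["id"]: (ioc_match(e), sigma_match(OFFICE_SPAWN_RULE, e))
            for e in events}


if __name__ == "__main__":
    for eid, (ioc, ttp) in hunt(SAMPLE_EVENTS).items():
        print(f"{eid}: IoC {'hit' if ioc else 'miss'}, TTP rule {'hit' if ttp else 'miss'}")
```

Event B is the point of the passage: one repack changes the hash and the IoC lookup goes silent, while the behavioural rule still fires. Event D shows the converse, so the two are complementary rather than a replacement for one another. A production Sigma backend (sigmac, pySigma) compiles the same rule into the target SIEM's query language; the evaluator here is only enough to make the behaviour visible.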

     

    Contact Ward Solutions Today to See How We Can Help You Conduct Efficient and Effective Threat Hunting:

     

    News

    Using Breach Attack Simulation to make your SIEM more…

    Security Information and Event Management (SIEM) is an important tool for reducing cyber risk. Enterprises have been investing substantial sums in SIEM solutions, in both capital and operating budgets, for the past 15 years. Despite this, year after year, industry studies indicate that SIEM users are dissatisfied with their investments.

    SIEM solutions have been criticised for being difficult to manage, noisy and slow in detecting cyberattacks. Some of the problems are alleviated by concepts such as “intelligence-driven SOC”, “orchestration and automation” and “managed SIEM”, but they fall short of assuring a reliable, efficient and prompt detection rate.

    Proactive Validation: the Only Sensible Way

    Proactive validation is the only certain approach to using SIEM platforms efficiently. Constant, consistent and ad hoc validation based on genuine cyber-attack emulations helps identify holes in SIEM operations and opens up numerous possibilities for preventing real attacks.

    Enterprise-grade Breach and Attack Simulation (BAS) platforms take adversary emulation to another level from this perspective. BAS platforms:

    • use threat-centric analytics to identify detection gaps at the adversary behaviour level;
    • automate, and thus diversify, emulation across thousands of scenarios;
    • provide detection and prevention content for immediate risk mitigation;
    • make purple teaming a repeatable capability.

    BAS Empowered SIEM

    SIEM Powered by BAS is one of Gartner’s top eight technological trends for 2021. Enterprises should consider the use cases that BAS systems provide for increasing SIEM efficiency and return on investment. A BAS-enabled SIEM platform may be used by a wide range of users, including CIOs, CISOs, SOC managers, security analysts, and compliance teams, to construct resilient networks.

    In 2005, SIEM technology was designated as a new category, and much has happened in IT and cybersecurity since then. Networks are now larger, more interconnected and more versatile. Criminal actors take advantage of what those descriptors imply: more flexibility, the potential for greater effect and an expanded attack surface. Although SIEM technology has advanced substantially, not every element of how SIEMs are used today meets the challenges that current networks and business dynamics present.

    SIEMs are Underutilized

    SIEMs aren’t being used to their full potential. The SANS report “Common and Best Practices for Security Operations Centers: Results of the 2019 Survey” investigates how pleased users are with their technologies as they relate to the NIST Cybersecurity Framework functions of identify, protect, detect, respond and recover. In the identify category, the survey shows that only 22% of SIEM users are very satisfied, while 25.8% are not satisfied. In the detect category, these numbers are 20.5% and 34.8%, respectively.

     

    A study by the Ponemon Institute supports the SANS findings. Even though organisations’ first choice for detecting malicious activity is a SIEM, on average 25% of those detections are false positives, and 55% of alerts triggered by detections are not attended to.

    Because the amount of alerts is so large, many SOCs just delete the alert backlog at the end of each day to have a fresh start in the morning.

    En Route to Efficiency

    SIEM systems are the most popular detection solution for a variety of reasons. They are known for their speed in delivering findings, they gather and analyse data in a way that no other detection technology can, and their advanced analytics capabilities are unrivalled. Maintaining high efficiency on this expensive but necessary technology is a critical component of combating sophisticated cyber assaults. How to get there, however, remains an open question. There are several obstacles SOC teams must overcome to achieve and maintain SIEM efficacy.

    CHALLENGES IN OPERATIONALIZING SIEMS EFFECTIVELY

    In the discussion of SIEM efficacy, or rather inefficacy, three fundamental challenges put a strain on SIEM capabilities. The extensively debated SOC problems of false positives, alert noise, missing detections, long dwell time and other issues related to SIEM efficacy are symptoms of not tackling these three challenges effectively in the first place.

     

    1) The Large Volume of Data Modern Networks Generate

    Regardless of how advanced a SIEM may be, it fundamentally relies on the scope and quality of the data it collects and processes. Even though “the more logs, the better” sounds reasonable, the massive volume of data modern networks generate requires SOC teams to handle log management more creatively and selectively.

    2) Ever-Changing Adversarial and Internal Environments

    Data sets and detection rules on SIEMs quickly go out of date because of rapid change in networks and in the adversarial landscape. Each new application, network or user device may be a new vulnerability and a new data source at the same time. New attack techniques and threats may also require new data sources to be ingested to detect them.

    3) Lack of Skill Set and Security Analysts

    While SIEMs rely heavily on people for planning, process design and successful execution, Gartner ranks “SIEM expertise” among the most difficult skill sets to find in its 2020 IT Skills Roadmap report.

    Assigning the right priorities to alerts, managing log sources, quick and effective detection engineering, improving processes, ensuring collaboration between junior and senior team members and other key SIEM tasks all require the right level of expertise. Organisations need to empower SIEM users through training, automation and a proactive approach that pre-empts repetitive tasks.

    Contact Ward Solutions to discuss how our Breach and Attack Simulation services can validate your current SIEM and improve its effectiveness:

     

    News

    5 Requirements of Modern Cyber Testing Solutions

    Security testing should be the north star of successful security leadership, not simply a nice-to-have. A security validation tool should tell you in near real time whether your security controls can withstand the most advanced contemporary attacks, whether your existing investments are generating ROI, and where you need to direct the organisation next.

    Given the rapidity with which new attack tactics and techniques emerge, this is a lot of strain, which is why the security validation market is evolving fast. Today’s security testing methods range from vulnerability scanning to more advanced approaches such as Breach and Attack Simulation (BAS), and practitioners frequently use frameworks such as MITRE ATT&CK to help them get the job done.

    What, then, makes a good security testing solution? We’ve put together a list of five must-haves for CISOs assembling a contemporary, threat-centric security validation program, to help them navigate this fast-changing industry.

    Requirement 1: Ability to utilize imminent advanced threats

    One of the most difficult aspects of security testing is that new cyber threats emerge constantly. They use a broad range of complex tactics and techniques to accomplish their objectives, including techniques designed to avoid detection.

    Standard vulnerability scanning solutions help security professionals gain insight into new security weaknesses as they are identified (which may or may not be exploited in the next wave of attacks), but they lack the crucial context of what attackers are actually doing “in the wild”. They help security teams discover prospective “victims” in their organisations, but that is not the same as testing against established adversary behaviour patterns.

    Organisations may use red team exercises to align their validation with real-world circumstances. However, red team testing is resource-intensive and time-consuming, so on its own it won’t meet our second major requirement: 24x7x365 preparedness.

    Requirement 2: 24x7x365 validation

    In the world of cybersecurity, the enemy never sleeps. According to a 2020 Accenture research, new threats emerge at such a rapid pace that security stakeholders view it as a “continuous fight” to keep ahead of them.

    Red team exercises, which may take weeks or even months to design and execute, cannot provide the kind of round-the-clock threat preparedness that security teams require to thrive in this environment. While they play an important role in evaluating security measures against the most sophisticated approaches, companies will need to go elsewhere for continuous security validation 24 hours a day, seven days a week, 365 days a year.

    Requirement 3: Assessing existing control capabilities

    It may seem self-evident, but an effective security testing solution must account for the whole spectrum of security controls already in place in a company’s IT infrastructure, no matter how sophisticated or varied. If validation tools cannot assess current control capabilities, they will struggle to give useful information on the importance of individual security weaknesses and their priority.

    Requirement 4: Immediate mitigation

    In some cases, security validation tools will reveal security flaws that must be fixed immediately. We therefore believe it’s critical that a successful security testing solution alerts security teams to areas of danger and gives them the knowledge they need to mitigate those risks in minutes. In some situations this may include a thorough to-do list of mitigation suggestions.

    Requirement 5: Enable team communication and collaboration

    Finally, a successful security testing solution must address the complete spectrum of threats, possible victims in the organisation, current control capabilities, and the many diverse roles, departments and personnel that must be engaged in responding to security risk.

    Every security executive understands that getting security and business stakeholders to communicate and collaborate is easier said than done. Effective validation should enable all stakeholders to see and grasp the intricate links between threats, risks, mitigation actions and ROI, and engage the whole team to work together for the same goal.

    Ward Solutions offers a comprehensive set of cyber testing services. If you are interested in any of the testing services described in this blog then please contact: