
    Why Every Company Needs A SOC…

    Historically, the security operations centre (SOC) was needed only by the largest corporations and was a particularly heavyweight function. These days, however, more and more organisations see the need for a SOC so that they can detect and respond to threats in real time – and they look substantially different today than in the past.

    That’s because, in today’s world, everybody’s a target. Malicious actors and rogue nation-states can launch large numbers of attacks in no time at all, putting small organisations just as much at risk as large ones. Even organisations that aren’t targeted directly can suffer as collateral damage in a larger attack or as a route into a third party. For small organisations, the cost of a breach could be in the millions, so protection is vital.

    The SOC doesn’t have to be a huge undertaking. These days, a modern SOC can be delivered by a Managed Security Services Provider (MSSP) using tools such as next-gen SIEMs (Security Information and Event Management) and EDRs (endpoint detection and response). Increasingly, the most forward-looking organisations are integrating their SOC with their network operations centre (NOC). The resulting SecOps will be at the cutting edge over the next few years. This article explains the journey necessary to get there.

    What is a SOC and why do you need one?

    Asked to imagine a typical SOC, most people will picture a physical facility with people at banks of computers, facing a wall of screens filled with network and system data. The sort of complex, expensive facility reserved for a tier-one bank, government organisations or NASA.

    A SOC is a facility where security staff defend against breaches and identify and mitigate security risks. The analysts and security specialists staffing the SOC monitor everything from governance, risk and compliance (GRC) systems to intrusion prevention and detection systems to next-generation firewalls.

    Although SOCs were once large and expensive, the proliferation of the cloud and services supplied by third parties have made the technology more affordable. Just as security becomes a more widespread concern, the SOC has become more accessible. Organisations of all sizes are at risk today and therefore need to implement better security measures.

    The SOC is no longer necessary for just the regulated sectors or those handling sensitive data. Helping to increase accessibility is the fact that a SOC no longer needs to be a physical facility. These days, the SOC can be virtual and its staff remote. Some organisations set up a managed or hybrid SOC, combining in-house people and tools with expertise from a managed service provider.

    SIEM: The tech that pulls your SOCs up

    Every SOC faces challenges, and two notable ones are visibility and noise. First, a centralised SOC might not have visibility across the organisation: some endpoints might not be connected to the SOC, encrypted data might be inaccessible, and so might data held by third parties. On the other hand, the data that does come in can be overwhelming. Security analysts can spend large amounts of time dealing with false positives, and the sheer volume of data makes it easy to miss genuine alerts.

    SIEM tooling can deal with both problems by filtering data to produce actionable insights across security tools, endpoints, cloud services and even SaaS applications.

    Next-generation SIEM uses machine learning and advanced analytics to sift through huge amounts of data, reducing false positives and lowering alert fatigue. That frees analysts to spend more time on more pressing or complex threats. The number of sources from which next-gen SIEMs gather data and the intelligent processing they apply mean that they detect incidents that less advanced systems miss, such as insider threats and data exfiltration. They can also automate tasks, such as finding unused credentials belonging to employees who have left the organisation or quarantining malware in a sandbox. The SIEM develops a baseline of what normal network activity looks like, which means it identifies anomalies more quickly.

    How could you benefit from a SIEM?


    The road to SecOps

    Of course, having advanced tools like this in place is no use if organisational structure stops them from being effective. The security team was once viewed as an obstacle by operations – and in some organisations, it might still be. While operations are focused on up-time and performance, security can be often seen as slowing things down. This is the wrong approach, and attitudes are changing.

    Increasingly, we are seeing that, at an organisational level, security is seen as an integral requirement like up-time or performance. It’s no longer an afterthought and security considerations are becoming more baked in rather than added on at the end of a project. Analysts communicate with Ops about threats and incidents, while Ops can use the SOC for advice and guidance. For DevOps organisations, security can be involved even earlier.

    The resulting SecOps (or DevSecOps) environment is more proactive and, with both teams working together, they can diagnose and address problems much more quickly.

    Security has gone beyond simply installing the right tools and has become part of the modern trend towards entirely new approaches that require new skills. For many organisations, especially smaller ones, the rate of change is too fast for them to train or hire people with the necessary skills. They might not even be able to justify a security hire, despite the essential need to keep the organisation safe.

    What does a next generation SOC look like?

    Not all SOCs are equal and when looking to a SOC provider you need to select one that is built using the right people, has mature processes, is aligned with next generation technologies and can deliver capabilities such as rapid detection and response, user risk detection and complex advanced threat detection.

    The answer is to find a third party that can handle this for you. Managed services providers can deliver the entire SOC for you or fill specific gaps in your coverage. This means that someone is always focused on securing the cloud, leaving you to focus on what you do best.

    Ward Solutions delivers a next generation SOC capability that addresses the needs of all clients, from small and medium sized enterprises to large multinationals and government agencies. Using advanced SIEM and EDR tools, our 24×7 SOC delivers rapid detection and speedy response to the internal and external threats that are so prevalent today.

    For more information, view our security services here. If you have any specific queries, get in touch with our expert team today.

    News

    Pat Larkin’s opening statement to Houses of the Oireachtas,…

    Pat Larkin spoke to the Houses of the Oireachtas committee on Transport and Communications yesterday to address the cyber security risks to Ireland arising from the war in Ukraine. After listing the risks Ward has advised our clients of, Pat took the opportunity again to appeal to the committee for “a much more comprehensive, robust, better-resourced, highly innovative national cyber security strategy, integrated as part of our national security strategy to protect Ireland.”

    You can watch him address the Oireachtas committee in this video:

    Or read his opening statement below.

    Chairperson, Committee Members, it is my pleasure to attend, give an opening statement and answer any questions you may have today.

    The last time we were here, you asked contributors about the emerging trends we saw in the cyber realm, affecting our clients and what was required to mitigate such threats. This last hearing took place in the ominous shadow of the HSE cyber-attack. Since then cyber-warfare threats have escalated in a manner and in a timeframe, which has blindsided the majority.

    On foot of the Ukraine invasion, Ward Solutions notified our clients in our situational security advisories, of what we believe to be significantly increased risks:

    • Increased criminal activity capitalising on emotive curiosity arising from the war.
    • Increased cyber militia activity from both global and local activists, attacking Russia, Ukraine or Western countries with commensurate direct or collateral damage and the associated problems with attribution and blame.
    • Increased nation state activity responding to current geopolitical objectives. For example, cyber actions as part of hybrid warfare, malicious reaction to sanctions and counter strikes to actual or perceived nation state cyber activity.
    • Failure of risk transference mechanisms, such as cyber insurance, arising from policy exclusions for cyber events originating from nation state activities or acts of war.
    • Attacks and disruption to near stream and downstream supply chains of national and global critical national infrastructure (CNI) providers such as finance, health, utilities, telecoms, cloud/SaaS, transportation etc.
    • The lack of capacity of already stretched cyber service providers to support wide scale attacks.
    • Accelerated segregation (“cyber-balkanisation”) of the Internet.

    We continue to advise our clients on actions that should be undertaken, based on urgently revising risk assessment, mitigation and security operation plans. This encompasses increasing awareness, increasing security controls, performing basic and advanced cyber security tasks better, testing and rehearsing incident response, disaster recovery. We have advised our clients of the need to maintain a hyper-vigilant security posture for the long term, planning their programs and resource accordingly.

    Out of the tragedy and adversity of the Ukraine invasion, where Ireland is not politically neutral and previously the HSE cyber-attack, where Ireland was at that time in a politically neutral state – we can now see that neither aligned, nor non-aligned status offers us effective protection from nation state, militia or criminal cyber-attacks.

    On a daily basis, Ward Solutions continues to deal with ever growing operationally and financially crippling cyber-criminal activity against our clients, regardless of the current geo-political situation.

    Once again, I am appealing to this committee and to anyone that will listen, advocating the need for a more comprehensive, robust, better-resourced, highly innovative national cyber security strategy, integrated as part of our national security strategy to protect Ireland. We have started the journey and made some inroads, but we are nowhere near the levels of protection required for this decade and the rate at which the threats are developing. Time is of the essence. We have seen malevolent nation state activity for over 15 years. Ireland has been hit both directly and indirectly. National cyber security strategy, practice, capacity, resources, research and capability are not something that you can switch on in days and weeks in response to a specific crisis. It requires deliberate planning and constant adaptation to extract short and long-term success. This strategy is needed to protect our society, citizens, public, private services and our prosperity. If well executed, it will also bring very significant economic benefit to Ireland – the direct cyber security market is estimated to be worth $270 BN by 2026. There is a significant digital sector, which is heavily cyber security dependent. An effective National Cyber Security strategy offers multiple levels of pay back, not only funding the strategy but also returning real profits in terms of investment, jobs, export revenue, corporate taxes from the direct cyber security sector and from the cyber security dependent sectors.

    The state’s role in this strategy should be that of leader, coordinator, enabler, incubator and accelerator.

    I am also a board member of Cyber Ireland, whose chairperson and cluster manager presented to you during 2021. Cyber Ireland have been steadily working to coordinate the triple helix of Industry, Government and Academia in order to make Ireland a Cyber Security Global leader, over the last 4 years. As part of our work, Cyber Ireland recently commissioned an international expert study of the Cyber Security sector in Ireland and will be launching this study and an accompanying sectoral policy paper in May 2022. Both will be submitted to this committee. We believe these will be invaluable to your considerations on Ireland’s cyber security strategy.

    Thank you for the opportunity to make this statement today.

    News

    Five Mistakes To Avoid When Securing a Hybrid Network

    Most organisations today operate on a hybrid network. According to Gartner, the recent shift to a remote workforce has had a lasting impact on networks. “Through 2024, organisations will be forced to bring forward digital business transformation plans by at least five years as a survival plan to adapt to a post-COVID-19 world that involves permanently higher adoption of remote work and digital touch-points.” [1]

    However, today’s hybrid networks make centralised visibility and control increasingly difficult to achieve, especially when an organisation does not have a central security strategy in place. Instead, organisations have deployed an average of more than 45 security tools across their network, most from different vendors. And each incident they respond to requires coordination across 19 different solutions. Such complexity inevitably leads to poor visibility, limited control, and exploitable security gaps. [2]

    Consolidation and integration of networking and security are the best strategies for addressing such overly complex environments. Deploying a common next-generation firewall (NGFW) platform as the backbone of a unified security strategy enables end-to-end visibility, ease of management and control, and consistent enforcement across the network. But selecting the right solution can be daunting, and there are several critical mistakes IT leaders need to avoid.

    Five Common Mistakes When Securing Hybrid Networks
    Mistake 1—Over-rotating to a cloud-based solution. Some organisations are considering replacing their traditional security with a secure access service edge (SASE) solution. However, few organisations have a cloud-only environment in place. The reality is, most have—and will continue to own and operate—a hybrid network. Over-pivoting to a cloud-only security strategy ignores the needs of those users working on-premises in local campuses.

    According to Gartner, “Classic data center edge firewall designs are not obsolete and must be maintained in support of traditional inbound data flow patterns and residual outbound connections from internal users that remain on-site in campus environments or at large branches.” [3]

    Mistake 2—Ignoring the importance of the on-premises data center. For a variety of reasons, many organisations simply can’t move critical services from the data center to the cloud. But many of its applications need to remain available for external customers and corporate users, reinforcing the importance of traditional, on-premises firewalls.

    The Gartner report confirms this approach, as well as acknowledging challenges related to cloud provider security solutions. “A significant minority of organisations consider these offerings to be immature when compared to third party vendor solutions and sometimes deploy network virtual appliance (NVA) versions of these third-party solutions directly in public cloud IaaS instances.” “Private and public cloud operators offer native solutions for firewall, WAF, distributed denial of service (DDoS) and ADC.” [4], [5]

    Hybrid networks need a security solution designed to operate natively in any environment—protecting all edges consistently, seeing and sharing threat intelligence across the network, and delivering coordinated security enforcement anywhere. That starts with a common network firewall platform deployed at every network edge: campus, data center, branch, private and public clouds, and as a cloud-based service for remote and mobile workers.

    Mistake 3—The “Best-of-Breed” myth. There is a mistaken belief that a best-of-breed approach provides better security at the edge. Instead, such an approach usually leads to product sprawl, resulting in an overly complex network and isolated security architectures that can’t effectively share threat intelligence. This defeats the very purpose of building a strong security posture— point solutions can never provide the same level of visibility and security as those designed to work together. Only integrated security ecosystems, built around the premise of sharing actionable threat intelligence, can provide robust, coordinated, and timely responses to cyber events.

    A unified system is always more secure than the sum of its components. For example, how would a best-of-breed approach handle the case of a user with a compliant laptop who then inserts an unauthorised USB thumb drive? Most isolated network security devices have no way to detect or respond. But an endpoint detection and response (EDR) solution designed to collaborate with other security systems can inform the NGFW about this policy violation, which can then provide policy enforcement, such as isolating the device or removing it from the network. This is only possible with a security ecosystem approach built around a common security platform, where actionable threat intelligence is shared across all security devices, and policy can be enforced wherever it is most effective.

    Mistake 4—Not thinking holistically. Evolving hybrid architectures expand the attack surface, reducing visibility and increasing risks. Compounding the problem further, the volume of encrypted traffic is estimated to soon reach 95%. [5] However, most network firewalls are unable to inspect encrypted traffic while maintaining the performance levels today’s applications require. So how do you secure a network when you only have real visibility into 5% of your traffic? IT leaders need to choose an NGFW solution that can operate at scale across the network without getting bogged down with compute-intensive operations like secure sockets layer (SSL) decryption, threat detection, and automated remediation.

    This begins with a solution designed to support the latest encryption standards, like TLS 1.3, while ensuring existing TLS 1.2-based communications are not broken. Beyond visibility, the real challenge in future-proofing your security is selecting a solution able to learn about the state of dynamically changing resources scattered across the network and then adapt in real time. This is especially challenging when your security strategy needs to include multi-cloud. Not considering how various clouds are built and configured can pose a nightmare for normalising security policy across different cloud providers. Therefore, reasonable care must be taken to select an NGFW solution capable of learning about the ever-changing state of private and public cloud resources and then delivering consistent end-to-end security across this hybrid IT architecture for a strong and consistent security posture.

    Mistake 5—The risk of implicit trust. Traditional flat networks focus on preventing attacks from the outside but give attackers lots of latitude once the perimeter has been breached. Organisations need to consider an NGFW solution able to provide security beyond the edge by reducing the attack surface through network segmentation to prevent the lateral propagation of north-south threats and micro-segmentation to prevent east-west proliferation.

    In addition to dynamically segmenting the network to prevent lateral movement, an NGFW must also dynamically adjust levels of trust by monitoring behaviour through tools like user and entity behaviour analytics (UEBA). And it must be able to reduce or revoke trust if a user or device begins to behave suspiciously. It must also integrate with zero-trust access (ZTA) and zero-trust network access (ZTNA) solutions to control access to network resources, down to granular per-application segmentation. And it must also manage the proliferation of headless devices, like Internet of Things (IoT) or Industrial Internet of Things (IIoT), by seamlessly integrating with a network access control (NAC) solution to ensure that every device, application, and transaction is accounted for and secured.

    Hybrid Networks Need a Network Firewall Designed for Today’s Digital World

    Hybrid networks require an NGFW designed to provide consistent protection, visibility, and control across even the most distributed and dynamic environments. This requires selecting a solution designed to operate at any edge, in any form factor, to seamlessly integrate networking and provide consistent policy enforcement, centralised policy orchestration, real-time intelligence sharing, and correlated threat response. By enabling security policies and enforcement to follow applications and workflows end to end, organisations can enjoy broad visibility and control across their continually changing networks while ensuring optimal user experience for today’s work-from-anywhere reality.

    [1] Gartner, “Forecast Analysis: Remote and Hybrid Workers, Worldwide,” Ranjit Atwal, et al., June 2, 2021. (P1)
    [2] Kim Samra, “IBM Study: Security Response Planning on the Rise, But Containing Attacks Remains an Issue,” IBM, June 30, 2020.
    [3] Gartner, “How the Shift From Firewall Appliances to Hybrid Cloud Firewalling Will Change Selection Criteria,” Aaron McQuaid, March 10, 2021. (P1)

    News

    The top 6 things CISO’s should be doing to…

    The Ukraine War, in concert with Russia’s long-standing status as a malevolent cyber nation state actor and an ambivalent host for cyber criminals, means that organisations face significantly increased cyber risks from direct and indirect cyber activity. It is highly likely that the current covert, relatively lower grade nation state cyber activity will switch to overt, high intensity cyber activity as the war and sanctions escalate. Organisations should remember that the collateral damage from Russia’s last cyber playbook in Crimea, with NotPetya, is estimated to have cost the global economy over $10BN. Cyber-criminal activity is already looking to exploit the high level of interest and uncertainty about the war. Hacktivists are lining up as both loosely and tightly aligned groups of cyber militia on both sides, attacking Ukraine, Russia and the West.

    To protect their organisations, Ward Solutions recommends that CISOs channel their efforts in the following 6 major areas:

    Optimising your human firewalls – the human firewall, from an organisation’s executive and IT admins to its accounts payable clerk, is consistently its greatest weakness when poorly engaged and its greatest strength and defence of last resort when hyper vigilant and educated. Ward consistently sees organisations’ best of breed security control technologies defeated by relatively simple social engineering, phishing or other people based, targeted attacks. Targeted, relevant awareness and education is now more important than ever to ensure that your people are well educated and hyper-defensively engaged. In our experience, segmenting your messages, activities and audiences into relevant groupings such as board, executive, management, technical, operational, finance and supply chain, with relevant messaging and tactics for each group and encouraging collaboration, sharing, transparency and lessons learned, offers better results in terms of sustainable security effectiveness.

    Updating your risk registers and remediation plans – now is the time to rapidly update and revise your enterprise risk register with new or revised risks, likelihoods, impacts and remediations based on current circumstances and the environment. Risk transference mechanisms such as cyber insurance may now be pleading exemptions due to acts of war and nation state events. At a minimum, CISOs need to check what cover, if any, applies. If insurance exemptions apply, then CISOs need to inform their boards and risk committees and rethink with the organisation how these risks now need to be addressed.

    Expanding the scope of their supply chain risk assessments to include a robust review of CNI impact – now is the time to revise and consider the risks and impact to your organisation from your close-in supply chain such as equipment, raw material and general service providers. CISOs also need to revise and consider the impact to their organisation of the significantly higher likelihood of attacks, disruption and outages of critical national infrastructure (CNI) locally, regionally and globally, affecting providers of services such as power, water, telecoms, transportation, healthcare, cloud and media/communications to their organisation and their supply chain, as the war and sanctions escalate.

    Reducing your circle of friends, acquaintances, levels of access and trust. Now is the time to consider geo fencing and blocking of default inbound and outbound communications from your systems and networks, not just for affected regions but for any regions that you have no cause to do business or strategically communicate with. In the past this may have caused some limited disruption and inconvenience to end users, and may not have been politically correct. However, extraordinary times require extraordinary measures. CISOs should also consider implementing rules, controls and enhanced security between your key suppliers, customers and partners only, effectively closing your networks dramatically and implementing enhanced security such as VPNs, email security such as DKIM, DMARC, IBE etc., and enhanced and adaptive authentication such as MFA. Internally, you also need to review the levels of access that both technical and non-technical people have to systems, networks etc., and consider reducing the scope to the minimum required rights with increased levels of validation and authentication for access, change etc.

    Shields up and hunt likely threat scenarios – CISOs should also consider increasing levels of monitoring, alerting, triage and response so that they can reduce their exposure time. Their organisation will need to be tooled up to respond to and investigate these heightened levels of alerting and monitoring, as otherwise this simply becomes dead noise. Organisations with high exposure to targeted nation state attack, e.g. critical national infrastructure providers, should assume that they are compromised, model likely threat scenarios including threat scenarios based on the Russian hybrid warfare playbook in Ukraine, and conduct some targeted threat hunting, e.g. for the wiper software used to attack Ukrainian institutions at the beginning of the current war and other relevant threat scenarios.

    Get your organisation into the Incident Response Cyber Gym. CISOs should be updating their incident response plans immediately. Stacks of policies and procedures are useless unless the people tasked with decision-making are fit and have the muscle memory of what actions to take and when. CISOs can run tabletop exercises on likely incident scenarios now to train and build the required muscle memory of the key people in their incident response plans. CISOs should also consider testing and rehearsing their disaster recovery and business continuity plans now.

    Steeling their organisation for the long game. It is unlikely that this crisis will de-escalate any time soon. Arguably, the geopolitical balance has shifted permanently and the direct and covert weaponisation of cyber is here for the long term. CISOs would do well to ensure that their organisations are ready to sustain this heightened level of risk, remediation and incident response into the long term. CISOs’ workload is already high, so they may need to build capacity into their governance, risk and security operations teams to help protect and steer their organisation into this new order. As we know, cyber skilled resources have been in short supply for the last 5 years. CISOs should innovate quickly to bring right-minded people from partners or from other disciplines and parts of their organisations into their teams and bring them up to speed quickly.


    Ward Solutions is a full service, full security lifecycle provider. If you don’t have the right manpower, tools and expertise then consider partnering with a Security consultancy and managed cloud security service provider with the knowledge and skills to help supply or augment your CISO, Security engineering and security operations resources. Talk to us today to see how we can help.

    News

    Ward Solutions advisory increased cyber risks arising from war…

    Ward Solutions advisory increased cyber risks arising from war in Ukraine.

    Situation

    Previous state backed, criminal and cyber militia based cyber operations from the Eastern Europe region have already caused significant disruption to Irish and European organisations over the last decade. Ireland has already posted a strong diplomatic response to the war in Ukraine and seems set to participate in international sanctions. Ireland has an active high profile role in the United Nations as part of the UN Security Council. Ireland hosts a significant amount of global cloud and social media vendor services and data in data centres on our island. Ireland is a significant part of the transcontinental internet fabric, with strategic fibre optic cables originating, terminating or transiting via our coastline and island. Thus Ireland, the Irish Government, Irish FDI and indigenous based organisations have a relatively high profile in the geopolitical response and may suffer direct or indirect cyber related fallout from this war. Ward Solutions are therefore advising that there is a significantly increased cyber risk to organisations, consumers and citizens from:

    • Increased criminal activity looking to capitalise on people’s fear, emotion and news seeking arising from the war.
    • Increased cyber militia activity from activists either looking to attack Russia, Ukraine and other former USSR states or looking to attack Western countries, and the commensurate direct or collateral damage arising.
    • Increased nation state activity in response to current geopolitical objectives, malicious reaction to sanctions, and counter strikes to actual or perceived nation state cyber activity.
    • Cyber insurers have recently moved to provide exclusions in their policies for cyber events arising from nation state activities or acts of war. There is a risk that organisations assume that they are insured for all cyber incidents, when in fact such exclusions may apply to events arising in current circumstances.

    Aside from the direct risk to your own organisations, we recommend that your organisation consider the potential impact of the increased probability of attacks and disruption to national and global critical national infrastructure (CNI) providers such as

    • power
    • telecom
    • water
    • cloud/SaaS
    • finance
    • healthcare

    Recommendations

    Ward’s primary recommendations in light of the current situation are as follows:

    Generate increased awareness across your organisation of the potential increased and additional risks from board level to end user.

    Reassess the risks, your risk register and your mitigation strategies, if appropriate, based on the new geopolitical situation and increased or additional risks we have identified in this advisory

    Check your cyber insurance cover, limits and exclusions.

    Further reduce the likelihood of a damaging cyber event to your organisation. Assuming you already have normal best-practice cyber security recommendations in place, consider these measures in addition:

    • Consider geo-fencing or blocking by GeoIP (inbound and outbound communications) regions that you don't regularly or normally communicate with, in particular Russia, Ukraine, former USSR states, China, North Korea and Iran, but also other states and regions.
    • Consider reducing levels of privilege and access to the minimum required.
    • Secure your Active Directory according to best-practice guidelines: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory
    • Ensure that your vulnerability scanning and patching are as up to date, per vendor and best-practice frameworks, as is practical.
    • Implement multi-factor authentication (MFA) on all remote access and cloud-based services.
    • Disable all ports and protocols not essential for business purposes.
    • Stay up to date with the latest threat intelligence and national cyber security recommendations: https://www.ncsc.gov.ie/

    Take steps to quickly detect any potential intrusions – assuming you have active security monitoring in place:

    • Consider implementing increased thresholds for alerting and monitoring on higher-priority systems and services. Only do so if you can respond to and appropriately assess the increased volumes of alerting.
    • Allocate additional resources to monitoring, auditing, analysing and triaging alerts and incidents.
    • Confirm the levels of coverage and of updates, and retest the effectiveness of policies and configurations on your endpoint and gateway anti-virus and anti-malware technologies. Consider augmenting any legacy signature-based technologies with next-generation AI/ML technologies that offer protection, detection and remediation capabilities in the event of endpoint compromise.

    Be ready to respond effectively to cyber incidents when they occur

    • Revise your crisis response team and update your incident response plans and playbooks to make sure they are current, relevant and incorporate the additional risks identified above.
    • Consider exercising the incident response team in a tabletop exercise to rehearse your roles, responsibilities and playbooks.

    Increase your organisation's resilience

    • Revise your backup and disaster recovery plans in light of the new and increased risks identified above. Plan for worst-case scenarios.
    • Test your backup and recovery plans.
    • Be aware of recovery times and plan for business operations in the event of lengthy recovery times.
    • Reassess the location of backup and recovery services and vendors in light of likely geopolitical fallout. Consider moving to locations or vendors less likely to be impacted.
    • Prioritise finite resources to focus on business-critical services first.
    • There is a global shortage of cyber security resources and capable incident response providers. If you need to source additional services, we recommend putting service contracts and service level agreements in place in advance, rather than waiting for an incident to occur before trying to source such services, as they are unlikely to be available at short notice.


    Review your supply chain risk

    • Review your suppliers to determine whether they have critical risk or exposure to Russia, Ukraine or Eastern Europe generally.
    • Review your suppliers to determine whether they, their products or their services may be subject to undue influence from a nation state, in particular Russia, and are thus at risk of compromise of integrity, privacy or continuity of supply, or of being used as a possible means of ingress to your or your customers' networks, systems and data.
    • Review your suppliers to determine whether they or their operations are at particular risk of targeting by nation-state activity.
    • Consider mitigation solutions to address any significant risks arising from the above, including:
      • putting in place alternative suppliers or services
      • asking providers to change the location of their operations
      • asking suppliers to demonstrate their contingency or disaster recovery plans

    Ward Solutions anticipates that the current situation and its risks are likely to exist, develop, fluctuate and continue into the medium term. Any strategies or measures that you adopt will need to be sustained over this timeline.


    How Can Ward Help?

    For Managed Service customers, the Ward Support team will be reviewing individual environments and making recommendations on appropriate patching for all supported devices.

    For all other customers, if you would like additional information or would like support in assessing and protecting your environment, please contact support@ward.ie or your account manager, as appropriate.

    Further Reading:

    https://www.ncsc.gov.ie/

    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/best-practices-for-securing-active-directory


    News

    Case Study: The Aviva Stadium

    The Aviva is renowned as a world class International Stadium where a variety of events including soccer, rugby, concerts, and business conferences are hosted.

    A spokesperson from the Aviva said: “We make extensive use of information technology to support our operations across the stadium. These include ticketing, CCTV, IPTV, broadcasting access control, lighting, Office applications, power and fire. We know we face the threat of cyber attacks just like any other organisation. These could be in the form of a phishing attack or ransomware or fraud, and we realise that we could be at risk during one of our international events.”

    The cyber-security threat facing stadium operators is very real and in many ways similar to the threat facing any organisation, although a stadium has its own specific technologies and applications. When we at Ward Solutions first engaged with the Aviva Stadium, it was clear they had put in place a strong cyber defence strategy, but also recognised that they needed to strengthen their preventive controls.

    They turned to our security experts at Ward Solutions and our IBM Q-Radar offering because they wanted a managed service provider who could investigate security event data from various sources, analyse it and provide them with a 24/7 monitoring capability.

    At Ward Solutions, we are a leading cyber-security provider, specialising in managed security services. We've been an IBM expert partner for over 10 years, specialising in their Q-Radar products and services. For the Aviva Stadium, we've put in place an extended threat detection and response solution based on the Q-Radar platform, whereby we source security data from a range of devices, from endpoint to cloud, and enrich it with threat intelligence and volume data. That allows us to build the use cases needed to detect and respond to the cyber-security threats they may be facing.

    Cyber-security is something that the Aviva Stadium takes very seriously, and they are very conscious of the threat, in particular the threat to a high-profile business such as their own. They engaged Ward Solutions in conjunction with IBM Q-Radar to assist in managing the cyber threat.

    Aviva Spokesperson: “It’s something that’s very much on our agenda, and it’s very important to our business, and we’re very happy with the service that we’ve received.”

    News

    The Rising Threat of Ransomware: Top 10 Tips for…

    The risk of a cyber security attack on your business has never been greater. Massive changes in working practices over the past couple of years have moved the security goalposts. With staff working from home, employers have been forced to bring in new cloud-based productivity tools virtually overnight. 

    This momentous upheaval has seen changes in technology use at breakneck speed, allowing little or no time to consider the full implications for security. As a result, companies have become far more vulnerable to attack. 

    At the same time, the attack model has changed. Individual hackers, whose sole aim is to cause disruption, are no longer the biggest threat. They have been superseded by organised gangs of criminals out for financial gain. This has led to a huge surge in ransomware attacks that are both highly sophisticated and highly destructive.  

    But what exactly is ransomware and what can you do to keep it at bay? 

    In this post, you’ll learn just that. 

    We’ll show you how to reduce the risk of a ransomware incident before looking at how you can minimise the impact of an attack in the event it does happen.

    What Is Ransomware?

    Ransomware is a specific type of malicious software that denies a victim access to their data and other IT resources until they pay the attacker a ransom. By far the most common type of attack works by encrypting data and withholding the encryption key needed to decrypt it. 

    However, other methods include distributed denial-of-service (DDoS) attacks, where a hacker floods your servers with spurious requests to connect to your services, overwhelming resources and making it impossible for your systems to function normally. They will then send you a message demanding a ransom to end the attack. 

    Another form of ransomware is doxware, where an attacker threatens to expose sensitive data, which could severely harm an organisation or individual. 

    No-one is immune to ransomware – with targets ranging from individuals and small businesses right through to large-scale enterprises and public institutions.  

    Phishing emails, which contain malicious hyperlinks or attachments, are the most widely used method of initiating an attack. Employee negligence and poor user practices are also widely exploited by ransomware attacks. 

    Should I Pay the Ransom?

    The short answer is no. Ransomware payments aren't the best use of IT budgets, company capital or insurance funds. But paying can seem like the only, or even the most cost-effective, option for companies who are caught out; criminals wouldn't be pursuing ransomware if it didn't make them money.

    You must remember that you’re dealing with criminals, and by paying, you’re proving their business model and encouraging further attacks.  

    Even if you do pay, there’s no guarantee you’ll get your data back. Criminals can easily demand more money to release data they know is sensitive or high-value. 

    Finally, depending on the country you're based in, it may be illegal to pay a ransom. There's an ongoing debate around this and about what governments should or shouldn't do to support and protect organisations affected by cybercrime.

    Ransomware Protection Measures

    The following are the most important first steps any company, whatever the size, should be taking to minimise the risk of a successful ransomware attack. 

    1. Use Endpoint Detection and Response Software (EDR) 

    EDR is an advanced form of threat protection, which is often confused with antivirus software. However, antivirus products are generally designed only to protect against known threats, whereas EDR is able to detect and respond to many new forms of attack as and when they happen.

    EDR works by collecting data from workstations and other endpoints, and using that information to detect the signs of malicious behaviour.  

    Since the sudden shift towards remote working, EDR has become increasingly important, as hackers seize the opportunity to exploit weaknesses in endpoint devices to get their foot in the door.

    2. Follow the Principle of Least Privilege (PoLP) 

    The PoLP is an approach to IT security whereby you grant each user the minimum level of access to the data and resources they need to perform their role. For example, a member of staff may need to access personal data as part of their duties but doesn’t need to change anyone’s personal details. You should therefore grant them permission to read such data but not to modify it. 

    The PoLP can help lower the risk of a ransomware attack launched through social engineering techniques such as phishing emails: if a hacker manages to steal an employee's login credentials, it doesn't necessarily mean they'll have sufficient privileges to launch an attack.

    3. Implement a Strong Password Policy 

    Password files are favourite targets for hackers. Although the passwords contained within password files are hashed, which makes them unintelligible, attackers have a number of tricks up their sleeve to crack them. However, the longer and more complex your passwords are, the harder they are to crack. 

    So it's essential you enforce strong passwords by imposing a minimum length and requiring at least one number, uppercase letter, lowercase letter and non-alphanumeric character. That way, in the event someone steals your password file, it would be very difficult for the perpetrator to crack the passwords.

    You should also rotate passwords as part of a robust password policy. In other words, you should prompt users to change their passwords periodically. This effectively limits the time attackers have to crack your passwords and make use of them.

    4. Enable Multifactor Authentication (MFA) 

    If your systems support MFA, where users must go through an extra verification step such as entering a one-time code sent to their phone, you should enable it as soon as possible.

    MFA acts as a layer of defence by putting up another barrier for an attacker to overcome to get into your systems. 

    In addition to one-time codes via SMS, other forms of MFA include: 

    • authenticator apps for desktops and mobile phones 
    • physical U2F security keys, which connect via Bluetooth or plug into your USB port 
    • login confirmation codes delivered to your email address 
    • biometric authentication, such as fingerprint, facial and voice recognition 

    5. Keep Software Up to Date 

    Software updates and patches contain fixes to vulnerabilities that attackers can exploit at any time. So you should apply them to your software and operating systems as soon as they become available. 

    But always remember to take backups before installing updates so you can quickly recover if you encounter issues such as a system crash or loss of critical functionality. 

    In cases where you cannot tolerate any downtime, you may need to administer updates in a test environment first in order to check for any potential problems before rolling out to your live systems. 

    6. Raise Security Awareness 

    According to joint research by Stanford University and email security provider Tessian, human error was the root cause of nearly 90% of all security incidents. The study also revealed that the younger generation were more vulnerable to phishing attacks – with 25% saying they’d clicked on a phishing link compared with just 8% of employees over the age of 51.

    Your users are the weakest link in the security of your systems. So it pays to nurture a culture of security within your business.  

    Enrol employees on a security awareness course and back it up with your own advice about security best practices. If you periodically remind them of everyday risks, such as sharing removable media, clicking on malicious links and using public Wi-Fi services, you’ll be far less vulnerable to a ransomware attack. 

    Business Continuity and Disaster Recovery (BCDR) Measures 

    In addition to robust security procedures and processes, you should also have measures in place to get your business back on its feet as quickly as possible in the event of a successful attack. 

    This is what business continuity and disaster recovery (BCDR) sets out to achieve. 

    Whatever the nature of the disruption, whether through a ransomware attack, power cut, hardware failure, human error or unforeseen adverse event, BCDR will help ensure rapid recovery of IT systems and mission-critical data with minimal disruption and cost to your business. 

    The following steps are integral to a well-designed BCDR plan. 

    7. Follow the 3-2-1 Backup Rule 

    You should never just rely on a single backup copy of your data. 

    Restores can fail. Not only that but more advanced ransomware attacks also target your backups. 

    To ensure adequate protection you should follow the 3-2-1 backup rule, whereby you maintain three copies of your data: two local copies, your production data and a backup copy on a different medium, and a third copy stored with an offsite service.

    The local backup will be immediately available for simple and fast recovery. However, it will also be more vulnerable to attack. 

    The offsite backup, on the other hand, will be air-gapped from your on-premises systems. Hackers will therefore find it more difficult to attack, as they’ll likely need additional access credentials and also supplementary network information to locate it. This will be particularly so if you use a cloud backup service. 

    8. Take Immutable Backups 

    An immutable backup is a copy of your data that cannot be modified, encrypted or deleted. It uses locking technology that prevents anyone, including users with admin privileges, from making such changes until the end of a specified retention period. 

    Consequently, you can be confident you can always recover from a ransomware attack or any other type of data protection incident. 

    Immutable backup solutions are generally based on storage that uses the WORM (write once, read many) format. They are available as both on-premises appliances and cloud-based offerings.

    9. Maintain Backup Hygiene 

    It could be some time between the moment an attacker first breaches your system and the point at which they actually trigger their attack. 

    During this period, your backups will also have been infected. So make sure your backup system doesn't just take copies of your data but also scans them for malware. That way, you can be sure they're clean and safe to use whenever you need them.

    And don’t forget to test your restore system on a regular basis, as you want to be sure it works properly when you need it and that backups are free from corruption or other problems that could prevent recovery. 

    10. Draw Up an Incident Response Plan 

    Recovery from a ransomware attack can be a huge undertaking, as you get services securely up and running while carefully purging them of all footprints left by an attack. 

    As part of your response, you may need to perform detailed forensic analysis to establish the full facts of the incident. If the attack carries a threat to the privacy rights of individuals then it’s likely you’ll need to report the crime to both the National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO). 

    In fact, you’ll have a lot of systematic steps to follow. 

    So it’s important to draw up an incident response plan so you’re properly equipped to deal with an incident. This should prioritise the recovery process. 

    For example, authentication services should be near the top of your list so users can immediately log back in once other services return. You should also prioritise internal email servers so staff can communicate with customers and each other as soon as possible.

    Be Prepared

    The best defence for any organisation is to be prepared for a ransomware attack. 

    Review your security. Tighten up your security. Put backup and recovery processes in place. 

    And if you don’t have the right manpower, tools and expertise then consider partnering with a managed cloud service provider with the knowledge and skills to help you. Talk to us today to see how we can help – we have a range of security experts well-versed in preventing, detecting and recovering from ransomware. Plus, we’re a friendly bunch who are always up for a chat, so why not kick things off right away?

    If you think you’re at risk, take action today. Because one thing is for sure.

    If you don’t take all these measures before an attack, you’ll definitely be doing so afterwards.

    News

    Viruses

    We are all moved by the recent ransomware attack in Ireland and, just as with COVID, we are all scared, don't know what to think and may be panicking a bit. Cyber viruses and human viruses have some similarities and can be tackled in the same ways. We learned how to take on COVID, so we are here to teach you how to take on a ransomware attack.

    We need to think the same way as we were advised to when COVID started spreading. We all know the guidelines to stop the spread of COVID:

    1. Stay calm

    2. Wash your hands regularly 

    3. Exercise regularly 

    4. Maintain your distance and a healthy, balanced diet

    5. Wear masks

    What we need to do with ransomware 

    1. Stay calm

    2. Scan your network regularly 

    3. Test your Disaster recovery plans and security incidents plans regularly 

    4. Maintain your network, e.g. firewalls, servers, user security audits, patching, refreshing old kit, regular backups

    5. Regular reboots and health checks to make sure you maintain the healthy status of your systems

    6. Look at SIEM, vulnerability management and threat detection

    7. Protect your machines with solutions like Cylance, McAfee, Fortinet, EMS and FortiClient

    If you get infected with COVID, we have been given guidelines to limit the damage and stop the spread. Again there are similarities in the response needed:

    1. Stay calm

    2. Isolate

    3. Call your GP

    4. Get tested

    5. Seek help if unable to breathe

    And now let's compare these tips to a ransomware malware attack

    1. Stay calm

    2. Isolate your network environment from the internet 

    3. Call your support teams

    4. Inspect and test all your machines to see what the damage is: what got infected

    5. Seek help from a security expert to help you handle the situation

    What we are all missing 

    1. Stay calm

    2. Plan

    3. Do

    4. Check

    5. Act

    6. Educate your employees, neighbours, VIPs and clients regularly on the mistakes we all make

    We all need to learn to wear masks

    Now it is time to look at masks for your environment

    Talk to our Ward sales team about how we can help you

    News

    Using Ward Solutions BAS Service to Identify Missing or Misconfigured Security Logs

    The Challenge:
    SIEM platforms rely on the accuracy, quality and timeliness of logs to produce threat detection notifications. It's not easy to keep track of logs. Configuration problems, software flaws, expired licences, outdated APIs and other causes can make log agents and collection software fail. The complexity, scale and traffic of networks can also stifle data flow.

    The commonly adopted log validation technique today is largely based on detecting abnormalities in pre-defined traffic data. This method cannot map traffic with harmful content or pinpoint the source of log issues in multifunctional security measures. The inability to validate logs reduces the efficacy of Security Operations Centres (SOCs) and may make it more difficult to respond to warnings and events on time.

    Technical Use Case:
    Ward Solutions and our partner Picus, through Picus Detection Analytics, aid in identifying security events that have been detected or prevented by security controls but whose logs are not visible in SIEM platforms. By proactively detecting such flaws and maintaining a healthy log system, you can guarantee that:

    • There are no alerting gaps caused by undiscovered security events created by genuine attackers.
    • Regulatory log collection obligations are not breached.

    Suppose no event logs are found in the SIEM after an attack. In that case, it means that one of the following scenarios took place:

    Option 1: On the attack vector, all applicable security controls failed to identify the attack's TTPs. As a result, no log is created (please refer to the “Enhance your logging to have better visibility” use case).

    Option 2: The defences identify the attack TTPs, but the logging options aren't enabled, or the delivery method isn't working.

    Option 3: Logging and distribution methods may be operational. However, log delivery may be delayed due to a setting or a network-related issue.

    Option 4: Logs may be delivered to the SIEM, but because they do not contain the right level of detail they are not picked up by Picus Detection Analytics as “log exists”.

    This use case is to identify the situations described in Options 2, 3, and 4.

    Picus Detection Analytics Overview

    Picus Detection Analytics, delivered by Ward Solutions with our partner Picus, queries SIEM platforms to look for the logs of the events generated by the IT infrastructure as a result of Picus threat emulations. Based on this query, the Picus user interface shows the journey of a threat with an end-to-end view. This view (image 1), in addition to the attack history and description information, contains:


    • Start and end time of the attack
    • Log status
    • Log delivery time, if the log is delivered
    • Alert status
    • Prevention status
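    As an added example (not Picus or Ward Solutions code) covering both the four Options above and the threat-journey fields just listed: a small classifier that, for each emulated attack, queries a set of SIEM records and reports log status, delivery time, alert status and prevention status together with which Option applies. The record layout, the required-field set and the delay threshold are assumptions, and all attack, log and alert records are constructed sample data.

```python
"""Added example (not Picus or Ward Solutions code): classify why a SIEM shows, or
fails to show, a usable log for an emulated attack, mapping each run to Options 1-4
above and to the threat-journey fields (log status, delivery time, alert, prevention).
All records are constructed sample data; field names and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed: a log only counts as "log exists" if it carries these fields (Option 4 check).
REQUIRED_FIELDS = {"src_ip", "dst_ip", "signature", "action"}
# Assumed: delivery later than this after the attack ends is treated as delayed (Option 3).
DELAY_THRESHOLD = timedelta(minutes=10)


@dataclass
class EmulatedAttack:
    attack_id: str
    start: datetime
    end: datetime
    detected_by_control: bool  # did a control on the attack vector identify the TTPs?
    prevented: bool            # did that control block the attack?


@dataclass
class SiemLog:
    attack_id: str      # correlation key back to the emulated attack
    received: datetime  # when the SIEM ingested the event
    fields: dict        # parsed event fields as stored in the SIEM


@dataclass
class ThreatJourney:
    attack_id: str
    prevention_status: str
    log_status: str
    log_delivery_time: Optional[timedelta]
    alert_status: str
    option: int  # 0 = log validated; 1-4 = the options described in the text


def classify(attack: EmulatedAttack, logs: list, alerts: set) -> ThreatJourney:
    """Map one emulated attack to a threat-journey row plus an Option number."""
    prevention = "prevented" if attack.prevented else "not prevented"
    alert = "alerted" if attack.attack_id in alerts else "not alerted"

    def row(status, delivery, option):
        return ThreatJourney(attack.attack_id, prevention, status, delivery, alert, option)

    # Option 1: no control on the vector identified the TTPs, so nothing could be logged.
    if not attack.detected_by_control:
        return row("no log (not detected)", None, 1)

    matching = [lg for lg in logs if lg.attack_id == attack.attack_id]
    # Option 2: the control detected it, but logging is off or delivery failed.
    if not matching:
        return row("no log (logging or delivery failure)", None, 2)

    # Option 4: a log arrived but lacks the detail needed to count as "log exists".
    # Checked before delay, since an incomplete log is not treated as a log at all.
    complete = [lg for lg in matching if REQUIRED_FIELDS <= set(lg.fields)]
    if not complete:
        missing = sorted(REQUIRED_FIELDS - set(matching[0].fields))
        return row(f"insufficient detail (missing {missing})", None, 4)

    # Option 3: a complete log exists but arrived too long after the attack ended.
    delay = min(lg.received for lg in complete) - attack.end
    if delay > DELAY_THRESHOLD:
        return row("delayed", delay, 3)
    return row("log exists", delay, 0)


def validate_all(attacks, logs, alerts) -> dict:
    """Return {attack_id: option} for a whole emulation run."""
    return {a.attack_id: classify(a, logs, alerts).option for a in attacks}


# Constructed sample run: five one-minute emulated attacks, one per outcome.
T0 = datetime(2022, 3, 1, 9, 0)
FULL = {"src_ip": "10.0.0.5", "dst_ip": "10.0.0.20", "signature": "emul-1", "action": "deny"}


def make_attack(aid, detected, prevented):
    return EmulatedAttack(aid, T0, T0 + timedelta(minutes=1), detected, prevented)


SAMPLE_ATTACKS = [make_attack("A1", False, False), make_attack("A2", True, True),
                  make_attack("A3", True, True), make_attack("A4", True, False),
                  make_attack("A5", True, True)]
SAMPLE_LOGS = [
    SiemLog("A3", T0 + timedelta(minutes=26), dict(FULL)),  # 25 min after the attack ended
    SiemLog("A4", T0 + timedelta(minutes=2), {k: v for k, v in FULL.items() if k != "action"}),
    SiemLog("A5", T0 + timedelta(minutes=3), dict(FULL)),   # 2 min after the attack ended
]
SAMPLE_ALERTS = {"A5"}
```

    Running `validate_all(SAMPLE_ATTACKS, SAMPLE_LOGS, SAMPLE_ALERTS)` yields one attack per Option plus one validated log (A5), which is the view the use case is meant to surface.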


    Findings related to the full attack spectrum are also listed, and users can narrow down the results by applying advanced filtering options (image 2). These options are:

    • Severity
    • Prevention results
    • Log Source
    • Integration Device
    • Alert Status

    You may already have sophisticated security logging and monitoring solutions. Their effectiveness is only as good as the logging sources that they capture, analyse, alert and report on. It’s necessary to proactively and regularly validate that you have all appropriate log sources provided in a timely fashion to detect suspicious or malevolent activity in your security infrastructure.

    Use Ward Solutions and our partner Picus Security's Detection Analytics platform to ensure:

    • Initial log validation, e.g. after a SIEM deployment or a significant network or infrastructure deployment, upgrade or change
    • Ongoing log validation: continuous validation to ensure ongoing logging and monitoring effectiveness
    • Ad hoc log validation in response to an event, e.g. an incident that was not alerted appropriately

    Contact Ward Solutions today to identify missing or misconfigured security logs.

    News

    Exciting New Development for Ward Solutions and our Customers

    Exciting News!
    Ward Solutions Limited has been acquired by Ekco, effective immediately

    Ward Solutions, one of the most well-established and well-respected information security consultancies and security managed service providers in the country, has been acquired by the Ekco group (www.ek.co), effective immediately. Over the course of 22 years, the company has built an extensive and high-profile client portfolio, stretching across Ireland and the UK.

    Ward’s service portfolio includes the full cyber security lifecycle from governance and compliance strategy to pen testing, cloud security, managed security and incident response.

    Commenting on the deal, Pat Larkin, CEO of Ward Solutions said:

    “There is a very strong vision for Ekco that we want to be part of and which is consistent with our customer sweet spot.  When a customer has a crisis, they want a trusted partner who can work through that crisis by helping them recover and get their data back online.

    “Together with Ekco, we can continue to build loyalty to our customers and our people.  We can accelerate growth and leverage our resources to drive greater customer value and broader market reach.”

    Steve MacNicholas, CEO of Ekco Ireland said: “A key component of our growth strategy was to acquire a specialist organisation completely focused on cybersecurity. Having Ward as part of Ekco presents an immediate opportunity to further evolve Ekco’s value proposition and offer a wider range of highly complementary and in-demand security services to our customers and partners.”

    Ekco co-founder, Eoin Blacklock added: “The security and integrity of our customers’ data in the cloud is our primary objective. As the only pure cloud provider in Ireland, Ekco can now provide the full stack of Cyber Security Services in house.”