Keys to Security Monitoring for IT, OT & Cloud
Business transformation is happening at a rapid pace and becoming more complex, while the threats IT and security teams face are also increasing in sophistication. As a result, these teams are looking for trusted partners who can help them increase visibility of their threats (as well as their threat detection gaps), reduce complexity, and address critical talent shortages.
In this article:
- The Business Impact of Digital Transformation
- Challenging the Status Quo
- Detect Faster, Respond Efficiently
- Threat Hunting Approach
- Commonly Asked Questions about IT, OT, & Cloud Security
The Business Impact of Digital Transformation
Large-scale breaches have impacted millions of people. Ransomware, malware, denial of service attacks, and phishing scams were once fringe subjects. Now, they have captured public interest, impacted the bottom line, and earned the attention of leaders in public and private institutions around the globe. The increasing sophistication of threats has taken the risks of data and reputational loss to new heights – costing companies an estimated $1.5 trillion worldwide in 2018 alone.
At the same time, organizations’ computing environments are rapidly transforming to deliver business outcomes for modern consumers in the modern world. Network perimeters continue to erode to enable this transformation. They now include mobile devices, cloud applications and platforms, operational technologies (OT) such as sensors and controls, and industrial IoT devices (IIoT).
In order to produce these business outcomes while protecting critical assets, data, and reputation, IT security teams need visibility across the enterprise stack. They require trusted cybersecurity partners who can help them reduce the complexity of managing cybersecurity programs in multi-technology environments while maximizing the value of their investments.
Challenging the Status Quo: Every Organization Should Assume Breach
It’s a cliché, but it’s true: the question is not if or when security will be breached – it is how quickly you can identify and mitigate a threat that’s already inside your organization. Executive boards are more involved and looking for reassurance that the business is resilient against the most current events.
To deliver the expected results, threat detection, containment, and remediation must be rapid and effective. However, currently, most threats go undetected for an average of 101 days. A deeper level of intelligence is needed:
- superior visibility into threats and adversaries,
- greater contextual relevance,
- and a dynamic understanding of an evolving threat landscape.
Detect Faster, Respond Efficiently
Solutions from traditional Managed Security Services Providers (MSSPs) lack the advanced capabilities required to combat advanced adversaries. An effective approach to threat detection needs to provide visibility and be non-linear, imitating the ad-hoc way an attacker moves through an environment.
This requires specific skills and capabilities that should be continuously updated to stay ahead of the curve and detect and respond more rapidly to attacks. Such capabilities require a new way of monitoring and detection, one that combines:
- expert analysts,
- threat detection frameworks,
- and intelligence sharing.
Threat Hunting Approach
However good the technology and processes are, threats can still get through the net. The most advanced managed security requires dedicated teams of threat hunters. Threat hunters are analysts who use the mindset of a hacker to investigate and research anomalous behavior, activity, and files in order to unearth unknown threats. With a global shortage of cybersecurity professionals close to 3 million, companies will have difficulty recruiting this talent directly.
Don’t Stop at Traditional IT Security Monitoring
Every environment, whether cloud, IT, or OT, needs visibility and appropriate protection.
Attack vectors are expanding with digital transformations, making it harder to reduce risk and maintain accurate visibility across the enterprise. The number of new platforms and applications collecting, storing and mining data is on the rise. Critical infrastructure is becoming more reliant on the Internet and IT environments to operate effectively. This combination provides security teams with a complex mission, attackers with new targets, and regulators with a new scope.
Visibility and Security Monitoring for Cloud Platforms
According to Gartner, 75 percent of businesses will use a multi-cloud or hybrid cloud model for their businesses by 2020. Migrating to the cloud may save time and money in the short term, but it can present long-term data visibility and security challenges, especially in hybrid environments. Businesses need a way of monitoring, detecting and responding to threats regardless of where their data is stored.
Visibility and Security Monitoring for Operational Technologies & Industrial Systems Controls
Operational Technology (OT) and Industrial Control Systems (ICS) networks represent a growing risk. Malicious activity is increasing, as evidenced by the growth in threat activity from ICS attack groups and the emergence of ICS-specific malware, such as Triton (also known as Trisis). Prominent breaches in critical infrastructures, including water and energy utilities, have highlighted the need for better security. Nevertheless, many organizations still struggle to gain the visibility needed to monitor their industrial environments effectively.
Protecting businesses against sophisticated cyberattacks is an ongoing process for IT and security teams. Most organizations opt to work with a trusted cybersecurity partner given the complex business drivers, threat landscape, and IT talent shortage they are dealing with. Such partners can bring the critical visibility, solutions, resources, and intelligence needed to minimize these risks.
Is my data safe in the cloud? Or would it be safer on premise?
Information security relies on data confidentiality, integrity, and availability. With proper security controls, all three aspects can be protected on-premise or in the cloud. Equally, all three can fail in the cloud or on-premise. Transition to the cloud means that solution responsibility is divided. Some parts are delegated to a third party while others remain the company’s responsibility (e.g. data accountability).
One key action is to adapt the security architecture design of your solution to the target environment (cloud vs. on-premise) and support it with a solid contractual base. A cloud solution can’t be designed like an on-premise one; it differs for several reasons, such as data ubiquity and elasticity.
Today, data breaches of cloud environments are mainly due to human configuration errors that expose unprotected data to the Internet.
The main risks of using cloud environments to store company data can be addressed by:
- Properly designing a secure cloud architecture that addresses confidentiality, availability and integrity aspects
- Performing due diligence on the cloud provider
- Putting in place a solid service contract
Whatever the stage of your cloud journey, Kudelski Security has services and solutions to support you – including cloud design, due diligence, security monitoring, and incident response in the cloud.
Does it really make a difference whether I keep my data in Switzerland or in a foreign cloud?
No, it doesn’t matter as long as you don’t infringe the relevant regulations and you have a strong contract in place with your cloud provider. If you use the cloud to deliver business services, accountability remains your responsibility.
What does change when your data is stored in another country is the regulation enacted in case of a breach or to protect your data against a search. When storing the data at a cloud provider, the client should find out which governing laws apply and assess whether they are adequate.
The cloud is becoming more hybrid and varied. How does one maintain the visibility needed for a secure environment?
The cloud is completely blurring the borders of data processing and storage. While appreciated for their flexibility, speed, and ease of use, cloud services can become a freeway for voluntary or involuntary data exposure. Vast amounts of confidential data have been exposed as a result.
Risks can be addressed by:
- training cloud user teams
- properly architecting and configuring professional cloud environments
- monitoring company clouds for configuration errors
Alternatively, companies can use the capabilities of Managed Security Service providers, like Kudelski Security. We monitor risks and configuration 24/7 and have reduced threat detection time from the average of 78 days to a few hours, in many cases.
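Monitoring for the configuration errors that expose data to the Internet, as the two cloud answers above recommend, can be automated. The following added example (not Kudelski Security's code) checks a storage bucket's policy and ACL for grants to everyone; the AWS S3 document shapes are real, but the bucket name, account ID, ARNs and grants are constructed sample data.

```python
import json
# Added example: policy/ACL shapes follow AWS S3; all names, IDs and ARNs are constructed.
PUBLIC_PRINCIPALS = ("*", {"AWS": "*"})
PUBLIC_ACL_GROUPS = {  # grantee URIs meaning "everyone" / "any authenticated account"
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_policy_findings(policy_json: str) -> list:
    """Sids of Allow statements granting s3 read access to the wildcard principal.
    A Condition is treated as mitigating without being evaluated (still review it)."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or stmt.get("Principal") not in PUBLIC_PRINCIPALS:
            continue
        if stmt.get("Condition"):  # e.g. aws:SourceVpce or aws:SourceIp scoping
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(a in ("s3:*", "s3:getobject") or a.startswith("s3:list") for a in actions):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

def public_acl_findings(acl: dict) -> list:
    """(group, permission) pairs the ACL grants to anonymous or any-account groups."""
    return [(PUBLIC_ACL_GROUPS[g["Grantee"]["URI"]], g["Permission"])
            for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]

# Constructed sample: an export bucket someone opened to "*" while debugging.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRead", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
     "Resource": "arn:aws:s3:::example-exports/*"},
    {"Sid": "DebugPublic", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-exports/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-exports/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}}]})
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

if __name__ == "__main__":
    print(public_policy_findings(SAMPLE_POLICY))  # ['DebugPublic']
    print(public_acl_findings(SAMPLE_ACL))        # [('AllUsers', 'READ')]
```

Run against policies and ACLs exported from each account on a schedule, so a statement opened "for debugging" raises a finding within hours rather than being discovered after exposure.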
What new challenges does the IIoT create for IT security providers?
Protecting IIoT environments is not the same as protecting IT environments. Industrial systems are built differently yet are now exposed to similar threats through their connection to IT networks. Industrial systems present new threats that can’t be handled by standard IT security measures. For example, scanning an industrial system with a vulnerability scanner may shut it down, stopping the manufacturing process.
In addition, IT security skills and solutions aren’t adapted to IIoT environments. Vendors and service providers need to offer new solutions to cover these newly exposed environments of critical service providers, e.g. energy.
Kudelski Security’s Cyber Fusion Center can support companies looking to protect their assets in an IIoT environment. The Cyber Fusion Center offers advisory, threat monitoring, hunting, and incident response around the clock.
Who watches the watchmen? How do these cybersecurity partners keep themselves safe?
At Kudelski Security, clients regularly challenge us to demonstrate that we are applying robust security controls and appropriate security governance processes. Cybersecurity partners should always practice what they preach by applying defense-in-depth security controls, threat monitoring and hunting, and incident response to their own environments.