Managed Security Services Provider (MSS): how do you make the right choice?


With hundreds of potential providers and a large volume of information and arguments to weigh, the tender process for engaging the best Managed Security Services Provider (MSSP) is no easy task. To find their way through it, professionals need to identify the key factors to consider when evaluating providers, as Olivier Spielmann, VP of Managed Detection and Response offerings at Kudelski Security, explains.

Determine your primary objective

The first step is to determine the primary objective of your security programme, and therefore of your tender. Are you mainly interested in bringing your company into compliance, or in protecting it against cyberattacks? The reality of today's cyber landscape is that compliance and security are very different intentions. Although most regulatory requirements were adopted in the hope of strengthening security, they do not evolve and are too generic, whereas the ingenuity of attackers keeps evolving.

Concretely, if compliance is all you are after, choose the cheapest provider. If, however, you want to reduce your exposure to current attacks, it is important to look for a provider offering a service focused on detecting and responding to attacks, and doing so across multi-technology environments (on-premises infrastructure, cloud resources, endpoints, Industrial Control Systems (ICS) and Operational Technology (OT)), because this security strategy requires visibility across your entire ecosystem.

Favour visibility, the key factor in improving detection and response capabilities

Today's IT environments are characterised by increasingly complex infrastructures, increasingly interconnected systems and ever-expanding attack surfaces. To obtain optimal visibility across the most important sources of information, it is important to select a provider that can anticipate the blind spots in the observation of your systems and that already has experience monitoring environments similar to yours.

So do not hesitate to entrust a specialised provider with a one-off assessment of your MSSP. This will let you uncover any gaps, as well as the strengths and weaknesses of your service, with the aim of improving the monitoring system. A change of mindset is also required in this area: moving from a penetration test, whose sole purpose is to demonstrate a company's weaknesses, to an activity aimed at improving its protection. Although the activity looks similar, the underlying process and approach are radically different.

Negotiating contract scope and cost is always possible

Do not dismiss out of hand an offer that does not fit your budget, especially if it meets your needs and integrates with your technology stack; there is always some room for manoeuvre.

Indeed, to reduce the cost of MDR services, the scope of the engagement can be narrowed. The most valuable capabilities providers offer centre on detection and response. Lower-level tactical activities (such as handling password resets, vulnerability management or supporting an identity and access management (IAM) solution) can therefore be removed from the contract while you still benefit from the provider's best services.

Be careful, however: removing less essential functions from a provider's scope of action must not impair its visibility into your environments. Effective detection and response to cyberattacks rely on complete visibility, which it is crucial to give the chosen providers in order to limit errors and omissions.

In-house or outsourced actions: be strategic

Some operational functions will undoubtedly be entrusted to your internal IT or security team. This option is sometimes cheaper and has the advantage that your employees have technical knowledge of your company and environment, which makes them more effective than an external provider. Unfortunately, recruiting can be extremely difficult, if not outright impossible, for certain specialisations. Detection engineering is a good example: this profile is in extremely high demand, and it is difficult to train someone to do the job effectively. The market is evolving towards hybrid in-house/outsourced operating models that take the best of both worlds.

Focus on objectives, not on the technology used

The cybersecurity sector moves at high speed. It is easy to be distracted by novelty and the promises of the latest technologies. In reality there is no silver bullet, and technology alone is not the answer. Rather than looking for a provider able to support the most recent tools, focus on its performance, the objectives it proposes and its fit with your corporate culture.

To do this, your organisation needs to know its gaps, in visibility, detection and response as much as in its current cybersecurity training, policies and processes.

Although buying newer, more capable security tools does not improve outcomes in itself, modernising your technology stack is sometimes useful. Once again, the key to success is to focus on your objectives. In some cases you will get better results by leveraging the systems already in place. That is why, in your discussions with the providers under evaluation, you need to address the following questions clearly and honestly: which technologies do you support, and why? And beware: "whatever technologies you use, we support everything" is not an answer! No MDR provider worthy of the name can be 100% effective on every current technology (SIEM or cloud platform).


8 Tips for Choosing an MSSP


Using objective, evidence-based criteria to evaluate vendors is essential.

With hundreds of prospective providers and tons of marketing buzzwords to wade through, choosing the best managed security service providers (MSSPs) to effectively protect both your MSP business and your customers is no easy task. However, as C-suite leaders increasingly push back against security expenditures where there’s little or no proof that they mitigate real-world risks, finding objective, evidence-based criteria to evaluate vendors is essential.

To help navigate the complexities of the market—and better compare providers’ offerings—there are eight key considerations and tips to keep in mind when evaluating the best MSSPs for you and your clients.

1. Understand core objectives
The first issue to consider is the primary objectives for your security stack. Are your clients most concerned with achieving compliance or thwarting attackers? The unfortunate reality of the current threat landscape is that compliance and security are not equivalent concepts. Though most regulatory requirements were enacted in hopes of enhancing security, they’re static, and the audit process captures only a moment-in-time snapshot of your security posture. Meanwhile, attacker tactics and techniques are always changing, as is the technology environment. Simply put, if all your clients want is compliance, choose the cheapest solution for your stack.

If, however, a careful evaluation of your firm’s—and your customers’—business risks reveals that gaining security visibility and responding quickly to attacks is most valuable, look for the provider that can best achieve the objective of detecting and responding to attacks within these various environments.

2. Enhance visibility
An essential truth about today’s computing environments is that infrastructures are more diverse and distributed, systems are increasingly interconnected, and attack surfaces continue to expand. As a result, security visibility is harder than ever to maintain, yet without the correct security logs, data, and visibility, effective threat monitoring and detection is impossible.

Look for a provider that can eliminate blind spots where it matters most, achieving visibility by focusing on your detection objectives. These detection objectives should ideally be the outcome of a threat modeling exercise. Additionally, seek out a provider that offers visibility across multiple environments, including on-premises infrastructure, cloud resources, endpoints, and industrial control systems (ICS) / operational technology (OT). You should validate that the provider has experience monitoring environments like yours. They should also be able to leverage a formal framework or methodology (such as MITRE ATT&CK) to ensure there are no major visibility gaps for the attack techniques many adversaries are likely to use.


3. Negotiate contract scope and pricing
If a provider is a good fit in all ways but their cost, keep in mind that pricing is almost always negotiable. Don’t settle for a provider that can’t deliver the value and capabilities your MSP needs just because they’re more affordable.

One way to reduce the cost of a provider’s managed detection and response (MDR) services is to reduce the scope of engagement. For example, eliminating lower-level, tactical activities like identity and access management (IAM) services from a contract ensures you’ll get the best an MDR provider has to offer: finding threat actors in your environment and responding on your behalf.

It’s also relatively easy to train someone in-house or hire a less-specialized provider to carry out commodity functions. In the current cybersecurity market, it’s more difficult to hire internal detection engineers and response playbook writers.

4. Partner with a single provider for mission-critical work
While removing less-than-essential functions from the scope of a provider’s responsibilities can be an effective cost-limiting measure, it shouldn’t be done in a way that limits visibility.

For example, if you have multiple security service providers with one vendor monitoring your environment, another monitoring your endpoint detection and response (EDR) tool, and another monitoring your security information and event management (SIEM) tool, visibility gaps are all but inevitable for all your providers.

In these “split brain” scenarios, none of your providers will be as effective as they could be. Cyberattacks involve multiple stages and tactics; to fully comprehend a sequence of events, security teams need to be able to understand what happened throughout your customer’s environment—endpoint, network traffic, Azure AD logs, etc.

5. Focus on outcomes
The way to achieve a better overall security posture is by doing the fundamentals consistently, not just relying on flashy new technology. Rather than looking for a provider that can support the trendiest toolsets, concentrate on outcomes. To make fact-based investments, you need to understand where your visibility and detection gaps are so that you can close them effectively.

Also, look for gaps in internal training, policies, and processes. An experienced provider can work closely as a partner and guide you toward greater security maturity by enhancing your fact-based understanding of strengths and weaknesses.

6. Replace legacy technologies if they don’t deliver on necessary outcomes
Although buying the latest and greatest security tools will not improve outcomes on their own, there are times when it makes sense to modernize your security stack. In some cases, you can’t achieve better outcomes just by leveraging technology that’s already in place.

Have an honest conversation with prospective MSSPs about which technologies they support and why.

There’s no way a high-quality MDR provider can be equally effective with every SIEM, EDR, or cloud security platform on the market today.

Technology sprawl affects all information security teams, including MDR providers and MSSPs. Learning each additional tool requires time, money, and training. Like everyone else, security providers must make tradeoffs about which technologies to prioritize. Any MDR provider who says they support every technology is either dishonest or ineffective.

7. Look for meaningful SLAs
Meaningless service-level agreements (SLAs) are all too common today. If your desired outcome is to be able to detect and respond to malicious activities quickly enough to prevent ransomware from spreading across your environment, does the number of “dedicated” resources assigned to your account matter?

I’ve seen organizations request SLAs such as “critical alerts must be triaged within five minutes, and low-criticality alerts within six hours.” How could your provider possibly validate that a new alert is critical without triaging it?

Sure, providers can look at the criticality of the technique detections are trying to find. However, waiting six hours to triage a low-severity detection could be detrimental. A small breadcrumb that triggers a low-severity alert can lead to the discovery of a seasoned and methodical threat actor.

Note that attackers also use MITRE ATT&CK to identify likely gaps in visibility or to build novel techniques not currently included in the knowledge base.

8. Engage key stakeholders
It’s important to manage your customer’s procurement process carefully. Decision makers often seek to achieve business objectives at the lowest cost possible and may not understand the nuanced differences between vendors or the desired security objectives.

Make sure all the key stakeholders thoroughly understand how well the provider can support outcomes that will meaningfully reduce business risk.

The original article was featured in Channel Pro Network.

7 Red Flags to Look for in Your MSSP Relationship


The managed security service provider market is crowded with 5,000+ companies worldwide offering some degree of MSS. That’s good news and bad news for customers. Competition should drive quality of service up across the board. But it also presents a paradox of choice, and many customers find themselves with buyer’s remorse.

A good MSSP, however, is invaluable. The variety and volume of security technologies available create a web that becomes too complex and costly for the enterprise to manage and maintain itself. Complexity, after all, is the enemy of security.

What Is an MSSP, and What Is It Not?

Before we begin, it’s important to understand what you should expect from your MSSP.

At its most basic, a managed security services provider is an outsourced partner who monitors and manages security technology on behalf of the enterprise to aid in incident detection and response. MSS, however, can be much more than that. The right provider will understand the bigger security picture for the enterprise and be able to contextualize the threat, reduce time to detect the breach, and, ultimately, lessen its impact.

Most traditional MSSPs aren’t set up to achieve those outcomes, however. Instead, they’re comprised of bolted-on services primarily driven by sales opportunities. A customer purchases a large amount of technology and asks if they might also be able to manage that technology. Then another technology is purchased, and more services are created and sold.

The problem with this approach is it simply shifts the complexity to a different team. That team may have more technical knowledge, but the services are still siloed and independent from the total security strategy and ecosystem.

Understanding the differences in approaches is critical to the long-term success of your MSSP relationship. So how do you tell a good MSSP from a bad one? Here are seven red flags to look for.


7 Signs It’s Time to Move on from Your MSSP

#1 Their portal has an ugly interface.

Forgive us for being vain, but the usability of the MSSP portal absolutely matters. The portal should be beautiful, easy to use, and, most importantly, provide value and context from the very first screen. Many portals today are outdated and not user-friendly. If your MSSP has a portal and you never log into it, that’s a problem.

#2 They are just an alert factory.

Is your MSSP simply “alerting” you to alerts? You deserve more! Your MSSP should be able to provide insight and context as to why that alert is or is not relevant to you. If the alerts you receive are generic and templatized, you’re essentially paying your MSSP to manage escalations.

#3 They can’t give you a unified view of incidents across environments.

In this day and age, providing management and visibility across environments—IT, OT, Cloud, etc.—is table stakes. If your MSSP can’t give you a unified view of incidents across environments, or if they can’t provide security visibility regardless of where your data resides, it’s time to move on.

#4 They say they do threat hunting, but can’t prove it.

Threat hunting has become a buzzword that MSSPs use to lure in prospective clients. But can they actually back it up? Threat hunting should not be abstract. In our case, we show clients exactly which threats we’ve detected and the relevant incidents right in their portal. This should be the norm, not the exception.

#5 They have restrictive SLAs and a nickel-and-dime attitude.

This one is pretty simple. If your MSSP is holding you to an SLA, or if their own SLAs are prohibitive, they do not have your best interest at heart. Similarly, if they charge for every extra hour or request outside your retainer, their loyalties lie with their bottom line rather than your security wellbeing.

#6 They can’t give you real-time visibility into the service you’re paying for.

Do you know if the services you were promised are being delivered? If service was interrupted, would you be able to tell? If not, it’s time to look for a better provider.

#7 You’re only with them because they were easy to get through procurement.

Would you believe that customers often don’t actually choose their number one MSSP? It’s true! Customers often end up choosing the MSSP that’s best from a budget, procurement or MSA perspective, rather than the one that offers the best services. With a service that you’ll interact with nearly every day, it’s important not to fall into the “procurement trap.”


3 MSSP Requirements You Shouldn’t Compromise On

If you decide it’s time to let your MSSP go, it’s important not to repeat the same mistakes you have in the past. Here are three criteria to add to your checklist when selecting an MSSP.

Modern interfaces and collaboration tools. Today’s security engineers have been raised on mobile devices and chat apps. Streamlining the user experience and offering more real-time collaboration will ultimately lead to better client satisfaction.

Tailored, strategic service. An MSSP that customizes its services to your specific environment and is committed to your long-term success will ultimately be more successful than one that relies on a more transactional approach.

Honesty and transparency. Your MSSP will likely not be able to “do it all.” There may be areas where your team is stronger or where a technology vendor may be able to provide better service. Your MSSP should work with you to define and shape requirements rather than claim they can check all the boxes. 

The Office 365 Avenue of Approach


Threat actors, advanced persistent threats, and simple cybercriminals are always looking for the latest way to get in or take advantage of potential victims. An avenue of approach is defined as a route of an attacking force leading to its objective. The latest and easiest avenue of approach is Office 365. Because this capability is relatively new, IT organizations have not put as much thought and expertise into defending this critical communications capability as they did with their on-premises Exchange infrastructure, and the threat has been able to take advantage of this lack of attention.

Office 365 is complex and has many caveats, without a lot of security guidance or documentation available. The initial vector remains primarily phishing. Although two-factor authentication has helped reduce phishing, there have been many cases in the past several years where attackers phished the two-factor code as easily as the normal credentials. There are even several open-source two-factor bypass frameworks that are being leveraged daily to compromise users. With all the available ways to keep stealing user credentials, attackers continue to go after O365 as a way to manipulate or execute social engineering to steal money.

In one scenario, an attacker gained access to an account on O365 and enabled send-on-behalf privileges, created administrator accounts, and created inbox rules for certain individuals, all in an attempt to hide malicious communication activity and spoofed emails. The attacker sent an email from a self-created email thread containing the responses and forwards of legitimate company executives, with instructions to wire funds.

In another scenario, attackers sent requests for payment with a PDF invoice that contained new, attacker-controlled account information. All of these actions leveraged unauthorized access to the email environment, and the activity went undetected for many weeks. The new norm for defenders must be to monitor and review activity, configuration changes, inbox rules, and account delegations. Hunting in real time and watching not just for security events but also for suspicious or abnormal IT activity is a must for reducing dwell time. Fraud and security teams must develop processes and playbooks for working together to combat this attacker technique.

So how do we impede or block the O365 avenue of approach? The playbooks must include what alerting the security team has available and which use cases, including non-security IT activity, a security and/or fraud team may need in order to identify malicious activity. Ensuring there is a monitoring and hunting capability while doing configuration verification is simply a must. This includes a thorough review of current licensing and logging, so that when an incident happens administrators are not blind to attacker activity because logging was insufficient. An important report to review is the malware detections report. The ability to detect a security control failure and limit the impact of account compromises is paramount. Just like on other systems, using multi-factor authentication for O365 helps protect the data and devices accessible to each individual, but it is not a silver bullet. Limiting the number of global administrators and monitoring the activity of those administrator accounts identifies when the most valuable accounts are being used. Another good practice is turning on mailbox auditing for all users and consuming and alerting on its events, which gives visibility into unauthorized access in Exchange Online. Email is, of course, a normal phishing avenue of approach, so understanding how the users in your O365 environment are being targeted by malware, in order to determine further mitigations or more aggressive malware defense actions, is key.

Other security actions include reviewing mailbox access by non-owners, which identifies possible malicious activity, and turning on spam notifications. The latter lets you see which accounts are blocked for sending spam, which is also an indication of an attacker using that account. Whatever actions you take, make sure there is a continuous periodic review; never use a set-it-and-forget-it approach. Additionally, Microsoft has been rolling out more advanced security options for O365 within its Automated Investigations and Response (AIR) framework, including security playbooks that automate the opening of investigations. The initial set of playbooks includes User-reported Phish Message, URL Click verdict change, Malware ZAP, Phish ZAP, and email investigations.

O365 is complex, and moving from on-premises Exchange to O365 does not reduce the security activities and actions required to defend your environment. Attackers will continue to use this avenue of approach until we as security professionals force them to move to a different avenue in order to gain ground. Making this lucrative objective a hardened target should be on everyone’s to-do list.
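The monitoring the paragraphs above call for (inbox rules that forward or hide mail, mailbox forwarding, delegations and send-on-behalf grants, global-administrator changes) as a small detector run over audit-log records. This is an added example, not code from the original article or from Kudelski Security; the field names follow the shape of Office 365 unified audit log entries, while the records, addresses and the example.com domain are constructed.

```python
import json
from typing import Any

# Assumption for this constructed example: the organisation's own mail domains.
INTERNAL_DOMAINS = {"example.com"}

# Cmdlet parameters whose value is a destination mailbox (rule- and mailbox-level forwarding).
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress")
# Keywords in rule conditions that typically accompany invoice / wire-fraud rules.
FRAUD_WORDS = ("invoice", "payment", "wire", "bank")

# Constructed sample records in the shape of unified audit log entries: Exchange cmdlet
# arguments under "Parameters", Azure AD role changes under "ModifiedProperties".
SAMPLE_LOG = r"""
{"CreationTime":"2020-03-02T08:14:05","Workload":"Exchange","Operation":"New-InboxRule","UserId":"alice@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;wire transfer"},{"Name":"ForwardTo","Value":"\"smtp:billing@external-example.net\""},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2020-03-02T08:20:41","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"alice@example.com","Parameters":[{"Name":"Identity","Value":"bob@example.com"},{"Name":"ForwardingSmtpAddress","Value":"smtp:bob.mail@external-example.net"}]}
{"CreationTime":"2020-03-02T08:25:12","Workload":"Exchange","Operation":"Add-MailboxPermission","UserId":"alice@example.com","Parameters":[{"Name":"Identity","Value":"ceo@example.com"},{"Name":"User","Value":"alice@example.com"},{"Name":"AccessRights","Value":"FullAccess"}]}
{"CreationTime":"2020-03-02T08:27:33","Workload":"Exchange","Operation":"Set-Mailbox","UserId":"alice@example.com","Parameters":[{"Name":"Identity","Value":"cfo@example.com"},{"Name":"GrantSendOnBehalfTo","Value":"alice@example.com"}]}
{"CreationTime":"2020-03-02T09:02:10","Workload":"Exchange","Operation":"New-InboxRule","UserId":"carol@example.com","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@example.com"},{"Name":"MoveToFolder","Value":"Newsletters"}]}
{"CreationTime":"2020-03-02T09:10:55","Workload":"AzureActiveDirectory","Operation":"Add member to role.","UserId":"alice@example.com","ObjectId":"helpdesk2@example.com","ModifiedProperties":[{"Name":"Role.DisplayName","NewValue":"\"Global Administrator\""}]}
"""


def _params(record: dict[str, Any]) -> dict[str, str]:
    """Flatten the record's Parameters list ([{Name, Value}, ...]) into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def _addresses(value: str) -> list[str]:
    """Split a parameter value into bare addresses (quotes and 'smtp:' prefix removed)."""
    out = []
    for part in value.replace('"', "").split(";"):
        part = part.strip().lower()
        if part.startswith("smtp:"):
            part = part[5:]
        if part:
            out.append(part)
    return out


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def analyze(record: dict[str, Any]) -> list[str]:
    """Return a human-readable reason for each suspicious behaviour found in one record."""
    findings = []
    op = record.get("Operation", "")
    p = _params(record)
    # 1. Forwarding to an external mailbox, either by rule or at the mailbox level.
    if op in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox"):
        for name in FORWARDING_PARAMS:
            ext = [a for a in _addresses(p.get(name, "")) if is_external(a)]
            if ext:
                findings.append(f"{op}: {name} to external {', '.join(ext)}")
    # 2. Rules that delete or file away mail matching payment keywords (hides the fraud thread).
    if op in ("New-InboxRule", "Set-InboxRule"):
        hides = p.get("DeleteMessage", "").lower() == "true" or bool(p.get("MoveToFolder"))
        conditions = " ".join(p.get(k, "") for k in
                              ("SubjectContainsWords", "BodyContainsWords",
                               "SubjectOrBodyContainsWords")).lower()
        if hides and any(w in conditions for w in FRAUD_WORDS):
            findings.append(f"{op}: rule hides mail matching payment keywords")
    # 3. Delegations: full mailbox access and send-on-behalf grants.
    if op == "Add-MailboxPermission" and "fullaccess" in p.get("AccessRights", "").lower():
        findings.append(f"{op}: FullAccess on {p.get('Identity')} granted to {p.get('User')}")
    if op == "Set-Mailbox" and p.get("GrantSendOnBehalfTo"):
        findings.append(f"{op}: send-on-behalf for {p.get('Identity')} "
                        f"granted to {p.get('GrantSendOnBehalfTo')}")
    # 4. New global administrators (Azure AD audit record).
    if op == "Add member to role.":
        for mp in record.get("ModifiedProperties", []):
            if mp.get("Name") == "Role.DisplayName" and \
                    "global administrator" in str(mp.get("NewValue", "")).lower():
                findings.append(f"{op}: {record.get('ObjectId')} added to Global Administrator")
    return findings


def scan(log_text: str) -> list[dict[str, Any]]:
    """Run analyze() over JSON-lines audit records and collect one alert per finding."""
    alerts = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        for reason in analyze(rec):
            alerts.append({"time": rec.get("CreationTime"),
                           "actor": rec.get("UserId"), "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['time']}  {alert['actor']:<20}  {alert['reason']}")
```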

References

https://attack.mitre.org/software/S0018/

https://docs.microsoft.com/en-us/office365/securitycompliance/automated-investigation-response-office

In security monitoring, visibility is decisive


Given the high pace and complexity of business transformation and the ever-increasing security threats to hybrid environments, IT and security teams want trustworthy security partners who can help increase visibility, reduce complexity and counter the skills shortage.

Olivier Spielmann, Director of EMEA Managed Security Services, Kudelski Security.

Millions of people are affected by large-scale data theft. Cybersecurity, the defence against these threats, is therefore increasingly moving into the centre of attention everywhere. At the same time, the complexity of cyber threats is also growing, which raises the danger to data and to the reputation of the affected companies to a new level. In 2018 alone, cyberattacks cost businesses worldwide around 1.5 trillion US dollars. At the same time, organisations are constantly adapting their IT to the rising expectations of consumers.

Network perimeters are being eroded further and further to enable this transformation. To continue to guarantee the security of critical company data, IT security teams need enterprise-wide visibility. For this they need trustworthy partners who support them in the complex management of cybersecurity programmes in multi-technology environments and help to maximise the value of their investments.

Always assume a breach!

The question is not whether or when a data breach will occur, but how quickly a threat that is already in the network can be detected. Executive management is getting more involved; it wants assurance that the company is protected against current threats. Nevertheless, most threats remain undetected for an average of 101 days. A higher level of information is required: a better overview of threats and adversaries, greater contextual relevance and a dynamic understanding of a changing threat landscape.

Traditional solutions from managed security services providers (MSSPs) lack the advanced capabilities required to combat advanced adversaries. An effective approach to threat detection must not be linear; it must generate visibility and mirror an attacker's ad hoc movements within the system. This requires specific expertise and skills that have to be refreshed continuously to stay one step ahead.

The threat hunting approach

No matter how good technology and processes are, threats can still go undetected. An advanced security function requires specialised teams of threat hunters, i.e. analysts with a hacker's mindset who analyse anomalous activity and files to uncover unknown threats. However, as the world is short of almost three million cybersecurity professionals, companies will struggle to recruit the talent they need.

With digitalisation, the number of attack vectors is increasing. There are also ever more platforms and applications that collect, store and analyse data. This makes it harder to reduce risk and maintain high visibility across the entire enterprise. Critical infrastructures are increasingly dependent on the internet and on IT environments to operate effectively. The combination of these factors means a complex mission for security teams, new targets for attackers and a completely new dimension for regulators.

Visibility and monitoring of cloud platforms: according to Gartner, 75 percent of companies will have implemented a multi-cloud or hybrid cloud model by 2020. Migrating to the cloud may save time and money in the short term. However, cloud use brings major challenges for long-term visibility and data security, particularly in hybrid environments.

Visibility and security monitoring in Operational Technology (OT) and Industrial Control Systems (ICS): OT and ICS networks represent a growing risk. Malicious activity is increasing, as evidenced by the rising number of threat activities by ICS attackers and the emergence of ICS-specific malware such as Triton or Trisis. Notorious attacks on critical infrastructure, including water and energy utilities, showed that better security is needed here. Nevertheless, many organisations still struggle to achieve the visibility needed to monitor their industrial environments effectively.


The boundary blurs in the cloud

The cloud makes many promises: faster, cheaper, simpler. "More secure" is rarely heard in that list. For SMEs in particular, the cloud can at times be unsettling. Olivier Spielmann, Director of EMEA Managed Security Services at Kudelski Security, offers advice. Interview: Coen Kaat

Does it matter whether I store my data in Switzerland or in a foreign cloud?

Olivier Spielmann: No, as long as you do not breach the relevant regulations and have a good contract with your cloud provider. If you use cloud services to deliver business services, the responsibility remains with you. What changes when your data is stored in another country are the legal requirements that apply in the event of a data breach or to the protection of your data from searches. When storing data with a cloud provider, you should establish which laws apply and whether they are adequate.

The cloud is becoming ever more hybrid and diverse. How do you achieve the transparency required for a secure cloud environment?

In the cloud, the boundary between data processing and data storage blurs. Cloud services are valued for their flexibility, speed and ease of use, but they can, intentionally or not, become a wide-open portal for data exposure, through which huge amounts of confidential information have already been disclosed. Risks can be minimised by training cloud user teams, by correct architecture and configuration of professional cloud environments, and by monitoring corporate clouds for configuration errors. Alternatively, companies can use the capabilities of managed security service providers such as Kudelski Security. We monitor risks and configurations around the clock and have in many cases reduced the time to detect threats from an average of 78 days to a few hours.

Welche neuen Herausforderungen stellt das IIoT für IT-Sicherheitsdienstleister dar?

IIoT-Umgebungen zu schützen ist nicht dasselbe wie der Schutz von IT-Umgebungen. Industrielle Systeme sind unterschiedlich aufgebaut, sind aber durch ihre Verbindung zu IT-Netzwerken nun ähnlichen Bedrohungen ausgesetzt. Sie bringen neue Risiken mit sich, die sich mit herkömmlichen IT-Sicherheitsmassnahmen nicht beheben lassen. So kann beispielsweise das Scannen eines Produktionssystems mit einem Schwachstellenscanner das System abschalten und damit den Fertigungsprozess stoppen. Darüber hinaus sind IT-Sicherheits-Kompetenzen und -lösungen nicht auf IIoT-Umgebungen ausgerichtet. Anbieter und Dienstleister müssen neue Lösungen bereitstellen, um diese neu exponierten Umgebungen kritischer Dienstleister – zum Beispiel in der Energiebranche – abzudecken. Unternehmen, die ihre Anlagen in einer IIoT-Umgebung schützen möchten, können sich an das Cyber Fusion Center von Kudelski Security wenden, das rund um die Uhr Beratung, Bedrohungsüberwachung, Threat Hunting und Störungsbehebung anbietet.

Wer bewacht die Wächter? Wie gewährleisten ­Cybersicherheitspartner ihre eigene Sicherheit?

Bei Kudelski Security fordern Kunden uns regelmässig auf, zu beweisen, dass wir robuste Sicherheitskontrollen und angemessene Security-Governance-Prozesse anwenden. Cybersicherheitspartner sollten selbst umsetzen, was sie predigen, indem sie auch in ihren eigenen Umgebungen tiefgreifende Sicherheitskontrollen, eine effiziente Bedrohungsüberwachung, Threat Hunting und Störungsbehebungssysteme implementieren.

Read the original article by clicking here.

Requirements to Action: Cyber Threat Intelligence

“Military intelligence” is no oxymoron. I’m not a career intelligence professional, but I have worked with some of the best intel organizations and operations in the world, including cyber operations and U.S. military intelligence. So, when I need to assess cyber intelligence, I revert to the framework used in a military environment.

The essential basics of any intelligence operation, whatever the sector, cover requirements definition, collection, processing and exploitation, analysis and production, and dissemination. So, what particular insights should you examine within this framework, the one used by the best cyber intelligence organizations?

A critical part of any intelligence operation is determining the need. Just saying "I need cyber intelligence" or "I am going to create cyber intelligence" will get you nowhere. A consumer or producer of intelligence needs to understand what is required in order to build not only a collection platform that meets those needs but one that actually executes the required collection. If you're a cyber intelligence organization, the value of your production depends not only on your analysis but just as much, if not more, on your collection.

Another aspect of your needs may be strategic and not just tactical. Strategic intelligence can help when building network or security architectures, detection capabilities and hunting operations. There are knowledge bases of threat techniques, such as MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™), which can be used to evaluate your defenses or detection capabilities. Some of the best organizations use these threat techniques to build their security operations and detection frameworks. These organizations use strategic intelligence to protect against the threats specific to their vertical, their infrastructure or their architecture.

Another part of strategic intelligence is actor and intent. Although intent may be evident in some situations, APTs have a very different intent from a simple ransomware attack. Intent and attribution can be a specific requirement for government and law enforcement to meet their needs, but intent also can be useful in other sectors like critical infrastructure. Understanding the long-term goal or intent of intellectual property theft, denial of service or physical destruction within your sector can go a long way toward understanding your risks, your specific strategic intelligence requirements and the real-time tactical intelligence you require to mitigate those risks.

The size and/or scope of your collection platform capability will determine the size of your output. Single intelligence sources or single-function processes like scraping the web for malicious content or links are valuable but deliver limited intelligence with specific applications. If you only collect, process and analyze malware, it stands to reason that you will only produce malware intelligence. Collection capability really comes from the ability to acquire unique data. Companies execute collection with various techniques, media and locations. Incident response collects data. Security products collect data. Web and darknet scraping collect data. Intrusion and network analysis collects data. Hunting collects data. The best intelligence organizations are multi-faceted, so they can fuse together all the intelligence collected from different platforms.

Size and scope of collection are analogous to your own internal network collection and processing. Think about your network Security Information and Event Management system (SIEM). Your SIEM scales in value with more data sources (collection platform) and better correlation (processing) within the platform. If you have one data source, firewalls for instance, you get collection and correlation from firewalls only. But if you have servers, endpoint detection capabilities and email gateway logs as well as firewalls providing data, you can correlate the information you receive from these multiple sources. When it comes to intelligence collection, companies that have a large platform or multiple platforms provide different intelligence than a provider that scrapes the dark web for specific attributes. Both can be valuable, but again this goes back to your needs and requirements. The main point to remember: not all intelligence providers are created equal, and one big differentiator is the quality of their collection platforms.

The ability to process raw data plays a significant role in an intelligence provider's ability to produce real-time intelligence. The best intelligence organizations have developed two important capabilities: vast collection and big data analytics. Using, storing and executing complex analytics on large amounts of data is challenging. The future is now when it comes to using artificial intelligence such as machine learning to support operations; the key to success is figuring out which providers are just using "AI" as a buzzword. Data without good analytics only yields piles of data with no actionable outcome. The larger and more diverse the data types and structures, the better your data storage and your ability to perform analytics must be. If you understand your provider's ability to conduct analytics on their collection, you are another step closer to ROI on intelligence.

The goal of intelligence analysis is to figure out what will happen next. Great providers understand they must assess what is happening now and why it's happening. Intelligence activities include trying to determine the attacker's tactics, techniques and procedures. Some attackers use botnets, malware or ransomware. Others use phishing, Metasploit or fileless attacks. All these techniques, and the tactics of code writing, timing, sequence, targeting and infrastructure used, need to be collected to find and attribute the most sophisticated threats.

The best nation-state actors develop techniques to look like other nation states. Finding advanced persistent threats (APTs) takes an enormous amount of data, combed through by the best analytics fast enough to find the needle in a field of haystacks. Understanding your provider's analysis capabilities is very different from knowing their collection methods, analytics and production capabilities. Good analysis comes from years of experience working to get into the mind of the threat actors, to understand their motivation and the goals of those threats. When assessing analysis, look for experience and historic achievements as well as a good methodology for using what they collect to reach conclusions on your requirements.

In some ways, understanding how you will consume threat intelligence, or how it will be provided, determines your requirements. Understanding how intel is disseminated is key: Are there automated feeds? Do I get an email? Do I read it on a portal? Are indicators of compromise provided? Is it a list of exploits being used against the newest vulnerabilities? Is it structured for use by my security tools, for example through direct SIEM ingestion?

In its simplest form, the intelligence needs to be actionable by security staff or security tools. In other words, it must have an actual effect on your defenses. Knowing that the Chinese hacked the Office of Personnel Management (OPM), that the Russians hacked the DNC, or that the latest botnet is spreading across America may be good to know, but how does that help your security staff change your security posture?

What of that is actionable? Does your security team or provider get actionable intelligence, and how do they make it useful? Do they have a way to translate data, information and intelligence into a useful defense scheme, or to execute real-time targeted hunting in your unique environment based on your atmospherics, architectures, vulnerabilities and priorities? How many times have you seen the intel provider send you an email with links to other web articles? Having an intelligence feed because it's required by regulation may check the box, but you must figure out how to use that feed to the maximum extent possible. How does crawling the web help my situation? Situational awareness about threats is one thing, but actionable intelligence is what reduces risk, finds threats and stops breaches.
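As an added example that is not from the article, the Python below turns the two points made above, that a SIEM gains value from correlating more data sources and that intelligence must be actionable by tools rather than merely informative, into working code: it ingests a constructed indicator feed, matches it against constructed firewall, email gateway and EDR events, and ranks hosts by how many independent sources corroborate a hit. All indicator values, hostnames and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed indicator feed (hypothetical values, not real indicators),
# keyed by indicator type the way a SIEM ingestion job might load it.
IOC_FEED = {
    "ip": {"203.0.113.45": "constructed C2 address"},
    "domain": {"invoice-update.example": "constructed phishing domain"},
    "sha256": {"a" * 64: "constructed loader hash"},
}
# Which normalised log field carries which indicator type.
FIELD_TYPES = {"dst": "ip", "sender": "domain", "sha256": "sha256"}

# Constructed sample events, "<source> key=value ...", from three sources.
LOGS = [
    "firewall host=ws-17 dst=203.0.113.45 action=allow",
    "mailgw host=ws-17 sender=billing@invoice-update.example attachment=stmt.xlsm",
    "edr host=ws-17 sha256=" + "a" * 64 + " proc=excel.exe",
    "firewall host=ws-03 dst=198.51.100.9 action=allow",
    "edr host=ws-03 sha256=" + "b" * 64 + " proc=notepad.exe",
]
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split a normalised log line into (source, {field: value})."""
    source, _, rest = line.partition(" ")
    return source, dict(KV_RE.findall(rest))

def indicator_for(field, value):
    """Map a field value to the feed's indicator type; emails reduce to their domain."""
    ioc_type = FIELD_TYPES.get(field)
    if ioc_type == "domain" and "@" in value:
        value = value.rsplit("@", 1)[1]
    return ioc_type, value

def correlate(logs, feed):
    """Match events against the feed and rank hosts by how many distinct sources
    corroborate them: one hit is a lead, three sources agreeing is actionable."""
    per_host = defaultdict(lambda: {"sources": set(), "hits": []})
    for line in logs:
        source, fields = parse_event(line)
        host = fields.get("host", "unknown")
        for field, value in fields.items():
            ioc_type, ioc = indicator_for(field, value)
            note = feed.get(ioc_type, {}).get(ioc)
            if note:  # only feed matches count; unrelated traffic is ignored
                per_host[host]["sources"].add(source)
                per_host[host]["hits"].append((source, ioc_type, ioc, note))
    findings = [{"host": h, "sources": len(d["sources"]), "hits": d["hits"]}
                for h, d in per_host.items()]
    return sorted(findings, key=lambda f: (-f["sources"], f["host"]))
```

With the sample data, ws-17 surfaces with three corroborating sources while ws-03, whose traffic matches nothing in the feed, produces no finding at all.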

Even the best intelligence-producing organizations are producing for a specific need. Know what your needs are, so you can make sure you choose a provider that gives you actionable intelligence for your particular needs, tactical or strategic. The current landscape for cyber intelligence is vast and confusing. Providers will give you the intelligence they gain based on their own collection, processing, analysis and production capabilities.

Article originally appeared in SC Magazine. Read it here.