An Enterprise View of Software Defined Perimeter

As cloud computing and unmanaged endpoints continue to gain traction, it is a foregone conclusion that information security technical controls must become more virtual – that is to say, software-based. Rapidly disappearing are the days of physical perimeters and hardwired network architectures.

One of Cloud Security Alliance’s most promising research projects, Software Defined Perimeter (SDP), looks to accelerate the implementation of virtual controls to make organizations more secure without losing the agility cloud and mobility offer. SDP is inspired by the military’s classified, “need to know” network access model. SDP provides the blueprint for an on-demand, point-of-use security perimeter with a tremendous number of interesting security use cases.

The linked slide deck is a presentation about SDP from Kirk House, who is an SDP Working Group leader as well as Global Director, Enterprise Architecture at The Coca Cola Company. Kirk’s presentation provides an enterprise view of how we need to rethink security with SDP. Starting from zero trust, SDP makes application-level segmentation achievable, eliminates a wide variety of intermediate attack vectors, and raises overall security; the case is compelling.

Software Defined Perimeter is coming to you soon, and I hope you will take the time to learn more about it.

Jim Reavis, Co-founder and CEO, Cloud Security Alliance

[Cloud Security Alliance Blog]

How Do We Stack Up to Gartner’s Five Steps for Ransomware Protection?

Gartner’s June 2016 article, “Use These Five Backup and Recovery Best Practices to Protect Against Ransomware,” outlines five steps for mitigating the threat and/or risk of being hit with ransomware. I will spare you the market stats and dollar figures intended to scare you into taking action now. If you have an affinity for ransomware horror stories, click here, here, here, or even here.

Instead, let’s look at Gartner’s best practices and let you judge whether we are a legitimate provider of ransomware protection. Heads-up: one-third of our customers have recovered from ransomware using our endpoint backup and restore software, so Code42 customers are well represented.


Gartner Step 1: Form a single crisis management team
Typically, a crisis management team consists of only the customer’s employees, but Code42 does have a virtual seat at this table. Each and every day Code42 system engineers, IT staff, product managers, developers, professional services and customer support staff meet to discuss and address issues raised by our customers. This response team works together to solve customer problems so customers can effectively conduct internal risk assessments and respond to incidents that threaten the health of their endpoint data.

Gartner Step 2: Implement endpoint backup
This IS our responsibility, and we are the best at it, so say our customers. Including one senior IT manager who said, “CrashPlan gives me immense confidence as an IT manager. Case in point: an executive was traveling to Switzerland for a big presentation and had his laptop stolen en route. He was able to go to an Apple store, purchase a new machine, install CrashPlan, sign in and restore his files in time for the presentation. And we won the business. I was able to talk him through this on a five-minute phone call. It does not get better than that.” (Click here to read the entire review.*) Or instead of reading through all the reviews and case studies, we can cut to the chase and simply answer the question: Why are we the best?  Because we deliver what matters most to enterprise customers—from end users to admins to executives.

  1. It just works. Code42 works continuously to back up your data no matter the device, no matter the network. In fact, seven out of ten IT admins consider themselves more productive after deploying Code42, which translates to more time focused on projects that are more strategic and rewarding.
  2. It scales bigger and faster than any other enterprise endpoint backup solution.
  3. Service and support is “stellar,” according to our customers. But don’t take our word for that, take theirs.

Gartner Step 3: Identify network storage locations and servers vulnerable to ransomware encryption
Yes, you need to protect your servers, but let’s start where the problem starts: at the endpoint, where 95% of ransomware attacks originate. Server backup was not designed to restore data to endpoints.

Gartner Step 4: Develop appropriate RPOs and backup cadences for network storage and servers
We choose to focus on the source of attack, where we are the best at meeting recovery point objectives (RPO) and backup cadences. Our backup frequency is 15 minutes by default, configurable down to one minute; our competitor’s default backup frequency is every four hours, configurable down to five minutes. The more frequent the backup cadence, the less data is lost between the last good recovery point and the moment of encryption. Gartner’s “Five Backup and Recovery Best Practices to Protect Against Ransomware” advises, “The primary goal is to leverage newer backup methodologies to achieve more frequent recovery points…The goal here is backing up more often.” This is not just a server and network-storage best practice; it’s an endpoint best practice too.

Gartner Step 5: Create reporting notifications for change volume anomalies
Step five centers on endpoint backup reporting capabilities. Here Code42 is resoundingly on point. In the first half of 2016, the 5 series release of Code42 CrashPlan introduced a reporting web app that makes it easy to assess when users are not backing up frequently enough, putting your RPO in jeopardy. In addition, the ability to securely index and search user data archives helps security and IT teams find and identify malicious files through MD5 hash, keyword or metadata searches. (MD5 is adequate for matching the hash of a known sample, but it is not collision-resistant, so treat a hit as a lead to confirm rather than as proof on its own.) Combine indexing and searching capabilities with web reporting capabilities to identify anomalies at the individual, department or group level.
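The “change volume anomaly” notification Gartner asks for in step five comes down to a simple detection: per device, compare the number of files changed in each backup interval against that device’s recent baseline and alert when it jumps. The block below is an added example, not Code42 code; it assumes a hypothetical one-line-per-interval log format (timestamp, device, files_changed, bytes_changed) and uses constructed sample lines. Two design points matter for ransomware: a flagged interval is kept out of the baseline so a continuing encryption run stays flagged, and an absolute floor stops a tiny baseline (a user unzipping one project) from paging anyone.

```python
"""Flag backup clients whose per-interval file-change count spikes above baseline.

Added example; the log format and sample lines are constructed, not a real product's.
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log: laptop-17 backs up ~40 files per 15-minute interval, then
# a user unzips a project (120 files), then an encryption run touches thousands.
# desktop-03 legitimately churns ~600 files per interval all day.
SAMPLE_LOG = """\
2016-07-01T09:00 device=laptop-17 files_changed=42 bytes_changed=15000000
2016-07-01T09:15 device=laptop-17 files_changed=38 bytes_changed=12000000
2016-07-01T09:30 device=laptop-17 files_changed=45 bytes_changed=16000000
2016-07-01T09:45 device=laptop-17 files_changed=41 bytes_changed=14000000
2016-07-01T10:00 device=laptop-17 files_changed=120 bytes_changed=40000000
2016-07-01T10:15 device=laptop-17 files_changed=4100 bytes_changed=2100000000
2016-07-01T10:30 device=laptop-17 files_changed=3900 bytes_changed=1900000000
2016-07-01T09:00 device=desktop-03 files_changed=600 bytes_changed=300000000
2016-07-01T09:15 device=desktop-03 files_changed=640 bytes_changed=310000000
2016-07-01T09:30 device=desktop-03 files_changed=590 bytes_changed=290000000
2016-07-01T09:45 device=desktop-03 files_changed=620 bytes_changed=305000000
2016-07-01T10:00 device=desktop-03 files_changed=610 bytes_changed=300000000
2016-07-01T10:15 device=desktop-03 files_changed=650 bytes_changed=320000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) device=(?P<device>\S+) "
    r"files_changed=(?P<files>\d+) bytes_changed=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse the hypothetical interval log into dicts; reject lines that do not match."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        events.append({"ts": m["ts"], "device": m["device"],
                       "files": int(m["files"]), "bytes": int(m["bytes"])})
    return events


def find_change_anomalies(events, baseline_points=4, sigma=3.0, min_files=500):
    """Return one alert per interval whose file-change count exceeds
    max(min_files, baseline_mean + sigma * baseline_stdev).

    The baseline is the last `baseline_points` *unflagged* intervals for that
    device, so a multi-interval encryption run keeps being flagged instead of
    becoming the new normal.
    """
    by_device = defaultdict(list)
    for e in events:
        by_device[e["device"]].append(e)

    alerts = []
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e["ts"])
        normal = []  # recent unflagged file counts for this device
        for e in evs:
            if len(normal) >= baseline_points:
                mu, sd = mean(normal), pstdev(normal)
                # max(sd, 1.0) keeps a perfectly flat baseline from making any change an alert
                threshold = max(min_files, mu + sigma * max(sd, 1.0))
                if e["files"] > threshold:
                    alerts.append({"device": device, "ts": e["ts"], "files": e["files"],
                                   "bytes": e["bytes"], "baseline_mean": round(mu, 1),
                                   "threshold": round(threshold, 1)})
                    continue  # do not let the spike contaminate the baseline
            normal.append(e["files"])
            del normal[:-baseline_points]  # keep only the newest baseline_points values
    return alerts


if __name__ == "__main__":
    for a in find_change_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{a['ts']} {a['device']}: {a['files']} files changed "
              f"(baseline {a['baseline_mean']}, threshold {a['threshold']})")
```

With the constructed data this reports only laptop-17 at 10:15 and 10:30; the 120-file interval stays under the 500-file floor and desktop-03’s steady 600-file churn never crosses its own statistical threshold. In practice you would group alerts by department as the post suggests, and pair a firing alert with a restore from the last interval before it.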

For our take on how to mitigate the risk and remediate quickly from ransomware attacks, check out our white paper “Reeling in Ransomware – Data Protection for You and Your Users.”

*Gartner Peer Insights reviews constitute the subjective opinions of individual end-users based on their own experiences, and do not represent the views of Gartner or its affiliates.

Mark Wojtasiak, Director of Product Marketing, Code42

[Cloud Security Alliance Blog]

Implementation Life Cycle “Posterized” in Free COBIT 5 Download

COBIT 5’s Seven Phases of the Implementation Life Cycle have been “posterized” into a free download that illustrates the framework’s program management, change enablement and continual improvement life cycle.

The poster is part of the COBIT 5 framework for the governance and management of enterprise IT, which is highly valued by commercial, not-for-profit and public-sector organizations. Enterprise executives, IT professionals and business consultants depend on its globally accepted principles, practices, analytical tools and models to drive business value from trusted information and technology. Among the more popular elements from COBIT® 5 are the diagrams illustrating important practical concepts.

The July COBIT 5 poster centers on the Seven Phases of the Implementation Life Cycle diagram. The seven phases include:

Phase 1—What Are the Drivers? This phase identifies current change drivers and creates, at executive management level, a desire to change that is then expressed in an outline business case.
Phase 2—Where Are We Now? This phase aligns IT-related objectives with enterprise strategies and risk, and prioritises the most important enterprise goals, IT-related goals and processes.
Phase 3—Where Do We Want To Be? This phase sets a target for improvement, followed by a gap analysis to identify potential solutions. Some solutions will be quick wins and others more challenging, long-term tasks.
Phase 4—What Needs To Be Done? This phase plans feasible and practical solutions by defining projects supported by justifiable business cases and developing a change plan for implementation.
Phase 5—How Do We Get There? This phase implements the proposed solutions into day-to-day practices and establishes measures and monitoring systems to ensure that business alignment is achieved and performance can be measured.
Phase 6—Did We Get There? This phase focuses on the sustainable transition of the improved governance and management practices into normal business operations, and on monitoring achievement of the improvements using the performance metrics and expected benefits.
Phase 7—How Do We Keep the Momentum Going? This phase reviews the overall success of the initiative, identifies further governance or management requirements and reinforces the need for continual improvement. It also prioritises further opportunities to improve GEIT.

COBIT® 5 – The Seven Phases of the Implementation Life Cycle


Previous COBIT 5 posters of the month include:

June 2016:  COBIT 5—Summary of Process Capability Model
May 2016:  COBIT 5—Process Reference Model
April 2016:  COBIT 5—Governance and Management Key Areas
March 2016:  COBIT 5—Enterprise Enablers
February 2016:  Roles, Activities and Relationships
January 2016:  Goals Cascade
December 2015: Governance Objective: Value Creation
November 2015: COBIT 5 Principles

For more information on COBIT 5 click here, and to see/download all of the COBIT 5 posters, click here.

Peter Tessin, Technical Research Manager, ISACA

[ISACA Now Blog]

Cyberthreat Information Sharing: An Industry Imperative to Increase Australia’s Cyber Resilience

There is no doubt that cybersecurity contributes to the longevity of a business and can differentiate it from its competitors, for both good and not so good reasons. Organisations, both in the public and private sector, need strong cybersecurity fundamentals to provide trust and confidence to citizens, businesses and customers alike.

As we have seen, though, the threat landscape is not abating and it will continue to evolve. Our cyber adversaries are becoming more sophisticated, sharing tools, exploits and attack methods, and automating their processes. In doing so, they have achieved a clear competitive advantage in cyberspace and are eroding trust in today’s digital age.

This challenging new reality applies to Australian organisations as much as to businesses worldwide. The Australian government is taking important steps to raise its cyber resilience and mature its approach to cybersecurity with the release of the Cyber Security Strategy in April 2016. As Australian Prime Minister Malcolm Turnbull has said, “the Australian Government has a duty to protect our nation from cyber attack and to ensure that we can defend our interests in cyberspace. We must safeguard against criminality, espionage, sabotage, and unfair competition online.”

Australia’s Cyber Security Strategy has five main themes:

  • A national, cyber public-private partnership
  • Strong cyber defences (including cyberthreat information sharing)
  • Global responsibility and influence
  • Growth and innovation
  • A “cyber smart nation”

These are laudable goals, but if we aspire to put an end to the breaches we read about in the headlines almost daily, a partnership is needed to achieve these.

One key way for industry to play a valuable role is to participate in voluntary cyberthreat information sharing. Operationalising threat information sharing, both within and across industries, and between the private and public sectors, will dramatically shift the balance of power, close the competitive gap, and realise exponential leverage against cyber adversaries by driving up the cost of successful attacks.

What Is Meant by Cyberthreat Information Sharing?

Cyberthreat information sharing is the sharing of information about threats and incidents so that all entities can better protect and defend their networks. The information in question is generally technical in nature, such as bot command-and-control servers, malware samples, malware analysis results, and indicators of compromise. In short, it is about sharing attack information. What’s most critical is to learn about the kinds of actors targeting organisations, the tools they have available, and the tactics they employ – all to help organisations to prevent attacks and defend their networks more effectively.

What to Share and How

First, let’s define the attributes of what should be shared:

  • Threat Indicators: forensic artefacts that describe the attacker’s methodology.
  • Adversary’s Campaign Plan: a collection of threat indicators for each link in the cyberattack lifecycle attributed to a specific adversary group.
  • Context: additional non-campaign plan intelligence about an adversary group that is helpful for organisations to understand the adversary. This includes things like motivation, country of origin, and typical targets.
  • Adversary Dossier: campaign plans + context: a collection of threat indicators attributed to a specific adversary campaign or playbook (campaign plans), plus any additional context about the adversary group.

Our mission should be to share all of the above but, most importantly, an adversary group dossier. Doing so improves the assessment of the adversary group’s potential material impact on the targeted organisation, giving that organisation a better opportunity to detect and prevent the attack, and helping deter the adversary.

The information itself is important – but it must be actionable. This means that it must arrive in as close to real time as possible. As we have observed in some of the largest breaches, the best resourced security teams cannot scale manual responses to automated threats — only through automating prevention and detection can organisations be fast enough to adequately secure networks. Thus, government and industry must collaboratively build a robust, automated information sharing architecture, capable of turning threat indicators into widely distributed security protections in near-real time.
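What “turning threat indicators into widely distributed security protections” looks like in code, for the four attributes defined above: a dossier is the adversary group’s context plus a campaign plan of indicators, each tagged with the link in the attack lifecycle it belongs to. Indexing the indicators with that attribution lets a receiving organisation both emit protections (a blocklist) and match its own telemetry, so that a host seen at several lifecycle phases of one group’s campaign stands out from a lone hit. This is an added example, not Palo Alto Networks code; the dossier layout, the event shapes and every indicator value (RFC 5737 documentation addresses, an `example.net` domain, a patterned hash) are constructed.

```python
"""Adversary dossier -> protections -> matches against local telemetry.

Added example; the data model, event format and indicator values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Indicator:
    phase: str   # link in the attack lifecycle this artefact belongs to
    kind: str    # "ip", "domain" or "sha256"
    value: str


@dataclass
class Dossier:
    """Campaign plan (indicators) + context about the adversary group."""
    group: str
    context: Dict[str, str]
    campaign: List[Indicator] = field(default_factory=list)


def _norm(kind: str, value: str) -> str:
    """Canonicalise so 'UPDATE.EXAMPLE.NET' and 'update.example.net' match."""
    v = value.strip()
    return v.lower() if kind in ("domain", "sha256") else v


def build_protections(dossiers: List[Dossier]) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Index (kind, value) -> (group, phase) so a hit carries attribution, not just 'bad'."""
    index = {}
    for d in dossiers:
        for ind in d.campaign:
            index[(ind.kind, _norm(ind.kind, ind.value))] = (d.group, ind.phase)
    return index


def render_blocklist(index) -> List[str]:
    """Protections in a generic 'block <kind> <value>' form, one line per indicator."""
    return [f"block {kind} {value}  # {group}/{phase}"
            for (kind, value), (group, phase) in sorted(index.items())]


# Which event type carries which indicator kind, and in which field (constructed schema).
EVENT_FIELDS = {"dns": ("domain", "query"), "conn": ("ip", "dst_ip"), "file": ("sha256", "sha256")}


def match_events(index, events: List[dict]) -> List[dict]:
    """Return every event whose observable appears in the shared indicators."""
    hits = []
    for ev in events:
        kind, fld = EVENT_FIELDS[ev["type"]]
        key = (kind, _norm(kind, ev[fld]))
        if key in index:
            group, phase = index[key]
            hits.append({"host": ev["host"], "kind": kind, "value": key[1],
                         "group": group, "phase": phase})
    return hits


def phases_by_host(hits: List[dict]) -> Dict[str, set]:
    """Hosts matching several phases of one campaign deserve priority over a lone hit."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["host"]].add((h["group"], h["phase"]))
    return dict(seen)


# Constructed dossier: one group, three indicators across three lifecycle phases.
DOSSIERS = [Dossier(
    group="Constructed-Group-A",
    context={"motivation": "financial", "origin": "unknown", "typical_targets": "retail"},
    campaign=[
        Indicator("delivery", "domain", "update.example.net"),
        Indicator("installation", "sha256", "cafe" * 16),
        Indicator("c2", "ip", "203.0.113.7"),
    ],
)]

# Constructed local telemetry: two hosts touch the campaign, one does not.
EVENTS = [
    {"type": "dns", "host": "ws-11", "query": "UPDATE.EXAMPLE.NET"},
    {"type": "conn", "host": "ws-11", "dst_ip": "203.0.113.7"},
    {"type": "conn", "host": "ws-12", "dst_ip": "198.51.100.9"},
    {"type": "file", "host": "ws-12", "sha256": "CAFE" * 16},
    {"type": "dns", "host": "ws-13", "query": "www.example.org"},
]


if __name__ == "__main__":
    index = build_protections(DOSSIERS)
    print("\n".join(render_blocklist(index)))
    for host, phases in phases_by_host(match_events(index, EVENTS)).items():
        print(host, sorted(phases))
```

Run as-is it prints three block lines and shows ws-11 matched at both the delivery and c2 phases of the same group’s campaign while ws-12 matched only at installation; that per-host view is the operational payoff of sharing campaign plans rather than loose indicator lists. A real exchange would carry these records in a standard format and push the blocklist to enforcement points automatically, which is the near-real-time architecture the paragraph above argues for.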

Resistance to Sharing and Other Barriers to Success

Increasing cyberthreat information sharing in our country is easier said than done, for a number of reasons. First, there is apprehension amongst organisations that information sharing could negatively impact them. Many feel that by sharing information that could be classified as sensitive and privileged, they would be giving the upper hand to their competitors. This sentiment from the business community is valid and should be acknowledged. But, as noted above, we should focus on sharing attack information, not information on who has been breached.

Some of the other challenges and perceived barriers to greater cyberthreat information sharing that will need to be addressed are:

  • Privacy: Laws should not unduly prohibit the sharing of personal information that is necessary to identify and prevent attacks. At the same time, the Australian government should ensure that there are responsible privacy protections in place related to cyberthreat information sharing.
  • Trust among private sector competitors: Some organisations consider cyberthreat information to be their own proprietary intellectual property (IP) and do not want to share it. We need to reverse this notion. The more we continue to treat this information as IP, and the more we keep it in silos within our own organisations, the greater opportunity the adversary has to strike again. Adversaries share tools, exploits and attack methods – so should we. Everyone should have access to the same body of threat information and collaborate to quickly translate it into security controls to use within their own organisations and their collective customer base.
  • Antitrust concerns: There is a fear among some companies that sharing threat information between organisations makes them vulnerable to antitrust violations. The Australian government should clarify that cybersecurity threat information voluntarily shared, or received, by a private entity with another private entity is exempt from antitrust laws.
  • Over-classification: The government, in some instances, may “over-classify” cyberthreat information it receives from both internal and external sources. It takes a significant effort —and valuable time — to declassify that same information to share with private companies and the public at large.

Where to Go From Here

We urge the Australian government as well as industry to quickly put into action the recommendations for greater cyberthreat information sharing as laid out in the new Cyber Security Strategy. Cybersecurity threat information sharing within and across industries and with the public sector must be embraced by everyone. The faster organisations can share information, the better we can serve to protect each other and push the cost back to the adversary. Until the public and private sectors truly collaborate to build systemic information sharing partnerships, it’s like we’re combating our adversaries with technological weapons that have no ammunition.

[Palo Alto Networks Research Center]


Announcing the LabyREnth Capture the Flag (CTF) Challenge

We’re proud to announce that LabyREnth, the Unit 42 Capture the Flag (CTF) challenge, is open to the public and ready to test your malware analysis and reverse engineering skills. You’ll have until 11:59pm on August 14th, 2016 to run through more than 25 challenges built by some of the industry’s best threat researchers and security engineers.

Whether you are an experienced threat researcher looking to win renown or a student just getting started, there are challenges built to surprise you and hopefully show you something new. You’ll also have the opportunity to win part of $16,000 in rewards if you’re among the first to complete the tracks. The CTF is open worldwide, including to Palo Alto Networks partners; please refer to the official rules for eligibility details.

These challenges bring together amazing learning opportunities for all levels across the security industry, all with serious prizes. Our goal is to drive threat intelligence education by sharing challenges based on the daily life of our engineers, helping improve skills and develop the next generation of analysts.

Watch the @unit42_intel Twitter and #labyREnth hashtag for updates and winners.

Join the LabyREnth now.

[Palo Alto Networks Research Center]
