IT security is becoming one of the most critical areas of focus for every organisation. The landscape has changed, and IT security is as vital to the overall security of your business as the lock on your office door. Industrial espionage, sabotage and cyber theft are no longer something for spy movies. They can and do affect every business.
Ivanti is a company that has been built on a platform of increasing user productivity while reducing IT security risk. The security risk side of that equation is becoming increasingly important to all organisations. We managed to get the views of Amber Boehm, Ivanti’s Manager of Product Marketing, to get a better understanding of how security is affecting businesses and how Ivanti is helping to tackle IT security risk.
Amber’s insight is detailed and compelling. It includes best practice on effective defence and also reviews why Ivanti's "Unified IT" approach adds real benefits to its security capability.
CSA: Earlier this year, Singapore Health was targeted and 1.5 million records exposed. In your experience (more generally speaking), what are some of the ways cybercriminals can use to get access to data like this? What technologies are available to mitigate these threats?
Amber: Given the “generally speaking” qualifier, I won’t go into all the specifics of this case. Instead, I’ll touch on a couple of points which dovetail nicely into a discussion of the most valuable tips for rapidly improving an organisation’s security posture to better protect the enterprise as a whole.
Cyber attacks globally are evolving both in intent and sophistication. SamSam is a prime example. SamSam hackers will break into and survey a victim's network before deploying and running the ransomware. They'll also change their tactics during attacks. If one approach doesn't work, they'll try another and another.
Malware increasingly has many different means to enter an organisation and spread throughout the network. That’s why you need a multi-layered security strategy in place to defend against these—one that prioritises the most likely vectors for attack.
For example, would-be attackers love to exploit any potential endpoint vulnerability. According to Forrester, we are “standing on a precipice where 58% of enterprise organisations suffered a breach at least once in the past year, and over 41% of those external breaches exploited some manner of software vulnerability.” SingHealth’s attackers, for example, were able to breach a user’s workstation that was running a version of Microsoft Outlook not patched against this exploit. The SMB exploits that brought us WannaCry, NotPetya, and the SamSam attack on Atlanta are also prime examples. And Equifax too fell victim to a software vulnerability—in that case in a third-party application. You can patch against these exploits, but you also need to defend yourself against the many other risks you may face. Attackers use other tools to move across networks quickly, like the open source exploitation tool Mimikatz, which can extract cached network administrator credentials out of a machine’s running memory and use those to commandeer other computers. And another example would be brute-force attacks against weak passwords on accounts with access to vulnerable port connections.
What you should be setting your sights—and your potentially scarce resources—on are these attack vectors and the security controls that are best equipped to deal with them.
Research and case studies from the Center for Internet Security (CIS) show that configuring IT systems in compliance with the top 5 (of 20) CIS recommended controls is an effective defence against the most common cyber-attacks, accounting for 85 percent of today’s cyber threats. Do just these five things and you can protect yourself from the majority of attacks you could face.
Inventory and control of hardware assets—because you can’t protect or defend against what you don’t know is out there
Inventory and control of software assets—which includes application control
Continuous vulnerability management—including patch management
Controlled use of administrative privileges
Secure configuration of hardware and software—As the CIS notes, default configurations for the OS and apps are geared to ease-of-deployment and ease-of-use, not security. What you are looking to do, is to maintain a set of minimum standards for your configs. You can pore through the checklists to give you ideas, but let’s tie this to what we’ve discussed today. For example, to help stave off attacks like SamSam you can turn off RDP if you don’t need it. You can also set a lockout policy to limit password guessing attacks. After the WannaCry hit, it was also recommended that IT disables the SMB v1 service.
Much of what you do in cyber-security is an 80/20 effort. You can get 80 per cent of what you need by implementing 20 percent of the framework. As you try to nail down the remaining 20 percent of risk and exposure, you begin spending a lot more time, effort, and money.
The CIS framework is built much the same way. The top 5 controls—25 per cent of the framework—deliver layers of defence that, when implemented effectively, can mitigate about 85 percent of cyber threats.
CSA: We see that computing power and intelligence is increasingly moving to the edge, with IoT accelerating this even more. Why does this increase security risk?
Amber: At this time, IoT devices just haven't been built with baked-in security controls or deployed with security in mind. They have hard-coded default credentials, for example, and they aren't segmented from the network.
Flip all of that around and you have the beginnings of a strategy to combat attacks. You should also deploy security patches as they become available, manage the identities of IoT devices carefully, utilise encryption for communications between devices, and monitor the traffic to and from IoT devices to establish a baseline of behaviour.
I mention patching, but it’s important to note that IoT devices can be quite hard if not impossible to patch, and all the more so if you’re seeking automation to simplify the process. It is also worth noting that, with increasing concerns about the security of infrastructure/utilities, Industrial IoT is something to keep an eye on in particular.
CSA: We see Ivanti talking about endpoint application control. Can you explain exactly what you mean by this and why companies should be concerned about this?
Amber: Regardless of how or where a user accesses their desktop, it’s essential they receive only the authorised apps they need to be productive and that they can’t introduce unauthorised apps. It only takes one user to visit the wrong site or install the wrong app via email to compromise an entire organisation’s security.
So, what does Ivanti mean by the term “application control”? Primarily, we’re referring to maintaining a whitelist of applications approved for execution.
While traditional whitelisting can work in some cases, the reality is that many companies have tried and failed to implement it. Discovery can be an exhaustive process, and once implemented, the whitelist needs to be constantly maintained and updated. Whitelisting also adds to application cost of ownership. Each user request to add a new application to the list, a version upgrade, or even a minor application update requires increased administration.
Some solutions also cause a substantial performance impact to the system as applications need to be evaluated to ensure they have not been modified or renamed to impersonate the whitelisted file. Today’s users must be enabled to do their jobs quickly and effectively, with rapid access to all the applications they need to make that happen. Unfortunately, the frequency with which new apps are introduced into our environments is not compatible with traditional whitelisting methods or user productivity.
Modern application control relies on policies and trust rather than lists—providing authorised access to applications, services, and components without making IT manage extensive lists manually and without constraining users.
CSA: Ivanti is more than a security company. Your mission seems to be to unify IT. Is there a danger this means you will not focus on your security solutions in the same way pure security vendors do?
Amber: On the contrary: It makes our security solutions that much stronger. As an example, let’s look back at the first two CIS best practice controls—inventory and control of hardware and software. You can have all the other tools recommended in your security arsenal, but without a complete picture of the organisation's assets and a means to tie that information into your prevention, detection, and remediation policies, you can't use those effectively to protect or defend against everything in the environment. Are all systems running business-critical applications reducing admin privileges, for example? Are all kiosks and other systems exposed to the public locked down from an application and device control standpoint?
Our asset management solutions provide the insight into your environment you need to get the most from your security solutions. In addition, we can use that information to take automated, immediate action on discovered threats.
It’s not limited to asset management, either. From a holistic security perspective, the organisation’s end goal should be to discover and manage all hardware and software, swiftly pinpoint security concerns across the enterprise, and empower the service desk to track these incidents effectively and IT to tackle them quickly with automated security controls which have been proven most effective against modern cyber attacks today.
Imagine how reporting, communication, and response time would improve if data and processes were shared between tools and teams. Responding to and containing the threats that do get through, for example: If there were ever a scenario that warranted bringing teams and tools together to automate processes, this is it. Here's how it might play out in a more unified IT organisation:
Once malicious code is detected in the environment, you could isolate that endpoint from the network instantly and automatically. Then, responding from a trusted console, with a simple mouse click you could remote control into the machine to gain insight into its state, then instigate a process to reimage it, automatically reinstalling the user’s settings and applications and restoring all backed-up documents. While the endpoint is reimaging, you could even use that device’s state information to quickly scan the environment for other vulnerable devices and immediately update them against the threat. Voilà, you’re done and back to focusing on core business goals.