The Weakest Link

Published by: Alastair Broom on March 10, 2017 in Security

As Logicalis’ Chief Security Technology Officer I’m often asked to comment on cyber security issues. Usually the request relates to specific areas such as ransomware or socially engineered attacks. In this article I’m taking a more holistic look at IT security.

Such a holistic approach to security is, generally, sorely lacking. This is a serious matter, with cyber criminals constantly looking for the weak links in organisations’ security, constantly testing the fence to find the easiest place to get through. So, let’s take a look at the state of enterprise IT security in early 2017, using the technology, processes and people model.

Technology

A brief, high-level look at the security market is all it takes to show that there are vast numbers of point products out there – ‘silver bullet’ solutions designed to take out specific threats. There is, however, little in terms of an ecosystem supporting a defence-in-depth architecture. Integration of and co-operation between the various disparate components is , although growing, typically weak or non-existent.

We’ve seen customers with more than 60 products deployed, from over 40 vendors, each intended to address a specific security issue. Having such a large number of products itself presents significant security challenges, though. All these products combined have their own vulnerability: support and manintenance. Managing them and keeping them updated generates significant workload, and any mistakes or unresolved issues can easily become new weak points in the organisation’s security.

The situation has been exacerbated by the rapidly increasing popularity of Cloud and Open Source software. Both trends make market entry significantly simpler, allowing new players to quickly and easily offer new solutions, targeting whichever threat happens to be making a big noise at the moment.

Just as poor integration between security products is an issue, so is lack of integration between the components on which they are built. Through weak coding or failure to make use of hardware security features – Intel’s hardware-level Software Guards Extensions (SGX) encryption technology is a good example – security holes are left open, waiting to be exploited.

The good news on the technology front is that we are seeing the early stages of the development of protocols, such as STIX, TAXII and CybOX, allowing different vendors’ products to interact and share standardised threat information. The big security vendors have been promoting the idea of threat information sharing and subsequent action for a while, but only within their own product ecosystems. It’s time for a broader playing field!

Processes

IT security is one of the most important issues facing today’s enterprise, yet, while any self-respecting board will feature directors with responsibility for sales, marketing, operations and finance, few enterprises have a board level CISO.

Similarly few organisations have a comprehensive and thoroughly considered security strategy in place, or proper security processes and policies suitable for today’s threat landscape and ICT usage patterns. A number of industry frameworks exist: ISO 27001, Cyber Essentials, NIST to name but a few; and yet very few organisations adopt these beyond the bare minimum to meet regulatory requirements.

Most organisations spend considerable sums on security technology, but without the right security strategy in place, and user behaviour in line with the right processes and policies, they remain at risk of serious breaches.

People

The hard truth is that some 60% of breaches are down to user error. Recent research obtiained through Freedom of Information requests found that 62% reported to the ICO are down to humans basically getting it wrong. People make poor password choices, use insecure public (and private!) WiFi, and use public Cloud storage and similar services without taking the necessary security precautions. They do not follow, or indeed even know, corporate data classification and usage policies. The list, of course, goes on.

Training has a part to play here, to increase users’ awareness of the importance of security, as well as the behaviours they need to adopt (and discard) to stay secure. However, there will come a point at which the law of diminishing returns kicks in: we all make mistakes – even the most careful, well trained of us.

We need to explore, discover and devise new ways in which technology can help, by removing the human element, where possible and desirable, and by limiting and swiftly rectifying the damage done when human error occurs. Furthermore, we need to leverage ever improving machine learning and artificial intelligence software to help augment human capability.

Enterprises need to work with specialists that can help them understand the nature of the threats they face, and the weak links in their defences that offer miscreants easy ways in. That means closely examining all aspects of their security from each of the technology, processes and people perspectives, to identify actual and potential weaknesses. Then robust, practical, fit-for-purpose security architectures and policies can be built.

For an outline of how this can work, take a look at Logicalis’ three-step methodology here or email us security@uk.logicalis.com to discuss your cyber security needs.

Leave a Reply Cancel reply

You must be logged in to post a comment.

WRITTEN BY Alastair Broom

Alastair Broom is Security Practice Lead for Logicalis UK where he is responsible for managing the UK Security Practice, defining the security strategy and roadmap and helping the Logicalis client base address their security challenges.

Alastair has held a number of senior Product Marketing and Product Management positions throughout his career and has lived through the evolution of the threat and regulatory landscape, helping customers protect their networks, data and brand.

Prior to Logicalis, Alastair was Security Line of Business Director at Dimension Data and managed the product & services portfolio at Integralis/NTT Com Security.

He has written several published articles/opinion pieces on a range of security related topics and has a degree in Electrical Engineering from the University of Nottingham.

All posts

Related
Most Recent
Most Popular

Showcasing IoT and security at Cisco Live Barcelona

Richard Simmons
January 25, 2019

If you’re heading to Cisco Live, make sure you visit the Logicalis booth (S6) to meet our Cisco, security and IoT experts and find out how we can help you enhance business agility through digital transformation.

Cisco Live EMEA takes place between 28 January and 1 February at the Fira Gran Via in Barcelona, and we’re exhibiting in the ‘World of Solutions’ as well as presenting during the Cybersecurity Partner Day. This annual customer conference aims to inspire IT leaders and champions of digital transformation. It presents a unique opportunity to acquire cutting-edge knowledge and skills on the technology that is already in use, and those that we’ll rely on in the future through meetings with, and presentations by Cisco experts and partners and unparalleled networking opportunities. And that’s where we come in

Logicalis has a long history and strong relationship with Cisco. We’re one of only six Global Gold Partners and in November last year we scooped 14 Partner Summit awards across multiple territories and categories.

Meet us in Barcelona

We’ll be on stand S6 in the ‘World of Solutions’ for the whole week, so feel free to pop by for a chat with one of the team, or to view one of two demonstrations.

Digital Network Architecture – a roadmap to digitisation
Find out how we integrate Cisco software defined access with industrial networking and IoT solution
Predictive threat analytics – automated detection and response
Discover how we integrate Cisco Stealthwatch with IBM QRadar to provide full context and rich visibility into security information and event management (SIEM) applications.

David Angulo, Security BDM Consultant from our team in Spain will also be discussing integrating Cisco’s Behavioural Analytics Technology Stealthwatch with IBM’s SIEM QRadar during the Cybersecurity Partner Day on January 28 at our booth at 4pm.

Plenty of ways to keep in touch if you can’t make it to Barcelona!

To keep up to date with all our activities make sure you follow us on social media.

Twitter – follow the UK team @LogicalisUK and the Spanish team @LogicalisES
LinkedIn – UK team and Spanish team.
The hashtags to look out for are #LogicalisatCLEUR and #CLEUR

Cisco will be live steaming a lot of the show, so if you want to feel like you’re there and watch in real time visit CiscoLive.com/emea or YouTube.

Category: News

Investing in IT to defend London’s public transport infrastructure

Alastair Broom
January 18, 2019

We spoke to Paul Graziano, Cyber Security Compliance Manager at Transport for London (TFL), about his job to defend the UK’s largest public transport network through innovative approaches.

The transport system is part of our critical national infrastructure – how do you see the cyber threat against this evolving?

I think cyber security within critical national infrastructure is becoming an increasingly complex task. A common security challenge is that many of the systems and devices we rely on were built when security wasn’t really an issue. They were designed for only a few people to have access to them. Now, more and more modern industrial control systems are being connected by IT Infrastructure, which is of course a positive thing.

However this means we don’t design ourselves into a position where we have to break in security to protect residency devices, which is what we’re currently working on. Instead of having security by design, we need to put the monitoring around these systems, so we know what users are accessing, know what they’re doing, as well as the network monitoring around these devices too.

What can we do to protect our critical infrastructure against attack

There’s no simple answer to this. In some ways, what we’re trying to do now is use a framework we’ve adopted in Information Technology (IT) to protect Operational Technologies (OT) which involves a security strategy. Security needs to start right from the beginning of the procurement of new systems and IT needs to make sure any new systems meet our security requirements.

I think we need to assume that we will be compromised. As long as the Security Operations team have that visibility, we will be able to respond to any incidents if need be and they’ll also need to be able to pull the plug in worst case scenarios.

A lot of work has been done within the government to help us out. The Centre for Protection of National Infrastructure (CPNI), a UK government body, released a number of frameworks for industrial control systems. They believe we should structure our industrial control systems to make them secure and deploy frameworks around them to achieve that.

What are your thoughts on the value of threat intelligence and and security analytics in the fight against cybercrime?

Both are extremely important and a vital part of Security Operations. Threat intelligence is a necessity as we need to understand what the new threats are and how that could morph into an attack on TFL.

Security analytics is just as important because to protect your network you need to have good visibility over it and you can only really achieve that through security log analytics. To do this you need to have the capability to sort logs from a range of sources and correlate these for suspicious activity. This enables you to benchmark it in order to understand what normal looks like and then you can look out for anomalies.

Will the Internet of Things change the way you address cyber crime?

Absolutely. Up until recently, the increasing number of devices being connected to the internet were mainly from the commercial side, but now it is entering the business side too. Every connected device is a potential target for botnet activities because they are not inherently secure, so they’re easily targeted and taken over as part of a larger attack. This is a very difficult problem to solve and we can’t be isolated as a business in dealing with it, there needs to be a consolidated effort.

How are you using virtualisation to transform your business?

TFL are hugely into virtualisation. A really good example of this would be TFL.gov.uk, our public facing API that’s used for TFL’s journey planner, which powers applications like Citymapper too.

In terms of its impact on our business, it has changed the way in which we think about new projects and new applications. Previously we had to rack up a new server every time we started a project. Now we can rapidly develop, build and test prototypes for new applications at very little cost. It gives us a lot of flexibility as we can scale up pretty much automatically when we need to, which we would never have been in a position to do before virtualisation.

There is a renewal aspect to it too, that if configured correctly, it’s relatively simple to spin up a new server if your prime one goes down. So there are many great benefits to virtualisation.

What other technologies would you suggest adopting in the fight against cyber-crime?

My idea is not so much a technology, but an awareness strategy. If you look at the number of the high profile attacks over the last year, a lot of them started with simple phishing attacks. Our spam filters will never be able to spot the first email from a newly setup phishing campaign and they’re purposefully designed to do that. One of the only ways to protect against this is to ensure our users are sufficiently trained to detect suspicious emails. I think improving communication with employees and making them aware of the impact an attack could potentially have, is vital.

In terms of actual technology, I think privileged identity access management is also key to a security team. It’s important to understand who has access to the most critical parts of your business as during a compromised attack, hackers will look for the business’ ‘crown jewels’.

One of the technologies that the industry is looking at more widely is called ‘deceptive security technology’, this is essentially a very old security component called a ‘honeypot’. A honeypot is a system that is built to be insecure and placed in a public part of your network. By doing so, you can see who finds it and what they do to it. This enables you to understand what sort of attacks are being targeted at it, providing a wider picture of the threat landscape. It is essentially a piece of proactive threat intelligence to find out if people are attacking parts of your network.

Thank you very much for answering all of our questions Paul and we wish you a fruitful career at TFL.

Category: Security

CIOs and the data security dilemma

Alastair Broom
January 2, 2019

With high profile breaches for the likes of Facebook, British Airways and Marriott fresh in the mind, it’s no surprise to see a backlash against the companies that hold our data and a new impetus to take back control. But how are CIOs tackling the information security challenge, and what do we expect the future to hold?

Assessing the threat

According to more than 840 CIOs that we interviewed for the sixth edition of the annual Logicalis Global CIO Survey, the role of the CIO is in flux. A traditional focus on “keeping the lights on” has seemingly given way to more strategic activities around service and product innovation as organisations take to the cloud and expand their IT estate. Despite all this, security continues to dominate CIO’s time and attention, with 93% saying that they devote between 10% and 50% of their time to information security – with 54% spending at least 30% of their time on it.

CIOs are right to remain vigilant, as all evidence points to the fact that threats are definitely increasing. We’re seeing no sign that external threats such as malware, ransomware, crypto-jacking and phishing are going anywhere, especially because it’s become even easier for the bad guys to launch these type of attacks. They’re low cost and have the potential to reach either massive or highly targeted audiences.

One trend that has emerged from the survey is that CIOs are now far more focused on the human dimension of cyber risk than before. Whilst the 2017 report cited external threats as the clear focus, this year’s findings saw lack of staff awareness and mistakes as a concern for more than half (56%) of CIOs, while 39% are concerned about malicious insiders. The human dimension is interesting, and we’d certainly say that people and process should always be the place to start. This attitude doesn’t particularly bear out in what we’ve seen before, however, as technology tends to take precedence over training.

The expansion of the IT footprint and the ever evolving threat landscape have clear implications for security, and most CIOs signal that they are moving away from a purely defensive footing to one of cyber resilience, which brings together defence with detection and recovery. More than a third (37%) of CIOs say their organisation now adopts a resilience-based information security footing. This stance will be aided by some element of automation within the process, as the rate at which threats are accelerating is outpacing our ability to develop skills. AI represents an opportunity to keep pace, particularly when it comes to threat detection and response. We’d expect developments in this area to focus on the ‘response’ part of this process, although it will require something of a cultural leap to allow technology to make decisions for us.

The value of data

Data breaches were cited as a concern by 54% of CIOs, demonstrating how CIOs are attuned to the broader debate around data privacy and management. Despite measures introduced this year, it’s still very difficult to understand and manage data permissions, for both consumers and the businesses that own their data, and there’s a lot more that needs to be done to clean up the ethics around this.

According to our CIO sample, the impact of GDPR has fallen far short of the dire predictions with nearly three quarters (71%) saying that GDPR passing into law has had no impact on their organisation at all. Based on what we heard from customers, GDPR was significantly overplayed and organisations became apathetic long before the May deadline. Faced by business trying to sell them solutions to address their GDPR requirements, a lack of understanding of what their liability was and a misconception that they were too small to be significant, fed-up businesses appear to have opted for a view that “we only need to be as good as our neighbour”.

It would be wrong to suggest that GDPR in, and of itself, had no effect. Rather that most organisations did a great job of implementation, as those with longer memories will recall from Y2K. The Logicalis Global CIO Survey also assessed the cost of GDPR compliance and, again, the reality fell well short of the hype. Though the average investment of up to £25,000 is not insignificant, it suggests that the process was well and efficiently handled.

So what happens now?

Even though the fines for non-compliance are considerable, we’d expect the biggest financial impact in a post GDPR world to be seen in class-action lawsuits arising as a result of data breaches. The huge numbers of customers affected by these large data breaches make this inevitable. But this also has the potential to be hijacked by ‘ambulance-chasers’, and our survey found that 6% of CIOs have already been targeted by opportunists seeking to profit from non-compliance. So expect those PPI and whiplash calls on your phone to be replaced by an automated voice asking about the data breach that compromised your personal information.

We’re certainly at the point now where data breaches should be viewed as ‘when’ and not ‘if’. We’d expect organisations to be increasingly turning to encryption as a way to minimise the impact when a breach does happen, a trend that has been slow to date because of the costs associated. Perhaps the threat of users removing their personal data, and a greater understanding of its value to the business world will be the catalyst this needs.

Category: Security

CIO SURVEY 2019-2020: CIOS ARE BECOMING ARCHITECTS OF BUSINESS CHANGE

Regina Bluman
January 15, 2020

The first report in our four-part series from the 7^th Logicalis Global CIO Survey, ‘The Changing Role of the CIO’, discovered that digital transformations are driving major changes for CIOs. As well as managing the IT infrastructure, they are now also expected to contribute to the business by supporting business initiatives and revenue growth.

As the inexorable tide of digital transformation sweeps through industries across the world, the traditional role of the CIO as a technologist is markedly shifting as companies seek to harness new digital technologies to drive the business forward. Today, CIOs are expected to look beyond technology and consider it within the context of enhancing business strategy and growing revenue, which is clearly a significant change.

When we launched our first CIO Survey seven years ago, it was noted that CIOs were devoting the majority (70%) of their time to the day-to-day management of technology, compared to just over a third (33%) in 2019.

The findings strongly suggest that the CIO role is now becoming one which encompasses broader executive responsibility. It is no longer the endpoint of a career path; rather the role is becoming one which is very much about driving business success.

Our results complement findings from IDC (IDC FutureScapes 2020, The Future Enterprise: Technology, Leadership and Value presentation 11 December 2019). IDC suggests that CIOs are now being measured, in descending order, on business alignment, cost management, risk management, customer satisfaction and revenue management.

Our survey discovered that 43% of CIOs are being measured on their contribution to revenue growth. In 2018 we asked the same question and the figure was 35%. This focus on contribution to revenue growth is supported by the fact that a significant number (74%) of CIOs say reshaping their organisations’ customers experience has become a more significant benchmark of their performance.

This shift is being driven by the urge to digitally transform operations, placing greater emphasis on building a tech foundation on cloud computing, and reducing reliance on user-owned hardware. The requirement to transform is also increasing reliance on subscription-based cloud services, as CIOs seek to unlock competitive advantage and improve operational efficiency.

As business responsibility increases, nearly all (80%) of CIOs are spending more time on building and operating digital platforms and operating models, while over half (67%) have also experienced growth in supporting business initiatives.

The Logicalis findings reflect the wider global trend towards digital transformation and how this is reshaping the role of the CIO, which is also mirrored in the IDC presentation mentioned above. IDC says that 80% of CEOs are under pressure to execute a successful digital transformation, hence, as our research illustrates, traditional business responsibilities are cascading down to CIOs.

Key CIO findings

35% of CIOs spend less time on the day-to-day management of IT than they did in previous years
55% of CIOs are measured on their success of IT cost reductions, compared to 61% in 2018
CIOs spend 25% of their time on information and security compliance
51% of CIOs have increased their time spent on innovation
Nearly half of respondents (47%) cite increased revenue and business growth as their priority in the next 12 months

To find out more about how CIOs are being tasked with greater business responsibility, and conflicting pressures, including meeting the demands of cybersecurity, compliance, business continuity and other large-scale projects, download the first part of the global survey here.

Category: Information Insights / IOT, News

Software Defined WAN: The great starting point

Chris Gabriel
November 21, 2019

Why SD-WAN is a great starting point for your Edge to Application Digital Platform transformation.

‘Every journey starts with a first step,’ is probably the most overused saying when planning any major transformation, personal or business.

For many IT leaders, the joke ‘What’s the best way to get to digital transformation? Well, if I were you, I wouldn’t start from here’” is probably a more realistic response to the opportunity and challenges of adopting new digital-native platforms.

In most of the meetings I have had with CIOs and IT Directors in the last six months, there is acknowledgement that the adoption of adaptable digital-native networks, data centre, cloud and security platforms is a priority. But, taking the first step from where they currently are presents a major shift, not just in technology, but in skills, operating models, organisation changes, and the recognition that unless they can maximise the value of this new investment, the business will once again become disillusioned with the promise versus the reality of yet another platform investment.

So where do you start? How do you get some immediate value from the shift to digital-native platforms without causing immediate disruption and potentially creating a false start that stops further progress?

SD-WAN is likely the simplest and most effective way to put a toe in the digital platform world.

If there was an award for the least loved digital asset, then I think most CIO’s would have the acceptance speech for their WAN written in ten minutes. Who really loves their static and difficult to optimise and change existing WAN service?

That’s possibly why IDC[i] forecasted 40% compound growth up to 2022, as companies asses which parts of their core infrastructure platforms need a bit of a digital boost, the WAN is a great place to start. And for those organisations shifting business workloads to the cloud, especially desktop, the reliability, performance, optimisation and capability of their connectivity between users, sites and cloud services is fundamental to their overall cloud strategy.

The immediate impact of an SD-WAN upgrade to your user’s digital experience can demonstrate the benefits of then moving to further SDX upgrades to the LAN, Data Centre and Cloud environments. If software defined is that good, then give us more.

It also enables the IT team to become familiar with some of the capabilities that software defined technologies have such as automation, service optimisation and trouble shooting advancements, that can then be transferred into the next SD project.

And for most organisations SD-WAN as a Service is the easiest and most effective way of jumping on the bus and getting moving. However, ensuring the provider is using the technology in a progressive way, has understood that the benefits of SD-WAN need to be externalised to customers, who need to be able to drive the features and functionality to benefit their users is key. What’s the point in buying into an adaptable digital network if all the value is kept by the provider?

So, if you can find the right partner then firing up your digital platform strategy with SD-WAN could be the first step in a journey your business will thank you for taking them on. Because you have to start somewhere….

Logicalis is proud to have partnered with ngena The Shared Network to provide progressive global SD-WAN services based on Cisco Viptela technology.

[i] IDC SD-WAN Infrastructure Forecast – https://www.idc.com/getdoc.jsp?containerId=US44182618

Category: Hybrid IT

Meet us at Smart Factory Expo

Team Logicalis
November 4, 2019

We’re excited to be talking about all things IoT at Europe’s best digital manufacturing show. Join us on 13 and 14 November at Exhibition Centre Liverpool for the Smart Factory Expo.

Organised by The Manufacturer magazine and part of Digital Manufacturing week 2019 Smart Factory Expo promises to showcase transformational manufacturing technologies and game- changing innovation from over 150 cutting-edge exhibitors – including us!

How we’re aiming to inspire you

Meet the team from Logicalis at stand E20 to see how we can support you in driving value from your existing environment through services such as condition monitoring, while also designing and building the foundations of a connected factory to support future growth.
– Wednesday 13 November 09:00 – 17:00 and Thursday 14 November 09:00 – 16:00 on stand E20

Hear Thomas Kugelmeier, a Client Solution Executive at Logicalis, specialising in industrial networking, explain how combing OT and IT to build a converged plant environment can enable true business transformation.
– Wednesday 13 November at 14.30 in the Smart Factory Theatre

Hear Richard Simmons, our Head of European Centre of Excellence for IoT, discuss how manufactures can deliver real business value from a connected factory.
– Thursday 14 November at 11.00 in the Digital Transformation Theatre

Read Richard Simmons’ thoughts on digital factories and the journey to industry 4.0.

Sound good? We can’t wait to see you in Liverpool, register now and pre-book your meeting with our expert IoT team.

Category: Information Insights / IOT

The idea of the ‘runaway brain’

Fanni Vig
January 16, 2017

A friend of mine recently introduced me to the idea of the ‘runaway brain’ – a theory first published in 1993 outlining the uniqueness of human evolution. We take a look into how artificial intelligence is developing into something comparable to the human brain and the potential caveats that concern us as human-beings. The theory considers how humans have created a complex culture by continually challenging their brains, leading to the development of more complex intellect throughout human ev...

Category: Automation, Collaboration, Security

CIO SURVEY 2019-2020: CIOS ARE BECOMING ARCHITECTS OF BUSINESS CHANGE

Regina Bluman
January 15, 2020

The first report in our four-part series from the 7th Logicalis Global CIO Survey, ‘The Changing Role of the CIO’, discovered that digital transformations are driving major changes for CIOs. As well as managing the IT infrastructure, they are now also expected to contribute to the business by supporting business initiatives and revenue growth. As the inexorable tide of digital transformation sweeps through industries across the world, the traditional role of the CIO as a technologist is mark...

Category: Information Insights / IOT, News

Red Pill or Blue Pill?

Alastair Broom
December 13, 2016

Morpheus, in one of the most iconic scenes of the Matrix trilogies said, "You take the blue pill, the story ends. You wake up in your bed and believe whatever you want to believe. You take the red pill, you stay in Wonderland, and I show you how deep the rabbit-hole goes." Let me ask you something, what about taking decisions like the one offered by Morpheus based on additional information that can be used to evaluated better the two options? Would that influence Neo to change his mind on the...

Category: Collaboration, IT Service Management

Categories

Digitally Speaking

Latest Tweets