Risk Management in the Real World: Today, Tomorrow and Beyond
By Steve Tcherchian
2018 was another troubling year in the cybersecurity world. We saw a repeat of last year’s data breaches on a larger scale. Google, Toyota, Facebook, Under Armour, LifeLock, Air Canada, Blue Cross and many, many more fell victim to some sort of compromise. Hardly a week went by where we weren’t reading about a new mega breach. Even the popular online video game, Fortnite, was hacked and children’s personal data was found for sale on the dark web. No one was off limits. It’s to the point where we’ve become numb to the news; we shrug it off and move on. But as consumers, we should be concerned with the lackluster cybersecurity practices companies have in place. It’s clearly not protecting our data.
A ZDNet article recently mentioned: “Researchers at security firm Positive Technologies tested 33 websites and services using its proprietary application inspector and found that banking and financial institutions were ‘the most vulnerable’ to getting hacked.”
Companies spend billions on security each year, so why is this still an issue? It’s almost 2019 and most applications are still horribly insecure, and security best practices are not followed. Applications are designed for functionality, not security, because security is seen as difficult and time-consuming and is often blamed for delaying product launches and revenue-generating activities.
Passwords: The Achilles Heel
One of the most critical security risks to any organization is passwords, especially default passwords and the passwords of privileged accounts. Privileged accounts have elevated access to perform administrative functions. They can be administrator accounts, service accounts, database connection accounts, application accounts and others. Most of these accounts were set up ages ago when an application or system was deployed. They typically have multiple integration points, and because of the risk of “breaking something,” the passwords for these accounts are rarely rotated, likely shared and improperly stored.
In today’s ecosystem, where privileged account abuse is the most common way for hackers to compromise a system, proper credential storage and accountability are paramount to risk mitigation. Relying on manual methods is resource intensive, error prone and leaves gaps.
The Varonis 2018 Global Data Risk Report highlighted that 65 percent of companies have over 500 accounts with passwords that have never been rotated. These passwords have a higher likelihood of showing up in online password dumps and being used to infiltrate networks. Simply put, they’re a cyber criminal’s best friend.
Proper password management can seem overwhelming, but it doesn’t have to be. Current processes for requesting access to privileged accounts are manual and complex. Unfortunately, governance is often an afterthought, leaving many enterprises vulnerable to increased security risks and potential non-compliance with external regulations or internal corporate mandates.
XYPRO identified a need to address this risk within the HPE NonStop server world and we have entered into strategic partnerships with SailPoint Technologies, CyberArk, Centrify, CA Technologies, RSA and Splunk to cover these gaps.
Our newest solution, XYGATE Identity Connector (XIC), extends Identity Management and Governance capabilities to the NonStop server. Most organizations already have active projects to integrate their CyberArk and SailPoint investments into the rest of their enterprise, which now includes the HPE NonStop. Identity governance, privileged account management and multi-factor authentication requirements are addressed with the latest solution in the XYGATE suite.
The New Regulation Landscape
2018 saw the introduction of the General Data Protection Regulation, or GDPR, a major piece of legislation designed to address the protection and responsible use of each and every European Union citizen’s personal data. GDPR is not an EU-only regulation; it affects any business or individual handling the data of EU citizens, regardless of where that business or individual is based. The penalties for non-compliance are stiff: up to €20 million (about $24 million USD) or 4 percent of annual global turnover, whichever is greater. GDPR went into effect in May 2018.
According to Bart Willemsen, research director at Gartner – “The GDPR will affect not only EU-based organizations but many data controllers and processors (entities that decide what processing is to be performed and/or carry out that processing) outside the EU as well. Threats of hefty fines, as well as the increasingly empowered position of individual data subjects in controlling the use of their personal data, tilt the business case for compliance and should cause decision makers to re-evaluate measures to safely process personal data.”
The GDPR is similar in some ways to PCI DSS in that it aims for a comprehensive approach to data protection that goes well beyond technical controls. Even though the individual GDPR requirements aren’t as technically detailed, its security objectives are the same as those of PCI DSS: to protect, secure and track the use of specific types of data. Complying with its requirements means both implementing security best practices and modifying processes and human behavior to follow those best practices, including timely analysis of anomalies.
In 2018, California also adopted the California Consumer Privacy Act (CCPA). Like GDPR, CCPA focuses on protecting the information of a natural person who can be identified. These regulations require that businesses adopt organization-wide security measures appropriate to protect collected consumer data. We will likely see more compliance regulations with regard to consumer data protection in the near future. The key, again, is implementing security best practices.
At XYPRO, we see data privacy as a large part of the security landscape going forward. In 2018, we enhanced our product suite to assist our customers with their data privacy and protection initiatives. We introduced GDPR assessment functionality into our XYGATE Compliance PRO product, published numerous white papers and articles on the topic, and participated in organizations and activities that can influence data protection regulations going forward. This will ensure the NonStop community has a voice in this area. We plan to continue these efforts in 2019 and beyond.
XYGATE SecurityOne: A Single Platform
In testimony given before the Senate Subcommittee on Science, Technology and Space, famed cryptographer and cyber security specialist Bruce Schneier said:
“Prevention systems are never perfect. No bank ever says: “Our safe is so good, we don’t need an alarm system.” No museum ever says: “Our door and window locks are so good, we don’t need night watchmen.” Detection and response are how we get security in the real world…”
Schneier gave this testimony back in July of 2001, yet nearly 20 years later organizations are still getting hit by incidents they didn’t detect, proving this premise is still valid and more critical than ever before. I’m surprised by the number of conversations I have with IT and security professionals who still carry the “set it and forget it” approach to security. They believe protection and compliance are good enough. No matter what type of protection a system has, given enough time, an attacker will find a way through. The faster you can detect, the faster you can respond, limiting the amount of damage a security breach can cause.
Detection is not a simple task. The traditional method is to set up distinct rules or thresholds. For example, if a user fails 3 logons in a span of 5 minutes, detect it and send an alert. In most cases that rule is explicit: if the failed logon events spanned 20 minutes, or worse yet, 10 days, they likely would not be detected. The limitation of relying on these types of rules is that they can’t alert on what they aren’t specifically looking for (i.e. what they don’t know). Low and slow incidents and unknown unknowns (activity that is not normal on a given system) will fly under the radar, and no one would be the wiser until it’s too late. The damage is done, the data is taken, the system is compromised, and customer confidence is lost.
Correlating events from multiple data sources proves to be a challenge for detection. The traditional method is to scour through event records, try to put the pieces together and then create a rule to detect that pattern in the future. The weakness is that this can only be done after an incident has already occurred. The rule is then put together on the off chance the same combination of events will happen again. However, it’s not entirely reasonable to anticipate and define every possible incident pattern before it happens.
For data to be meaningful and actionable, it requires context. Contextualization allows the system itself to determine what is actionable and what is just noise. XYPRO’s XYGATE SecurityOne can evaluate each potential alert and, based on activity that happened previously for that user, IP, system, etc., determine whether the reported activity is business as usual or a serious issue that needs attention.
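To make the limitation described above concrete, the following added example (not XYGATE code, and a deliberately simplified stand-in for the product’s contextualization, not the patented method) runs two detection approaches over constructed logon audit records: the explicit “3 failures in 5 minutes” rule, and a rule that judges each account’s failures against its own history over a longer horizon. User names, timestamps and the 30-day lookback are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logon audit records (timestamp, user, outcome); not real data.
# alice mistypes her password three times and then logs in; bob sees one failure
# per night for ten days and never logs in successfully (low and slow guessing).
EVENTS = [
    ("2018-11-01 09:00:00", "alice", "fail"),
    ("2018-11-01 09:01:00", "alice", "fail"),
    ("2018-11-01 09:02:00", "alice", "fail"),
    ("2018-11-01 09:03:00", "alice", "success"),
] + [(f"2018-11-{d:02d} 02:00:00", "bob", "fail") for d in range(1, 11)]

def parse(events):
    return sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), u, o) for ts, u, o in events)

def threshold_rule(events, max_fail=3, window=timedelta(minutes=5)):
    """Explicit rule from the text: alert when a user fails max_fail logons inside window."""
    recent, alerts = defaultdict(deque), set()
    for ts, user, outcome in parse(events):
        if outcome != "fail":
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if len(q) >= max_fail:
            alerts.add(user)
    return alerts

def contextual_rule(events, lookback=timedelta(days=30), min_fail=5):
    """Judge each account against its own history: a burst of failures followed by a
    successful logon looks like a mistyped password, while many failures with no
    success at all over the lookback period looks like low-and-slow guessing."""
    by_user = defaultdict(list)
    for ts, user, outcome in parse(events):
        by_user[user].append((ts, outcome))
    verdicts = {}
    for user, hist in by_user.items():
        latest = hist[-1][0]
        window = [o for ts, o in hist if latest - ts <= lookback]
        fails, ok = window.count("fail"), window.count("success")
        verdicts[user] = "suspicious" if fails >= min_fail and ok == 0 else "business as usual"
    return verdicts

if __name__ == "__main__":
    print("threshold rule alerts:", threshold_rule(EVENTS))    # only alice
    print("contextual verdicts:", contextual_rule(EVENTS))      # bob suspicious
```

The fixed-window rule fires on alice’s harmless burst and never sees bob, whose failures are a day apart; the history-based rule reaches the opposite, and more useful, verdict for both.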
Context is Key
In 2018, XYPRO was granted US Patent 9,948,678 by the United States Patent and Trademark Office. XYPRO’s patent titled Method and System for Gathering and Contextualizing Multiple Security Events, covers the aggregating, correlating and contextualizing of disparate and unrelated security and system events. This proprietary technology provides faster detection of suspicious activity by intelligently combining security and non-security-related data while applying a layer of context which makes the newly enriched data much more insightful and actionable.
What will 2019 have in store?
- Targeted Ransomware – As long as security best practices are not being followed, ransomware will continue to be dangerous to business and a profitable source of income for cyber criminals.
- More Compliance and Data Privacy Regulations – GDPR set the stage for government intervention in data protection. Most companies are still playing catch-up when it comes to data protection. We’ll certainly see more government oversight in this area.
- Virtualization – Virtualization, containers and serverless applications introduce a new paradigm to traditional security concepts. There will be advancement in this area as we understand more of its potential and security gaps.
- Automation and Faster Access to Actionable Data – Data is no good if it’s not received quickly and it’s not meaningful to act on. Humans can no longer keep up with the volume and velocity of security data being received. This introduces a new problem: context, or making sense of new data derived from old data. We’ll see more context-based solutions coming into play over the next year.
- Modernization, Integration and Digital Transformation – Consumers are disrupting the way business is being done. As organizations continue to evolve and adapt to the world around them, business models are changing. We will see more application modernization projects for on-premises core enterprise applications, new consumption models for services, and organizations leveraging more of their investments by integrating everything into consolidated technologies rather than fragmented solutions.
HPE NonStop servers are a staple of many modern, mission-critical organizations. The NonStop is central to activities that affect our lives on a daily basis: how we shop, pay, bank and communicate. As technology evolves around us, the NonStop server continues to modernize, and XYPRO is thrilled to be a part of this evolution. XYPRO’s innovation efforts don’t stop there. We unflinchingly look forward to identify where research and development investments should be made, always looking for ways to best serve our customers. This commitment has led us to new areas that provide even greater value and security to NonStop server users, integrating the NonStop with the rest of the enterprise and beyond. At XYPRO, we protect your data like it’s our own. Because it is.
Steve Tcherchian, CISSP