08 November 2018
With the subject of network security continuing to dominate the IT agenda, RAHIEL NASIR looks at some of the latest solutions to help safeguard enterprise data.
It is the number one topic in the IT industry: network security. Hardly a week goes by without splash headlines screaming about yet another data breach.
For instance, even as I write, the Information Commissioner’s Office (ICO) has just fined Heathrow Airport Limited (HAL) £120,000 for failing to ensure that the personal data held on its network was properly secured. This relates to an incident in October 2017 when a member of the public found a USB memory stick which had been lost by a HAL employee. The stick, which contained 76 folders and more than 1,000 files was not encrypted or password protected.
ICO said that although the amount of personal and sensitive personal data held on the stick comprised a small amount of the total files, of particular concern was a training video that exposed 10 individuals’ details including names, dates of birth and passport numbers, as well as the details of up to 50 HAL aviation security personnel. The stick was passed to a national newspaper which took copies of the data before giving it back to HAL.
ICO director of Investigations Steve Eckersley said: “Data protection should have been high on Heathrow’s agenda. But our investigation found a catalogue of shortcomings in corporate standards, training and vision that indicated otherwise.”
The investigation found that only two per cent of HAL’s 6,500-strong workforce had been trained in data protection. Other concerns noted included the widespread use of removable media in contravention of HAL’s own policies and guidance, and what ICO described as “ineffective” controls preventing personal data from being downloaded onto unauthorised or unencrypted media.
Heathrow Airport carried out a number of remedial actions once it was informed of the breach, including reporting the matter to the police, acting to contain the incident and engaging a third-party specialist to monitor the internet and ‘dark web’.
Of course, HAL is not the only organisation to have been recently named and shamed by ICO. Boost Finance (trading as findmeafuneralplan.com), BUPA, direct marketing firm Oaklands Assist UK Ltd., credit agency Equifax, and marketing agency Everything DM Ltd., have all been hit with fines totalling £975,000 – and they were just for the months of September and October.
Most of the above incidents were due to sloppy IT security regimes rather than the result of a cyber attack. But even in the case of an external forced entry into their networks, enterprises need to make sure that they adopt a belt and braces approach to securing all data, or else risk ending up on ICO’s penalties list.
The appliance of security
In an effort to stay one step ahead of the hackers, IT vendors have had to up their game when it comes to developing new products for safeguarding enterprise networks.
For example, Zyxel has recently released a range of cloud-assisted firewalls that it claims make “cutting edge cyber security simple” for SMEs. The company said its new ATP (advanced threat protection) line-up even defends against zero-day attacks that “fly under the radar” of conventional security solutions.
Designed as an all-in-one gateway solution, the new ATP firewalls feature several additional layers of security to detect and block threats. Chief among these is scalable, cloud-based sandboxing. According to the vendor, this executes unknown and potentially dangerous data packets in a safe, concealed environment to determine whether they should be let in or not. Zyxel said many threats don’t make it to the sandbox. Like most security solutions, it says ATP assesses incoming data packets by checking the integrity of their signature. However, in addition to receiving regular updates of newly flagged signatures from trusted sources such as Bitdefender, the ATP firewalls also receive a continuous stream of updates for every new threat identified by every other ATP firewall worldwide.
For a complete solution that can neutralise threats in every form, Zyxel said the ATPs are fortified with six additional layers of protection. These include: web security (content and botnet filters); app and email security; intrusion detection and prevention; geo-blocking; a managed AP service; and SecuReporter, an upcoming cloud-based service that analyses security data to offer insights that are said to be simple to understand and use.
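The two-stage model described above (signature lookup first, sandbox detonation for unknown content, and the sandbox verdict fed back so every other appliance sees it as a known signature) is easier to reason about in code. The following is an added illustration, not Zyxel's code: the feed, the sandbox, the marker string and the sample payloads are constructed stand-ins, and "signature" here means a SHA-256 match against the shared feed.

```python
"""Layered inspection: shared signature feed first, sandbox for unknowns, verdict
published back to the feed. Constructed illustration; feed, sandbox and samples are stand-ins."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class VerdictFeed:
    """Shared signature store keyed by SHA-256 of the content (constructed stand-in
    for a vendor feed plus the cross-appliance update stream)."""
    verdicts: dict = field(default_factory=dict)

    def lookup(self, digest: str):
        return self.verdicts.get(digest)

    def publish(self, digest: str, verdict: str) -> None:
        self.verdicts[digest] = verdict


def toy_sandbox(payload: bytes) -> str:
    """Stand-in for detonation: a real sandbox observes behaviour; this one only
    reacts to a constructed marker so the pipeline can be exercised offline."""
    return "malicious" if b"EVIL-MARKER" in payload else "clean"


class Appliance:
    def __init__(self, name: str, feed: VerdictFeed, sandbox=toy_sandbox):
        self.name = name
        self.feed = feed
        self.sandbox = sandbox
        self.sandbox_calls = 0  # how often this box had to fall back to detonation

    def inspect(self, payload: bytes) -> dict:
        digest = hashlib.sha256(payload).hexdigest()
        verdict = self.feed.lookup(digest)
        source = "signature"
        if verdict is None:
            # Unknown content: detonate once, then share the result with the fleet.
            self.sandbox_calls += 1
            verdict = self.sandbox(payload)
            self.feed.publish(digest, verdict)
            source = "sandbox"
        return {
            "appliance": self.name,
            "action": "block" if verdict == "malicious" else "allow",
            "verdict": verdict,
            "source": source,
        }


def seeded_feed() -> VerdictFeed:
    """Feed pre-populated the way a vendor signature update would be (constructed entry)."""
    feed = VerdictFeed()
    feed.publish(hashlib.sha256(b"known bad sample").hexdigest(), "malicious")
    return feed


def demo() -> list:
    """Two appliances sharing one feed: the second never needs to sandbox what the first did."""
    feed = seeded_feed()
    site_a, site_b = Appliance("site-a", feed), Appliance("site-b", feed)
    sample = b"invoice.pdf EVIL-MARKER"  # constructed unknown-at-first payload
    return [
        site_a.inspect(b"known bad sample"),  # blocked straight from the feed
        site_a.inspect(sample),               # unknown: sandboxed at site-a
        site_b.inspect(sample),               # same content: a signature hit at site-b
        site_b.inspect(b"quarterly report"),  # unknown and clean: sandboxed, then allowed
    ]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point the article makes about threats "not making it to the sandbox" is the `source == "signature"` path: once any appliance has detonated a sample, the cost of that detonation is paid once fleet-wide. A practitioner should also note the caveat the model exposes: a feed keyed purely on content hash is only as good as the sandbox's verdict, so a clean verdict on an evasive sample propagates just as quickly as a malicious one.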
There are two appliances available in the range: the ATP200 offers throughput of 1,800Mbps and is more tailored toward small businesses with one to 50 employees; while the ATP500 is aimed at both small and medium-sized enterprises with up to 100 users and has a throughput of 2,600Mbps.
Netgear is also targeting SMEs with a router that it has designed for remote and site-to-site connectivity while protecting digital assets in a single solution.
The BR500 is said to enable small businesses or remote branch installations to offer instant access to the office intranet via a secure VPN from anywhere in the world. It is the first secure business router managed by NETGEAR Insight, which enables remote employees to access data on their office networks with a single touch on a smartphone or a click on a laptop. Insight is available either as a free app for iOS and Android mobile devices, or as a web portal accessible from any internet browser.
According to Netgear, the new device is designed specifically to enable businesses to protect their networks with a secure VPN and firewall “rapidly and cost-effectively” through the Insight Cloud Portal or mobile app. It comes with easy setup, one-step ‘Instant VPN’, and anywhere remote/cloud monitoring and management.
The vendor adds that Insight Cloud enables full monitoring of all security features and remote management of the router, and lets network managers view real-time VPN connections and the security status of connected devices. As well as monitoring hardware status, temperature, port speeds, CPU load and memory utilisation, Insight Cloud can show the number of users connected to the VPN, their method of authentication, current traffic, visited destinations from the guest portal, sites connected (for site-to-site VPN), volume of data exchanged, and timestamp of the connection. It can also be used for firewall rule configuration and updates, NAT traversal, port forwarding and FTP.
In addition, the BR500 can interconnect up to three offices as if they were connected locally, regardless of their geographical location. Netgear said this makes it easier to connect multiple offices so that employees can share IT resources such as file servers, NAS or other business-critical assets, with users experiencing access to the local business network as if they were in the office.
Meanwhile, A10 Networks has just released its Thunder 7445 Threat Protection System (TPS) with the promise of offering the industry’s highest-performance one rack unit appliance and the highest density of throughput per RU. It claims the appliance offers 220Gbps throughput and 330Mbps.
A10 describes the new appliance as a “flexible and robust” DDoS protection solution that offers “surgical precision” in detecting and mitigating against the full spectrum of attacks. It says Thunder TPS provides a unique approach to full-spectrum DDoS defence, placing detection capabilities within targeted infrastructure, including its application delivery controllers, carrier grade networks and converged firewall solutions. A10 reckons this provides advanced context, flow and packet level visibility to stop today’s most sophisticated targeted attacks. The company goes on to boast that the Thunder TPS delivers 6Mfps flow-based detection which is 22 times greater than the capacity of rivals, and can actively support up to 3,000 protected zones simultaneously which is claimed to be 15 times greater than traditional systems.
Other features include what’s described as “automated wartime protection”. A10 says this improves attack response times with proactive, intelligent automation featuring five levels of programmatic mitigation escalation and de-escalation. According to the firm, automated service discovery eliminates cumbersome manual provision and removes the need for frontline personnel to make time-consuming changes.
Always-on adaptive learning provides real-time adaptive traffic learning, with more than 27 tracked traffic indicators to eliminate detection errors. The appliance also integrates Proactive Dynamic Attack Pattern Extraction (DAPE) to thwart zero-day attacks.
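The combination A10 describes, flow-level indicators tracked against a learned baseline and a ladder of mitigation levels that escalate under attack and unwind when traffic calms, can be sketched as a small state machine. This is an added illustration and not A10 code: the three indicators, the per-zone baseline, the breach multipliers, the five stage labels and the flow records are all constructed, and a real system would learn the baseline and track far more indicators.

```python
"""Flow-based detection with tracked indicators and stepwise escalation/de-escalation
of mitigation per protected zone. Constructed illustration, not vendor code."""
from typing import Dict, List

MAX_LEVEL = 5
# Mitigation stage applied at each escalation level (constructed labels).
STAGES = {
    0: "monitor only",
    1: "rate-limit new sources",
    2: "challenge connection setup",
    3: "drop sources exceeding per-source budget",
    4: "divert zone to scrubbing path",
    5: "blackhole non-whitelisted traffic",
}
# An indicator is breached when it exceeds baseline * multiplier (constructed values).
MULTIPLIERS = {"pps": 3.0, "syn_ratio": 2.0, "unique_src": 3.0}


def indicators(flows: List[dict], window_s: float) -> Dict[str, float]:
    """Reduce one window of flow records to the tracked indicators."""
    total = sum(f["pkts"] for f in flows)
    syn = sum(f["syn_pkts"] for f in flows)
    return {
        "pps": total / window_s,
        "syn_ratio": syn / total if total else 0.0,
        "unique_src": float(len({f["src"] for f in flows})),
    }


class ZoneDefender:
    """Escalates one level per breached window; de-escalates one level after
    `calm_windows` consecutive clean windows so mitigation unwinds gradually
    rather than flapping on the first quiet second."""

    def __init__(self, zone: str, baseline: Dict[str, float], calm_windows: int = 2):
        self.zone = zone
        self.baseline = baseline  # learned per zone in a real system; constructed here
        self.calm_windows = calm_windows
        self.level = 0
        self.calm = 0

    def evaluate(self, flows: List[dict], window_s: float = 1.0) -> dict:
        ind = indicators([f for f in flows if f["zone"] == self.zone], window_s)
        breached = [k for k, m in MULTIPLIERS.items() if ind[k] > self.baseline[k] * m]
        if breached:
            self.level = min(self.level + 1, MAX_LEVEL)
            self.calm = 0
        else:
            self.calm += 1
            if self.calm >= self.calm_windows:
                self.level = max(self.level - 1, 0)
                self.calm = 0
        return {"zone": self.zone, "level": self.level, "action": STAGES[self.level],
                "breached": breached, "indicators": ind}


def make_flows(n_sources: int, pkts_per_source: int, syn_fraction: float,
               zone: str = "web") -> List[dict]:
    """Construct flow records for one window: one record per source address."""
    return [{"zone": zone,
             "src": f"10.{i // 65536 % 256}.{i // 256 % 256}.{i % 256}",
             "pkts": pkts_per_source,
             "syn_pkts": int(pkts_per_source * syn_fraction)}
            for i in range(n_sources)]


def run_scenario() -> List[int]:
    """Quiet traffic, three windows of a many-source connection flood, then quiet again.
    Returns the escalation level after each window."""
    defender = ZoneDefender("web", {"pps": 1000.0, "syn_ratio": 0.2, "unique_src": 100.0})
    quiet = make_flows(50, 10, 0.1)
    flood = make_flows(3000, 5, 1.0)
    windows = [quiet, flood, flood, flood, quiet, quiet, quiet, quiet]
    return [defender.evaluate(w)["level"] for w in windows]


if __name__ == "__main__":
    print(run_scenario())
```

The de-escalation rule is the part worth copying: stepping down only after a run of clean windows keeps the heavier mitigation stages from being dropped during a short lull in the attack, while still guaranteeing they are removed once traffic has genuinely returned to baseline.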
In September, New Zealand-based Endace claimed a first with the launch of the 9200 Series EndaceProbe. According to the specialist provider of high-speed network recording, traffic playback and analytics hosting, the new platform is the world’s first petabyte network recording appliance. With built-in compression and patented technology that auto-truncates encrypted or non-compressible packets to maximise storage, it’s claimed the 9200 Series can record more than a petabyte of network traffic at a sustained 40Gbps.
In order to conclusively investigate and respond to security threats and performance issues, Endace believes many organisations rely on recorded network packet history. It said the new EndaceProbe 9200 Series delivers a 5x boost in packet storage density, “dramatically” extending the depth of network history that can be recorded for analysis.
The platform features new search algorithms that are designed to enable fast searching across multiple stacks of EndaceProbes and petabytes of network history. As a result, Endace said that security analysts can now find ‘needle-in-the-haystack’ packets in seconds rather than hours, anywhere on the global network.
Like all EndaceProbe analytics platforms, hosting capability is built into the 9200 Series, allowing customers to host their choice of security and performance monitoring solutions from open source solutions, their own custom applications or Endace partners.
Earlier this year, G+D Mobile Security also claimed an industry first with the launch of a solid state drive with an embedded Secure Element (eSE) to store critical data. The German-based company said the product addresses the need for maximum, tamper-proof security of data stored on an SSD.
It features CryptoCore SSD which, says G+D, enables sensitive and confidential data to be stored easily and with the highest level of security. An eSE also ensures that sensitive data can only be accessed by authorised applications and people. CryptoCore SSD stores sensitive and confidential data on a tamper-proof chip embedded in the SSD. As a result, G+D said critical data are separated from conventional user data. It claims the risk of using ‘infected’ non-critical data to gain access to or manipulate security-relevant data is therefore “significantly reduced” without any extra effort on the part of the user.
G+D said typical users and applications that will benefit from its use are, for example, the health sector, aerospace industry, legal services such as lawyers and patent offices, as well as all other security-driven industries. CryptoCore SSD is compatible with Windows, Linux, MacOS and various smartcard middleware products, and is a certifiable and standardised component. G+D said it can be retrofitted, centrally managed, and provides the ability to make regular and long-time updates of the eSE. This is said to lead to lower maintenance costs for IT security and reduced total costs of ownership, while the system lifecycle is increased.
The SSD has an M.2 (Key B) interface, a specification for internally mounted computer expansion cards and their connectors that is commonly used in industrial applications.
It is offered with G+D’s Sm@rtCafé Expert 7.0 JavaCard-based smart card OS which supports a range of crypto features such as AES, RSA, elliptic curves, and SHA-512. For increased robustness and protection against environmental influences, the modules are epoxy resin coated.
Black Box reckons it is bringing to market new KVM switches with cyber security features that didn’t previously exist. The US-based digital solutions provider – which describes itself as a “pioneer” in KVM technology back in the 1990s – said it now offers a comprehensive line of secure KVM switches that safeguard against accidental transfer, unauthorised access or compromise of critical data. It claimed the switches deliver peripheral access with “military grade” security against cyber threats.
The switches have been designed to provide complete mechanical, electrical and optical signal isolation to ensure that absolutely no data is leaked between the ports. Black Box said each connection uses its own isolated data channel to ‘exclude’ the outside world. For added security, the switches also feature an always-on tamper-proof hardware design, including external hologram tamper-evident seals and long-life internal anti-tampering batteries, along with keyboard/internal cache wiping and non-reprogrammable ROM.
All Black Box secure KVM switches comply with PSS PP v3.0 (Protection Profile for Peripheral Sharing Switch) and are certified by the US National Information Assurance Partnership.
The issue of security hindered adoption of cloud services during the early days. But many of those fears have now been laid to rest and cloud migrations have been ramping up – according to research conducted by the Cloud Industry Forum last year, the UK’s overall cloud adoption rate currently stands at 88 per cent, with 67 per cent of users expecting to increase their adoption of cloud services in 2018.
As a result, many specialist vendors of software security have been focusing on developing products that specifically target cloud security. For example McAfee has just unveiled two new products expanding its MVISION portfolio which, said the firm, is “a first-of-its-kind solution that allows customers to deploy security on their terms as they move to the cloud”.
The new products include MVISION EDR (endpoint detection and response) which has been designed to enable security teams to act faster and with higher precision so they can do more with their current staff and skill sets. According to McAfee, many organisations typically suffer from “information overload” when it comes to most EDR systems. It said this is because such systems generate volumes of data and alerts that require skills – that are often in short supply – to interpret and investigate before action can be taken.
It’s claimed MVISION EDR implements human machine teaming to enable analysts of all skill levels to be more effective and efficient. It is said to utilise “advanced” analytics that leverage Mitre’s ATT&CK framework to identify and prioritise suspicious behaviour from contextually rich endpoint data. McAfee said these analytics help guide and automate in-depth investigations to reduce the tactical strain on security analysts, and enables rapid response with direct actions and broader integration to the security ecosystem.
The second new offering is MVISION Cloud. McAfee said that as information moves from protected on-premises corporate networks to the cloud, it can be very difficult for organisations to secure both sanctioned and unsanctioned services, protect sensitive data across the cloud, and stop the most advanced threats. The vendor reckons it has solved this problem with MVISION Cloud. It said this offers centralised management and brings together data protection and threat prevention across public cloud services spanning the SaaS, IaaS and PaaS spectrum.
MVISION Cloud is designed to provide visibility and control across all cloud services. It uses a combination of API- and proxy-enabled approaches, with DLP policy that can be extended from devices to the cloud. McAfee said this includes content scanning, logging and activity monitoring and threat and malware detection. It added that the new platform protects against malware and external and insider threats through UEBA (user and entity behaviour analytics) driven by machine learning built for the scale and elasticity of cloud environments.
Earlier this year, cyber security and application delivery services specialist Radware launched its Cloud Malware Protection Service. The company said this has been built to detect, alert on and block zero-day malware that eludes existing anti-malware defences and steals data.
The new cloud-based service includes audit tools that continuously test the user’s network for gaps in malware protection, as well as real-time reporting to help organisations comply with GDPR and other regulations focused at private data protection. It relies on traffic analysis to detect communication anomalies indicative of evasive zero-day malware activity. Radware said its service leverages “advanced” machine learning, patented algorithms, Big Data analysis, and a global community of more than two million enterprise users to identify and block malicious traffic that is consistent with data theft.
Cloud networking provider Aerohive made its entry into the secure access market earlier this year with the launch of A3 which is billed as the industry’s first hybrid cloud-access management solution. The authentication, authorisation and accounting (AAA) platform is said to offer a comprehensive portfolio of access-management functionality to enable onboarding and security for IoT, BYOD and standard wired and wireless clients. Aerohive reckons A3 delivers a complete, secure access solution, such as automated device provisioning, device profiling and network access control, self-service onboarding, and even guest access. It added that all this is done without the “operational complexities” associated with rival offerings.
A3 aims to deliver a complete, integrated cloud product for effective network security and client management, combining streamlined workflows, an “intuitive” UI, and what Aerohive said is its “cloud networking competency”. It is designed to be compatible with network equipment from all major vendors, but is said to feature unique, value-added functionality when deployed as part of an Aerohive SD-LAN/SD-WAN platform. These include, for example, integrated private pre-shared key (PPSK) management as well as working with the vendor’s HiveManager management platform.
Aerohive believes its solution is also unique in its ability to be deployed on-premises, akin to more traditional AAA and access management solutions. It will also be available as a cloud service accessible from the Aerohive Cloud Services platform. The company adds that it will be possible to configure a combination of the two, with certain functions distributed to remote premises and others centrally managed from the public or private cloud.
Privileged access management (PAM) company Bomgar has now completed its acquisition of BeyondTrust (see News, September issue), and says the integration of its remote access solutions with BeyondTrust’s PAM platforms will allow users to authenticate to a managed device and log on without ever knowing the credentials or assigned privileges of the devices they are accessing. “Essentially, their identity will translate from remote access seamlessly through privileged access to any target that they have permissions to access,” said Bomgar.
Prior to the merger of the two companies, BeyondTrust announced what it said was a first-of-its-kind privilege management solution for network, IoT, ICS and SCADA devices. PowerBroker for Networks expands the company’s privilege management support, which includes Windows, Mac, Unix and Linux endpoints, servers and applications, to any device managed via SSH or Telnet. BeyondTrust claimed that by using the product, customers can realise the benefits of end-to-end least privilege “faster and with less complexity” across nearly all environments, including critical network devices.
PowerBroker for Networks is an agentless solution that controls what commands users can run, records sessions, alerts, and provides a complete audit trail of user activity on network devices via the command line. Since most network devices do not allow for the installation of agents, or are manufacturer-specific, BeyondTrust believes its solution fills an important gap.
Delivered with a modular design, PowerBroker for Networks is said to “easily” scale to hundreds of thousands of nodes without overburdening the network or administrators with overhead. BeyondTrust said organisations can manage large, distributed and heterogeneous infrastructures while delivering optimal performance and without limiting activity. The firm added that the solution fully integrates with the central PowerBroker console, enabling customers to benefit from a single policy, management and reporting interface.
Because the software supports any device that utilises SSH or Telnet to enable management, BeyondTrust said it can be utilised across a diverse network and offers a number of features. These include enabling full, granular control and auditing of all commands and sessions to network devices. Real-time session monitoring warns, or warns then terminates, a session when questionable user behaviour is detected. PowerBroker for Networks also integrates with security information and event management (SIEM) solutions for complete security intelligence, generating logs and sending them to syslog to be picked up by a SIEM system.
Other features include alerts to prevent or stop unwanted activity for faster cyber security response, integration with password management solutions such as PowerBroker Password Safe to seamlessly retrieve passwords for automated sign-on through a proxied connection, and centralised control of policy and audit data for decentralised devices and administrators.
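The agentless model described over the last few paragraphs (a proxy in front of the SSH or Telnet session that decides which commands are forwarded, records the session, warns and then terminates on questionable behaviour, and emits every decision as syslog for a SIEM) fits in a short policy engine. This is an added illustration and not BeyondTrust code: the allow and deny rules, the device name, the user, the `pam-proxy`/`netpriv` identifiers in the syslog header and the choice of the authpriv facility are all constructed, and the lines are returned rather than sent anywhere.

```python
"""Agentless command control for a proxied network-device session with session
recording, warn-then-terminate, and RFC 5424-style syslog events for a SIEM.
Constructed illustration, not vendor code."""
import re
from datetime import datetime, timezone
from typing import Callable, List, Tuple

FACILITY_AUTHPRIV = 10  # syslog facility for the audit events (constructed choice)

# Constructed policy: explicit allows, explicit denies; anything else is "questionable".
POLICY = {
    "allow": [r"^show\b", r"^ping\b", r"^display\b"],
    "deny": [r"^(erase|format|reload)\b", r"^write\s+erase\b",
             r"^no\s+(ip|ipv6)\s+access-list\b"],
}


class ProxiedSession:
    def __init__(self, user: str, device: str, policy: dict = POLICY,
                 max_warnings: int = 1,
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.user, self.device, self.policy = user, device, policy
        self.max_warnings = max_warnings
        self.clock = clock
        self.transcript: List[str] = []   # session recording: every command typed
        self.events: List[str] = []       # syslog lines handed to the SIEM
        self.warnings = 0
        self.active = True

    def _emit(self, severity: int, msg_id: str, command: str, outcome: str) -> None:
        """Format one RFC 5424-style line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID [SD] MSG."""
        pri = FACILITY_AUTHPRIV * 8 + severity
        ts = self.clock().strftime("%Y-%m-%dT%H:%M:%SZ")
        sd = f'[pam user="{self.user}" device="{self.device}" outcome="{outcome}"]'
        self.events.append(f"<{pri}>1 {ts} pam-proxy netpriv - {msg_id} {sd} {command}")

    def submit(self, command: str) -> str:
        """Decide what happens to one command; returns the outcome label."""
        if not self.active:
            return "closed"
        self.transcript.append(command)
        cmd = command.strip()
        if any(re.search(p, cmd) for p in self.policy["deny"]):
            self._emit(2, "CMD_DENIED", cmd, "denied")  # alert; never forwarded
            return "denied"
        if any(re.search(p, cmd) for p in self.policy["allow"]):
            self._emit(6, "CMD_ALLOWED", cmd, "forwarded")
            return "forwarded"
        # Unlisted command: warn the first time, terminate the session on repeat.
        self.warnings += 1
        if self.warnings > self.max_warnings:
            self.active = False
            self._emit(1, "SESSION_TERMINATED", cmd, "terminated")
            return "terminated"
        self._emit(4, "CMD_WARNED", cmd, "warned")
        return "warned"


def run_session() -> Tuple[ProxiedSession, List[str]]:
    """Replay a constructed operator session against the policy above."""
    fixed = lambda: datetime(2018, 11, 8, 9, 0, tzinfo=timezone.utc)
    session = ProxiedSession("alice", "core-sw-01", clock=fixed)
    outcomes = [session.submit(c) for c in
                ["show version", "reload", "configure terminal", "debug all", "show clock"]]
    return session, outcomes


if __name__ == "__main__":
    s, o = run_session()
    print(o)
    print("\n".join(s.events))
```

Two design points carry over to a real deployment: the deny list is checked before the allow list so an overly broad allow pattern cannot mask an explicit prohibition, and the transcript is appended before any decision is made so the recording reflects what the operator typed, not only what was forwarded.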
Speaking at the time of the launch of PowerBroker for Networks earlier this year, BeyondTrust COO Brad Hibbert said: “Network devices – such as routers, switches, firewalls, IoT, ICS, and other SCADA devices – are critical for organisations to function, yet present open doors for external attackers and malicious insiders if not properly monitored. To improve security on these devices, organisations must have control and visibility over privileged user activity.”
Bitdefender has come up with a complete endpoint prevention, detection and response platform aimed at all organisations. Called GravityZone Ultra 3.0, it is said to be the industry’s first single-agent, single-console endpoint protection solution to combine prevention and hardening with “advanced” EDR.
Like McAfee with its MVISION portfolio above, Bitdefender also believes that EDR systems have proved challenging for users to deploy. According to the firm, enterprise adoption of such solutions has so far been limited due to “the realities faced by today’s resource-constrained security teams trying to manage large volumes of security alerts with disparate, marginally integrated solutions”.
To solve these problems, Bitdefender said it built GravityZone Ultra from the ground up to help organisations cope with complex infrastructures by keeping protection, detection and response manageable. It has been designed to eliminate the need for multiple agents, simplifying deployment and operations across all enterprise endpoints, including Windows, Linux and MacOS, in physical and virtual infrastructures, and across data centres and public cloud environments.
GravityZone Ultra works as a single, homogeneous solution with integrated workflows and advanced forensics. All this is said to enable IT teams to effectively deploy and seamlessly manage EDR as a new layer of defence in concert with the platform’s prevention capabilities.
According to Bitdefender, IT organisations can now use advanced EDR features such as pre- and post-compromise forensics, intelligent scoring of suspicious activity, attack-technique visualisation, real-time Indicator-of-Compromise (IoC) search, and automated resolution, all from within a single platform. This is said to help administrators identify incident origins more quickly, and uncover and close vulnerabilities across the organisation. Bitdefender claims new real-time and historic IoC search using natural language queries enables administrators to efficiently target and disable threats on any platform. It added that visualisation of attack techniques based on Mitre’s adversarial tactics, techniques and common knowledge tags are used to identify traces of attacks or suspicious activities, while an intelligent, automated ‘Severity Score’ dramatically reduces the overhead that plagues other solutions.
The company continued by saying that by combining GravityZone Ultra’s advanced prevention capabilities and its new features with attack timeline and sandbox output, threats are either blocked or incident response teams are able to react quickly to stop ongoing attacks before they do damage. This further protects and closes the loop for enterprises in their daily battle against sophisticated cyber threats, vulnerabilities and risk exposure.