Security A to (almost) Z
Cybersecurity is a moving target, and what you think you know today may change tomorrow. Knowledge is power, though, so channel pros need to stay on top of trends and developments in one of the industry’s most important segments in order to keep their customers safe.
Security expert Mike O’Hara uses a simple analogy: “You wouldn’t cross Fifth Avenue during rush hour without looking both ways. Yet people every day do what I consider to be the digital equivalent of crossing Fifth Avenue at rush hour against the light without looking. They go online with little understanding of what threats are out there.”
To help guide your customers safely across the cybersecurity thoroughfare, here’s a primer on “everything you ever wanted to know about the newest security concepts and product categories but were afraid to ask.” Our experts add their thoughts on the good, the bad, and the ugly.
Terms and Tips
artificial intelligence/machine learning: in the context of security, a system that helps identify, analyze, and mitigate cyber risk by consuming and learning from large amounts of structured and unstructured data sources
“People are starting to understand that [the] reactive mode of cybersecurity just isn’t cutting it,” says O’Hara, adding that “predictive defense” leveraging machine learning will be a big trend over the next five years, and that MSPs should start partnering with vendors that are building AI into their platforms.
It’s a concept that MSPs who use RMM solutions that can predict things like hard drive failure should be able to relate to, O’Hara says. Similarly, AI-based security products will enable MSPs to proactively identify and mitigate attacks.
baseline: establishing a customer’s current IT infrastructure, processes, performance, management, and security solutions
Before providing security services, MSPs need to first identify what’s currently in place (a baseline), says Jay Ferron, chief technology officer at Interactive Security Training. “If they don’t know the services that are running, if they don’t know the configurations of their customer’s environment, they’re never going to know if somebody’s hacked or changed something that wasn’t authorized.”
browser isolation: sandboxing your browser so it doesn’t interact with the rest of your system
This is absolutely something people should be doing, O’Hara stresses. “What do you call an application that runs on Internet Explorer 6?” he asks. “You call it a Windows application, because it’s still tied to the operating system.” That hasn’t changed with the switch from IE to Microsoft Edge, O’Hara continues, so isolating the browser from the rest of the platform is critical.
cloud access security broker (CASB): on-premises or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers (Gartner)
“CASB was a category name made up for solutions that would sit in your gateway and monitor all your connections to Salesforce, for instance,” says Richard Stiennon, chief research analyst at IT-Harvest. A CASB “could enforce corporate policies about access to Salesforce, and it could also encrypt data that’s being put into Salesforce. Then, of course, those gateways could add all sorts of other applications as more and more software became SaaS delivered.” The downside is that a CASB can cause congestion and performance issues, he adds.
Stiennon expects emerging cloud security platforms to overcome these issues, citing Zscaler as an example. “Every user connects through Zscaler to the apps they need, from any device or location.” Stiennon says this approach helps not only with mobile device security, but eventually Internet of Things (IoT) security as well.
data loss (leak) prevention (DLP): identifying and monitoring sensitive data to prevent unauthorized access
Organizations set rules around what types of data cannot be transmitted outside the corporate network, such as credit cards and Social Security numbers, Stiennon says. DLP tools such as those from Symantec, SecureTrust, McAfee, Check Point, and Digital Guardian catch and block that exfiltration.
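As an added illustration of the kind of rule such tools apply (this is example code, not part of the article or any vendor's DLP product), the Python below scans outbound text for the two data types named above, card numbers and Social Security numbers, and uses a Luhn check and SSA issuance rules to avoid blocking ordinary digit strings. The sample messages are constructed; the card number is the well-known Visa test number and the SSN is a placeholder.

```python
# Added example (not any vendor's DLP engine): content rules for two data types the
# article names, card numbers (PANs) and US Social Security numbers, with checks
# that cut false positives before an outbound message is blocked.
import re

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, spaces/dashes ok
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: most random digit runs fail it, real PANs pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def ssn_plausible(area, group, serial):
    """Reject values the SSA never issues: area 000/666/9xx, group 00, serial 0000."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"

def find_sensitive(text):
    """Return (rule, value) pairs for sensitive data found in an outbound message."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(("PAN", digits))
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append(("SSN", m.group(0)))
    return hits

def dlp_decision(text):
    """Policy: any confirmed PAN or SSN in outbound content is blocked."""
    return "BLOCK" if find_sensitive(text) else "ALLOW"

# Constructed sample messages: the PAN is the well-known Visa test number and the
# SSN is a placeholder value, so neither belongs to a real person.
SAMPLES = {
    "card": "Invoice paid with card 4111 1111 1111 1111, thanks",
    "ssn": "Employee SSN is 123-45-6789 for the onboarding form",
    "order": "Order number 4111111111111112 shipped today",  # fails Luhn
    "clean": "Meeting moved to room 123-45 at 10:00",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, dlp_decision(msg), find_sensitive(msg))
```

The "order" message shows why the checksum matters: it contains a 16-digit run that a bare regex would block, but it fails Luhn and is allowed through.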
endpoint detection and response (EDR): solutions that detect security incidents and contain them at the endpoint, plus provide contextual information and remediation guidance
Lawrence Cruciana, president of Corporate Information Technologies, an MSP in Charlotte, N.C., employs an EDR solution from Cylance. “This system allows us to place granular controls and collect granular application information from all of our managed endpoints. We can look under the covers of thousands of systems and deploy if-then-else type protocols to support overlapping security controls and response to specific security incidents,” he explains.
Before rolling out an EDR solution, though, channel pros should experiment with it first by setting up a virtual environment to avoid triggering an onslaught of false positives, advises Mike Bloomfield, president of Tekie Geek, an MSP in Staten Island, N.Y. “Nothing is worse than getting a call by a client that you rolled out your new endpoint protection, and their legacy application is now being killed on every computer and quarantined.”
governance/compliance management: monitoring and controlling sensitive or personal data according to local, state, national, and international regulations
Many SMBs need to comply with PCI-DSS (credit cards), HIPAA (healthcare), SOX (financial), and other regulations, along with the newest regulations around privacy—the European Union’s General Data Protection Regulation and California’s Consumer Privacy Act of 2018.
Ferron says MSPs should learn what regulations pertain to their customers’ businesses or partner with an expert. Governance tools such as RSA’s Archer Platform are available as well, Ferron says, but they are expensive. “Do I see this space coming where there’ll be an MSP-hosted governance module where one MSP can put all of their customers in this one engine and get a snapshot of where they’re at? Yes, but I haven’t seen any really good ones yet.”
Internet of Things security: protecting back-end networks and devices connected to the IoT
According to the 2019 Official Annual Cybercrime Report from researcher and publisher Cybersecurity Ventures, sponsored by the Herjavec Group, “IoT (Internet of Things) devices were the biggest technology crime driver in 2018.” The report says that will continue through 2019 and the foreseeable future.
“We’re in the birth stages of security for IoT,” says Stiennon, noting that part of the problem is the proliferation of devices and lack of standards. Indeed, research from the IoT Security Foundation finds that fewer than 10 percent of consumer IoT companies follow vulnerability disclosure guidelines.
Work is underway to address such problems, though. For example, the foundation in December issued Release 2 of the IoT Security Compliance Framework, and vendors will be rolling out IoT security products in growing numbers soon too. Stiennon points to startup firm Phosphorus as an example.
intrusion detection system (IDS): monitors network events and analyzes them for signs of possible incidents, violations, or imminent threats
intrusion prevention system (IPS): performs intrusion detection and then stops the detected incidents
The “father” of IDS/IPS is an open source solution called Snort, Ferron says. “Almost everybody’s got a variation of Snort.” He recommends MSPs install some type of IDS/IPS in their customers’ environments or outsource the function to a company like Vigilant.
managed security service provider (MSSP): monitors and manages security devices and systems, and typically operates (or outsources) a 24/7 security operations center (SOC)
MSSPs are focused subject matter experts, says Cruciana. Unlike MSPs, “they aren’t necessarily concerned with the health of your stack, or how your system is configured, or is your database server running the most optimal way. To a client, IT is anything that has a wire sticking out of the back of it. In the true security space, there are very few wires. There’s more protocol and procedure and administrative controls. And those two worlds really haven’t met.”
O’Hara expects they will. Before long, he predicts, an MSP who doesn’t offer managed security will be like a locksmith who does physical tumbler locks but not car key systems.
network anomaly detection: continuous monitoring of network traffic for unusual events or trends
Traditional cyberdefense presumed that everything outside the network is not trusted and everything inside is, says Cruciana. Network anomaly detection solutions, by contrast, take nothing for granted, basing their actions on long-term observation of what is and isn’t normal in one specific environment. “[It] doesn’t presume that a printer is just a printer,” says Cruciana.
His product of choice is KineticFuse’s ThreatWarrior. “This allows us to look at all of the network traffic both north-to-south (inside to outside) and east-to-west (machine to machine/machine to server) within our managed networks. It uses an unsupervised neural network to learn each client’s network, behavioral patterns, and typical use characteristics. This evaluates all network traffic equally and identifies things that don’t belong without the use of pattern-based signatures.”
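To make the baseline idea concrete, here is an added toy example (not ThreatWarrior's or any vendor's code) that learns, for each internal host, which direction/port combinations and which peers it used during an observation window, then flags later flows that fall outside that profile without any signature. It assumes 10.0.0.0/8 is the site's internal range, and the baseline and live flows are constructed.

```python
# Added example, not ThreatWarrior's or any vendor's code: learn per-host
# (direction, port) pairs and peers in a baseline window, flag flows outside it.
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed site address range

def direction(src, dst):
    """east-west stays inside the site; north-south crosses the perimeter."""
    inside = [ipaddress.ip_address(h) in INTERNAL for h in (src, dst)]
    return "east-west" if all(inside) else "north-south"

def learn_profile(flows):
    """flows: (src, dst, dst_port) tuples observed during the baseline window."""
    profile = {}
    for src, dst, port in flows:
        p = profile.setdefault(src, {"ports": set(), "peers": set()})
        p["ports"].add((direction(src, dst), port))
        p["peers"].add(dst)
    return profile

def detect(profile, flows):
    """Return (src, dst, port, direction, reason) for flows outside the profile."""
    alerts = []
    for src, dst, port in flows:
        d, p = direction(src, dst), profile.get(src)
        if p is None:
            reason = "unknown host"
        elif (d, port) not in p["ports"]:
            reason = "new service use"
        elif dst not in p["peers"]:
            reason = "new peer"
        else:
            continue  # behaviour already seen in the baseline
        alerts.append((src, dst, port, d, reason))
    return alerts

# Constructed baseline: print jobs to a printer, printer HTTPS updates, one SMB user.
BASELINE = [
    ("10.0.2.10", "10.0.1.50", 9100),
    ("10.0.2.11", "10.0.1.50", 9100),
    ("10.0.1.50", "203.0.113.7", 443),
    ("10.0.2.10", "10.0.3.5", 445),
]
# Constructed live traffic: a known flow, then three that the profile never saw.
LIVE = [
    ("10.0.2.10", "10.0.1.50", 9100),
    ("10.0.1.50", "10.0.3.5", 445),
    ("10.0.1.50", "198.51.100.9", 6667),
    ("10.0.2.10", "10.0.3.6", 445),
]
```

Running `detect(learn_profile(BASELINE), LIVE)` raises the printer's east-west SMB and outbound 6667 flows as new service use, which is the "a printer is not just a printer" case, while the workstation's familiar SMB port to an unfamiliar server is reported as a new peer.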
orchestration: a method of connecting security tools and integrating disparate security systems
According to a report from Cisco, Small and Mighty: How Small and Midmarket Businesses Can Fortify Their Defenses Against Today’s Threats, SMBs are implementing more security products from multiple vendors. The research finds that 77 percent of midmarket businesses say it’s challenging to orchestrate alerts from these many solutions, leaving many uninvestigated.
Cisco therefore recommends choosing security products with openness in mind. Recommended questions to ask include: “How will they integrate with others in terms of sharing data and threat intelligence? Is there management console integration? If a vendor says products are built to fit and work with others—does this happen out of the box or will the buyer have to do considerable API work?”
password manager: a software application that encrypts multiple passwords and provides secure access to them with the help of a master password
While there are numerous solutions like Keeper available for password management, Stiennon says the industry is waiting to see what Cisco does with its acquisition this past October of Duo Security, which provides cloud-based unified access security and multifactor authentication.
A growing trend in password management, he adds, is “zero trust,” meaning “that I can no longer trust a service provider to have my data. That means I’m going to encrypt it myself.” He is working with a startup called PasswordWrench that uses two-factor authentication with a password manager and does not require a phone or SMS.
policy: a set of rules regarding the use and access of an organization’s digitally stored data
Cruciana says policy is the most important security tool because “security” means something different to everyone. “To allow for commonality of understanding between our clients, their stakeholders, and our team we use policy that is grounded in open standards and frameworks,” he says. This includes the NIST Cybersecurity Framework (NIST CSF), the ISACA Control Objectives for Information and Related Technologies (COBIT, v5), and the Penetration Testing Execution Standard (PTES) frameworks. “We encourage and support our clients in developing such policy frameworks to help both us as their MSP and them as an organization contemplate and define what information security means within their organization,” Cruciana says.
privileged access management (PAM): managing and controlling access to sensitive or critical data
According to Cruciana, PAM essentially minimizes trust. “I’m going to define roles for users, and the users are permitted to run this particular set of applications in an elevated mode, but nothing else,” he says. “This permits the implementation of a least-privilege end-user environment.” The result, he continues, is fewer users with too many or overly permissive rights and therefore a smaller attack surface.
ransomware: malware designed to deny access to a computer system or data until a ransom is paid; typically spread through phishing emails
According to Cisco’s Small and Mighty report, 77 percent of SMBs say ransomware attacks like WannaCry are among their top security concerns. The report also notes that “small/midmarket businesses are more inclined to pay ransoms to adversaries so that they can quickly resume normal operations.” Cisco recommends employee security awareness education, implementing backup and disaster recovery (BDR), keeping patches up to date, staying on top of malware protection technology, and tightening up security and breach response practices.
risk assessment: determination of what security risks a company’s critical assets face and how much funding and effort is required to mitigate them (SecurityScorecard)
According to Ferron, a risk assessment involves determining which risks, such as regulatory requirements and potential fines, SMB customers need to be concerned with. “One of the areas that I see coming up as a very big thing is the whole concept of data protection, data classification, and then spending the money and the time to protect that which is more important as compared to just protect everything, because you can’t,” he says.
Cruciana adds that MSPs can use the NIST Cybersecurity Framework to quantify a customer’s cyber risk and then, based on maturity level, add specific risk-based controls. Solutions such as RapidFire Tools’ Network Detective can help as well.
security information and event management (SIEM): provides real-time analysis and correlation of security alerts coming from applications and network hardware
The advantage of a SIEM, says Cruciana, is technicians can address a single issue rather than numerous disparate event sources. “We use AlienVault’s USM [Unified Security Management] product to incorporate security activity data from our various security tools and provide correlative analysis between each discrete tool.”
supply chain attack: infiltration of a system via an outside partner or provider
Maxim Frolov, managing director of Kaspersky Lab North America, says software and hardware supply chain attacks, such as AppleJeus, Olympic Destroyer, ShadowPad, and ExPetr, will remain a major concern in 2019. “Organizations will need to come up with new approaches, including more strict requirements for service providers [and] hardware and software makers to reduce the risks.”
threat hunting: proactively and iteratively searching for and isolating threats that have evaded advanced security systems
Traditionally a manual function, threat hunting can now be automated with the help of tools from security vendors like Carbon Black. According to a 2017 SANS Institute survey, 82 percent of all SOCs are investing in advanced threat hunting programs. Ferron advises MSPs to sign up for real-time threat notifications too. “There are organizations out there that the MSP community can join that tell them about this stuff,” he notes. InfraGard is an example.
unified threat management (UTM): typically an appliance combining firewall, anti-virus, and IDS/IPS in a single platform
“UTM is what the new firewall industry has turned into,” says Stiennon. “It’s the logical way to do network security.” Fortinet, Palo Alto Networks, and SonicWall all offer examples, he says.
web application firewall: an application firewall for HTTP applications
Research data suggests that these systems, which come in both virtual and physical form factors, are more needed than ever. According to The State of Web Application Vulnerabilities in 2018 report from Imperva, the overall number of new web application vulnerabilities in 2018 increased by 23 percent from 2017, and more than half of web application vulnerabilities have a public exploit available to hackers. In addition, more than a third of web application vulnerabilities don’t have an available solution, such as a software upgrade, workaround, or patch.
The ChannelPro Network is dedicated to providing IT consultants, VARs and MSPs who serve the IT needs of small and midsize businesses (SMBs) the news, insights, resources and best practices necessary to help them grow their businesses and better serve their SMB customers.