Post-Event Report: Help AG Security Spotlight Forum, Jan 2020
Security Spotlight Forum (SSF) is Help AG’s flagship cybersecurity event at which we get attendees up to date on the latest innovations in various aspects of cybersecurity, while also providing an excellent platform for networking among our partners and customers. It also gives us an opportunity to engage closely with our customers, understand their pain points and recommend the appropriate solutions and services according to their requirements.
The recently concluded edition of SSF, held in January 2020, was centered on Incident Response. Organizations invest in security solutions, policy programs and people skills in order to raise their level of protection and minimize the risk of cyber incidents. Still, cyber incidents do happen, as there is no such thing as a 100% guarantee in cybersecurity. The sessions at this forum were about what happens when a cybersecurity incident does occur.
Cyber Incident Response is about preparing for, handling and learning from Cyber Incidents. Even before you have an Incident, and long after you have dealt with a threat, there is important work to be done. During this forum, Help AG along with our best-of-the-breed partners unveiled what Incident Response looks like, and how one can prepare, handle and learn from the process.
Below, we share some of the key takeaways from these informative presentations.
Help AG: Decrypting Incident Response
In this session, Help AG delved into how organizations need to prepare, not just in terms of technology but also in terms of processes and governance, to ensure they are ready to tackle any type of cyber incident. Following that, our incident response team provided real-world insights into how incidents need to be handled and how best to ensure an effective and efficient response while minimizing exposure and loss for the organization.
Organizations need to understand that incident response readiness must begin well ahead of an incident, in order to minimize damage and make the best use of resources. A well-tested, executable incident response plan that can be put to use when the need arises is essential, and it forms an important component of the broader business continuity plan. The Help AG Cybersecurity Consulting team delved into several aspects of the ‘Preparation’ stage of Incident Response (according to the SANS nomenclature), followed by the Help AG MSS and IR team, which shone the spotlight on the remaining stages, i.e. Identification, Containment, Eradication, Recovery and Lessons Learned.

A very important point the team highlighted was that merely having the best technologies does not suffice for effective incident response readiness. While tools have their importance, the more crucial part is human expertise: Incident Responders need to be experts in many areas and specialists in multiple domains, and this is where enterprises need to rely on trusted advisors like Help AG. In mid-2019, Help AG accelerated the evolution of our existing Incident Response Triage workflow to cover incidents of many types, and this was quickly followed by our partnership with Munich Re to extend Incident Response Co-ordination and Technical Services to cyber insurance policy holders in the region.
Munich Re: Cyber insurance: Cyber protection hand-in-hand with IT security
Munich Re, the world’s leading expert on global and local risk solutions, shared its views on economic losses from cybercrime and the concerns these raise for enterprise risk management. They shed light on cyber insurance as the “final layer of defense”: the risk management tool for the case in which even the best IT security measures are bypassed.
Needless to say, economic losses from cybercrime are increasing at an alarming rate. While there are a number of insurance solutions available in the market, unless they are carefully chosen, their entire purpose may be defeated. Taking the UK as an example, Munich Re sees a market that is about 3% of the total US cyber market, at about 150 million USD in premium, including large corporates. In comparison to the US, however, the companies Munich Re has been talking to show a much higher annual SME premium growth of about 35%, a growth rate driven by GDPR and official authorities (such as the FCA, Financial Conduct Authority, and the PRA, Prudential Regulation Authority). Enterprise cyber insurance in the Middle East provides coverage for data restoration, incident response, cyber extortion, and business interruption. As a “final layer of defense”, cyber insurance transfers the remaining cyber risk to insurers. Munich Re went on to explain how, in partnership with Help AG, they offer help to enterprises during cyber incidents. Enterprise clients get support from a team of experts, comprising technology gurus, legal specialists and media advisors, to minimize the harm to their business.
BSA: Cybersecurity Through the Eyes of Law
BSA, the leading law firm in the Middle East market, gave an overview of the legal frameworks in place around cyber incidents, and of how enterprises can best exercise their legal rights and minimize losses from a cyber incident.
The development of technology in today’s world, and the extensive and recurrent collection and use of individuals’ data to analyze trends, consumer behavior and other matters, have led different jurisdictions to implement advanced data protection regulations that regulate and control the way data can be collected, used, stored, transferred and otherwise dealt with. Overall, in the UAE there are several laws that deal with this, including the UAE Constitution, UAE Federal Law No. 3 of 1987 (concerning the Penal Code, as amended), Federal Decree Law No. 5 of 2012 (on combating cybercrimes, also known as the Cybercrime Law, as amended) and Federal Law by Decree No. (3) of 2003 (regarding the organization of the telecommunications sector), to name a few.
BSA went on to give an overview of the process of cybercrime cases in the UAE and illustrated it with examples from their own experience. To conclude, they shared some recommendations that include, but are not limited to, employee training, a thorough understanding of risk exposure, identification of obligations and a model for addressing data, and insurance.
Attivo Networks: Unraveling the Magic of Smart Deception
Today, CISOs know that breaches do, and will, happen. What is needed is a way to detect all threats quickly and accelerate response. In this session, Attivo experts discussed why deception is a new, integral component of any successful advanced security posture strategy and the foundation for detecting threats from external attackers and malicious insiders. Deception technology provides a threat defense of traps and lures designed to deceive attackers into revealing themselves. Engagement-based attack analysis, forensics, and third-party integrations accelerate incident response.
Most perimeter and endpoint security solutions cannot reliably detect several attack vectors, such as zero-day exploitation, stolen employee credentials and spear-phishing. These and other detection gaps call for a more proactive approach instead of a reactive one. The Attivo ThreatDefend Deception Platform is a modular solution comprising Attivo BOTsink engagement servers, decoys, and deceptions, the ThreatStrike endpoint deception suite, ThreatPath for attack path visibility, ThreatOps™ incident response orchestration playbooks, and the Attivo Central Manager (ACM), which together create comprehensive early detection and an active defense against cyber threats.
SentinelOne: Because Traditional Controls Don’t Work well in the Modern World
A well-run security program is one in which multiple products work together, so that the sum of their output is greater than the individual parts. SentinelOne enables integrations with 300+ built-in APIs. This means it can integrate with many of the security products you already own in order to save you time and automate processes.
SentinelOne’s Automated EDR provides rich forensic data and can mitigate threats automatically, perform network isolation, and auto-immunize endpoints against newly discovered threats. As a final safety measure, SentinelOne can even roll back an endpoint to its pre-infection state. With 44% of businesses having faced ransomware infections in the last 12 months, recovery and rollback is a convenient capability.
Another USP of SentinelOne is its simplicity: one lightweight agent provides the functionality of EPP, EDR, HIPS, File Integrity Monitoring, and Vulnerability/Risk Management. The management console can be hosted in the cloud, on-premise, or in a hybrid model. SentinelOne is the first to allow security teams to use the MITRE ATT&CK framework as the new threat hunting standard. By integrating the MITRE framework with its ActiveEDR and Ranger IoT capabilities, SentinelOne continues to deliver on its commitment to build the cybersecurity platform of the future, empowering security teams with unprecedented actionable threat context and visibility.
Vectra: AI in Security Operations: What we have learnt so far
Time and talent are key factors in preventing a data breach. An effective SOC provides the benefit of a fast response time to a security incident. IR teams should receive alerts quickly and be able to discern between false and true positives efficiently, with a focus on lowering dwell time. AI accelerates detection and response, reducing the time to detect and contain and hence significantly lowering costs.
Vectra spoke about implementing the SOC Visibility Triad. Falcon and Cognito provide visibility and detection capabilities in the endpoint and network environments, respectively. Each of these products builds upon its visibility and detection data to provide initial analytics and immediate alerts. All this information is then passed on to the next stage, Analytics and Correlation. In this stage, Splunk Enterprise Security analyses the endpoint and network visibility and detection results and correlates them with data from user, vulnerability, and application management systems, as well as other security information including threat intelligence feeds.

In the coordination and response stage, Splunk Phantom receives the prioritized response from Splunk Enterprise Security as well as the endpoint and network alerts generated by Falcon and Cognito from their respective analytic capabilities. Phantom invokes automation and orchestration playbooks that leverage the data provided by Falcon, Cognito, and Splunk Enterprise. These playbooks coordinate an attack response across endpoint, network, user, and application management systems. The responses are executed at machine speed to limit the spread and breadth of an attack, but they can also include human decision points to throttle the level of automation to what is appropriate for the situation. The high degree of integration and interoperability between Falcon, Cognito, Enterprise Security and Phantom enables customers to implement the SOC Visibility Triad in a very practical and manageable operational configuration.
The Final Word
Once again, Help AG Security Spotlight has proven to be the best platform for sharing knowledge amongst industry peers. In this edition, we shed light on the crucial elements that make up a sound incident management practice within the organization, tackling topics ranging from preparing for the inevitable while all is quiet, to incident response and handling, all the way to cyber insurance and the legal aspects of cyber incidents. It is recommended to start your Incident Response Planning well before an incident occurs, to take out the right cyber insurance coverage, and to stay abreast of all the necessary legal frameworks. Incident handling, being a very specialized subject, is best left to the experts: while it is essential to have a good team in place, it is advisable to partner with a leading Incident Response Provider that will ensure you have the best in terms of people and technologies. All that being said, the importance of investing in the right technologies can never be over-emphasized. Organizations need to keep in mind that Incident Response Readiness is an ongoing process and should encompass people, processes and technologies to be foolproof and future-ready.
We hope this summary has provided insight into the Security Spotlight Forum and will serve as motivation for you to attend the next edition to learn and network with your industry peers. We look forward to seeing you there; until then, stay connected to Help AG Middle East through our social media channels, LinkedIn and Twitter, for all updates related to our solutions, services, cybersecurity trends, expert insights and events.