SECURITY SPOTLIGHT FORUM NOV 2018 ROUND-UP: SMART APPROACH TO CYBERSECURITY
As the region’s trusted security advisor, Help AG plays an ongoing role in raising awareness about the latest cyber security trends in the Middle East. Our Security Spotlight Forum (SSF) event, hosted in premier venues across Dubai, Abu Dhabi, and Riyadh, has become an excellent platform for achieving this on a quarterly basis.
As the scale and complexity of cyber threats grow, while both IT budgets and resources struggle to keep pace, organizations need to be more efficient, effective and proactive in their approach to security. With this in mind, we set out to educate attendees on how they could adopt the ‘SMART Approach to Cybersecurity’ at our SSF in November. We focussed on the technologies that hold promise to make our world a little smarter by automating, integrating and benefitting from collective intelligence.
While we normally aim to keep our blogs short, we didn’t want to leave out any of the precious detail, so if there’s a specific aspect of this approach to security you’re keen to learn more about, here’s a quick reference for what’s ahead in this post:
- Help AG: The SMART SOC
- Symantec: The power of the packet fuels your investigation and incident response
- Splunk: The Phantom of the SOC
- F5 Networks: DevOps and beyond
- Infoblox: Threat Intel and orchestration of your defense
- Help AG: Live Hacking: Fileless attacks – What they are and why they’re such a problem to detect.
So, with that being said, let’s dive in!
Help AG: The SMART SOC
Integration, correlation, and automation have been key elements of Help AG’s Managed Security Service (MSS) since its inauguration in 2016. In this session, Simon Willgoss, Head of Managed Security Services, discussed how and what we automate in our SOC. He also outlined the upcoming automation roadmap that will ensure we continue to deliver the best MSS in the region.
Historically, the SOC has been responsible for security controls. The tools would make all sorts of noise as they generated events, but these were largely ignored unless there was a problem somewhere. In the last 15 years, the focus has shifted. Now these controls, or more specifically the events they generate, give crucial insight into the system’s security posture.
The goal is therefore not just to manage the Security Controls but more importantly, to help an organization detect and respond to threats, attacks, and incidents, leveraging sophisticated tools and threat intelligence. And this is where Security Orchestration Automation and Response (SOAR) comes in.
MSS helps curtail IT security operational costs while increasing the productivity of existing IT personnel, and offering 24/7 management for your security devices by field experts. This, in turn, leads to increased profitability by minimizing risks and downtime caused by breaches and attacks. Security logs are tracked, analyzed and archived by competent analysts, allowing the organization to improve security best practices while focussing on its core business.
With UAE-based MSS infrastructure, CSOC and analysts, 24/7 security expertise, and an average uptime of 99.999%, Help AG makes for the best bet when it comes to MSS.
Symantec: The power of the packet fuels your investigation and incident response
Packets don’t lie! Network packets hold a treasure trove of visibility, and being able to map a security event to the actual packet data is invaluable. In this session, Symantec discussed its Security Analytics platform, and how integrating it with your security platforms will turbo-charge your investigative capabilities.
Symantec Security Analytics closes the security gap by combining security visibility, security analytics, and real-time intelligence for immediate detection and effective incident response. This gives security professionals clear and concise answers to the critical post-breach security questions, including Who did this? How? When? What was accessed?
In addition, Security Analytics integrates with best-of-breed network security products to pivot directly from an alert to obtaining full-payload details of the event, before, during, and after the alert. The open web services RESTful API enables integration with network and endpoint security solutions such as Symantec, HP ArcSight, IBM QRadar, FireEye, Splunk, Cisco Sourcefire, Guidance Software, CounterTack, Carbon Black, Reversing Labs, Tripwire, Ziften, and many others. Combined with the Symantec SSLV Appliance, the Security Analytics platform eliminates blind spots in incident response.
Like a security camera or DVR for your network, Symantec Security Analytics delivers enriched, full-packet capture for full network security visibility, advanced network forensics, anomaly detection, and real-time content inspection for all network traffic. Armed with this detailed record, you can conduct forensic investigations, respond quickly to incidents, and resolve breaches in a fraction of the time you would spend with conventional processes.
Splunk: The Phantom of the SOC
We all know Splunk as an excellent data analytics platform for IT, operational and security events alike. In fact, Splunk chews up data like kids go through a packet of Oreos.
Did you also know that Splunk recently acquired the market leader in SOAR? Splunk Phantom’s SOAR technology helps customers work smarter and respond faster, aiding SOCs to orchestrate tasks and automate complex workflows.
The Phantom platform combines security infrastructure orchestration, playbook automation, and case management capabilities to integrate your team, processes and tools together. Phantom’s flexible app model supports 225+ apps and 1,200+ APIs, enabling you to connect and coordinate complex workflows across your team and tools. Powerful abstraction allows you to focus on what you want to accomplish, while the platform translates that into tool-specific actions.
Phantom enables you to work smarter by executing a series of actions — from detonating files to quarantining devices — across your security infrastructure in seconds, versus hours or more if performed manually. Phantom event and case management can be used to rapidly triage events in an automated, semi-automated, or manual fashion. Confirmed events can be aggregated and escalated to cases within Phantom, which enables efficient tracking and monitoring of case status and progress. All SecOps activity can be measured and reported through the platform to provide human oversight and auditing. Phantom also leverages machine learning via Phantom Mission Guidance and Phantom Mission Experts to augment your team with helpful suggestions.
F5 Networks: DevOps and Beyond
DevOps is fundamentally changing how we think about development life cycles and it is challenging the traditional thinking around how security can be deployed. We are living in an application-driven world and these apps are now at the centre of every company’s strategy: this is the heart of the Digital Transformation. The way the app is being developed has changed completely. Now, development is moving to DevOps, which is the practice of operations and development engineers participating together in the entire service lifecycle, from design through the development process through to production support.
In this session, F5 Networks introduced attendees to the concepts, terminology and important technologies associated with DevOps and explained how F5 Networks supports the orchestration and security of a DevOps application framework. F5 Application Services 3 Extension (referred to as AS3 Extension or more often simply AS3) is a flexible, low-overhead mechanism for managing application-specific configurations on a BIG-IP system.
F5 also spoke about the Super-NetOps initiative, an industry training and community-based program aimed at evolving network operations functions and enabling application services to be delivered through a service model rather than a traditional, ticket-driven approach. The goal of the Super-NetOps program is to help network operations professionals address this challenge by learning the skills necessary to standardize critical application services and provide them within automated toolchains. This will enable teams to reduce time to service from days to minutes while ensuring all applications meet necessary compliance, policy, and performance standards.
Infoblox: Threat Intel and orchestration of your defense
In this session, Infoblox presented its threat intelligence solution and the framework it uses to integrate this with firewalls and SIEMs, and discussed how SOAR platforms can query its platform for lookups.
Through a highly interconnected contextual ecosystem, Infoblox Ecosystem Exchange enables integrated solutions that extend security, increase agility, and achieve situational awareness for more efficient operations, on-premises and in the cloud. It provides visibility across the entire network (including virtualized or cloud deployments), automates IT workflows, enables faster remediation of threats and increases the value of existing investments in security and networking.
It is often observed that ineffective threat intelligence leads to poor incident response and slows remediation. Infoblox ActiveTrust Suite uses highly accurate machine-readable threat intelligence data via the flexible and open Threat Intelligence Data Exchange (TIDE) platform to aggregate, curate, and enable distribution of data across a broad range of infrastructures. TIDE enables organizations to ease consumption of threat intelligence from various internal and external sources, and to effectively defend against and quickly respond to threats.
TIDE provides data based on observed malicious Internet destinations with which devices have attempted to communicate, and detailed threat information around those endpoints to enable security teams to quickly understand the nature of the threats they are experiencing. The sources of threat intelligence are reviewed, the data correlated, and whitelists applied to significantly minimize false positives.
Help AG: Live Hacking: Fileless attacks – What they are and why they’re such a problem to detect.
In what was one of the best-received sessions of this SSF, Mukhammed Khalilov, Manager, Security Analysis, performed a demonstration on bypassing endpoint security solutions and advanced social engineering via obfuscation and attachments with embedded trojan payloads.
This demonstration focused on abusing trusted Microsoft-signed applications to launch the malicious code. The second part of the demo showed how one can embed malicious code, obfuscated within trustworthy documents, and deliver payloads via secure channels. During the demo, the trojan payload was executed in the memory of the machine without writing to disk. Finally, a back door was set up over an HTTPS channel using an impersonated SSL certificate.
The demo showcased some of the skills and techniques our analysts use during their penetration testing exercises, and further highlighted the need for a layered security approach within information systems, with emphasis on the proper selection of security controls and their professional deployment.
Help AG is the only company in the region to have reported over 70 zero-day vulnerabilities.
As you can probably tell from reading this post-show report, we covered a lot of ground in just half a day. This is why our customers unfailingly look forward to attending our SSF to ramp up their knowledge on key cyber security topics in the quickest and most effective manner.
We hope you’ve found this summary useful and as always, our experts are ready to help you solve all the cyber security challenges your organization faces. We promise more great topics in the year ahead and hope you join us at our next SSF! Keep following us on our social media channels to stay updated.