In the digital world we face new kinds of challenges all the time, and solutions built for yesterday’s problems no longer help. Faced with today’s cybersecurity challenges, organizations and institutions mostly limit themselves to single, isolated countermeasures. To make the most of the opportunities of digitalization, a comprehensive and sustainable security concept is needed, based on monitoring, detection, and prevention.
This post summarizes the annual Atos Cybersecurity Forum, held at the beautiful Gottlieb Duttweiler Institute (GDI) on November 14th, 2017. This year’s key themes were cybercrime, prescriptive security, privileged account management, a case from the healthcare industry, sophisticated cyber attacks and threat intelligence, IAM delivery in a large-scale environment, the way we buy cybersecurity, and red teaming.
Our Digital World – Facing and Tackling New Challenges
How long would it take to hack you in a red-teaming exercise? PwC’s Reto Häni spoke about cybercrime and the multifaceted problems of a digitalizing world. Many companies do not have a complete incident response plan, and hacking almost any company is only a matter of time and resources. The digital revolution (cloud, IoT, big data) increases cyber risk as everything becomes more complex, and regulators respond with more regulation.
Today’s C-level executives do not really know what to do. There is also a communication challenge: security specialists speak a language that top management does not understand.
Identity is the key to protect ourselves. There are different ways to prove an identity:
- Governmental, e.g. a passport
- Ourselves, e.g. face or fingerprint
- Global network of identities based on trust
To protect our identities we need to play all parts of the game:
- Strategy & Policy
- Protect and test
- Operate; improve and monitor
- Respond and react
- Remediate; learn and raise awareness
I am here to play!
Prescriptive Security and Next-Generation SOC
Gartner estimates that 60% of companies will be victims of a major breach by 2020, said Günter Koinegg, Head of Big Data and Security CEE at Atos. Mobile has become the main route for compromise, IoT hacks are already surging, crime is increasingly syndicated, and systemic vulnerabilities will be weaponized.
Because the security industry is highly fragmented, with hundreds of vendors each providing point solutions, integration and automation become harder. The current approach is unsustainable: the average time to detect a breach is hundreds of days, the cost over €3 million, and resolution takes from a day to many weeks.
Prescriptive Security orchestrates the automation of security actions to resolve current threats quickly, and anticipate future ones, at scale. Compared to a traditional disconnected architecture, Atos quotes a reduction in time to respond from 24 hours to 10 minutes and in time to protect from 3 hours to 2 minutes, while the capacity handled rises from 6 Indicators of Compromise (IOC) per day to 210 IOC/day, and 85% less security technology is required on the endpoints.
Zoltan Bakos from Balabit talked about compliance and user monitoring from the privileged access management (PAM) perspective. To comply with the relevant standards and regulations (e.g. ISO 2700x, PCI DSS, SOX), proper control of privileged accounts is required.
Log analysis alone is no longer sufficient: only 1% of data breaches are discovered through log analysis. A proper SIEM combined with privileged session management and privileged account analytics can help. Balabit’s solution handles up to 1 500 simultaneous sessions per node, records all administrative sessions and feeds that information to the SIEM, and ensures that only authorized users can access critical IT infrastructure.
Case: Managing Safe and Appropriate Access in Healthcare Institution
Jordi Cuesta from Evidian, part of Bull Atos Technologies, presented the IAM case of Lausanne University Hospital. Their vision was to move from separate silos to clinical pathways in a paperless, cross-functional hospital, and they recognized the need for digital transformation.
The first phase of the project started with the main processes, a small subset of users, and just a few applications, and was completed in only 10 months. Full deployment followed in the second phase. The main challenge was a complicated infrastructure with over 200 core IT applications and 70 medical applications, plus a very high volume of Joiners-Movers-Leavers (JML), e.g. up to 1 000 junior-doctor movers.
Some key lessons learned: Identity Management (IdM) is a key step towards a digital hospital. The project is complex and cross-functional, and calls for innovation. A true IdM project is risky and complex, requiring a high level of change management, streamlining of processes, and complex technical integrations. Reality is often different from the models and theory. Success is only possible with active support from management, clear and achievable goals, and by not being too ambitious at the beginning.
Today, new joiners are ready to start working from day 1, even during the two large waves of joiners and leavers each year. Access is updated consistently and promptly with staff changes, and costs were reduced by 50%.
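The core of keeping access in step with staff changes is a reconciliation between the HR feed and what each account actually holds. The following is an added example, not code from the Evidian or hospital project: it assumes a hypothetical role catalogue mapping job roles to application entitlements, and the HR records and account state it runs on are constructed sample data.

```python
"""Joiner-Mover-Leaver (JML) reconciliation against an HR feed.

Added example, not code from the Evidian / Lausanne University Hospital
project: it shows the decision an identity-management system makes when HR
data changes. The role catalogue, HR records and current account state
below are constructed sample data.
"""
from dataclasses import dataclass

# Hypothetical role catalogue: job role -> application entitlements.
ROLE_ENTITLEMENTS = {
    "junior_doctor": {"ehr:clinician", "pacs:view", "pharmacy:prescribe"},
    "nurse": {"ehr:nurse", "pacs:view"},
    "finance": {"sap:fi_user"},
}


@dataclass(frozen=True)
class HrRecord:
    person_id: str
    role: str
    active: bool  # False once HR has recorded the leaving date


def reconcile(hr_feed, current_access):
    """Return the provisioning actions needed to make accounts match HR.

    hr_feed: iterable of HrRecord, the authoritative source.
    current_access: dict person_id -> set of entitlements currently held.
    Result: dict person_id -> {"type", "grant", "revoke"}; people whose
    access already matches their role produce no entry.
    """
    hr_by_id = {r.person_id: r for r in hr_feed}
    actions = {}

    for pid, rec in hr_by_id.items():
        have = current_access.get(pid, set())
        if not rec.active:
            if not have:
                continue  # left long ago, nothing left to revoke
            target, kind = set(), "leaver"
        else:
            # An unknown role is a data error; silently mapping it to
            # "no access" would strip a working employee of everything.
            if rec.role not in ROLE_ENTITLEMENTS:
                raise KeyError(f"unknown role {rec.role!r} for {pid}")
            target = ROLE_ENTITLEMENTS[rec.role]
            if pid not in current_access:
                kind = "joiner"
            elif have != target:
                kind = "mover"
            else:
                continue  # already consistent
        actions[pid] = {
            "type": kind,
            "grant": sorted(target - have),
            "revoke": sorted(have - target),
        }

    # Accounts with no HR record at all are orphans: revoke everything.
    for pid in current_access.keys() - hr_by_id.keys():
        actions[pid] = {"type": "orphan", "grant": [],
                        "revoke": sorted(current_access[pid])}
    return actions


def demo():
    """Run the reconciliation on constructed sample data."""
    hr_feed = [
        HrRecord("p1", "junior_doctor", True),  # starts tomorrow, no account yet
        HrRecord("p2", "junior_doctor", True),  # rotated in from a nurse role
        HrRecord("p3", "finance", False),       # has left
        HrRecord("p4", "finance", True),        # unchanged
    ]
    current_access = {
        "p2": {"ehr:nurse", "pacs:view"},
        "p3": {"sap:fi_user"},
        "p4": {"sap:fi_user"},
        "p5": {"pacs:view"},  # account with no HR record
    }
    return reconcile(hr_feed, current_access)


if __name__ == "__main__":
    for pid, action in sorted(demo().items()):
        print(pid, action)
```

Two details matter in practice: a mover's old entitlements are revoked in the same pass that grants the new ones, so rotation does not accumulate access, and an account with no HR record is treated as an orphan to be revoked rather than ignored.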
World’s Most Sophisticated Threats
Christian Funk from Kaspersky took the audience into the world of advanced threats, from Stuxnet to DarkHotel. Phishing techniques are easily hidden in e-mails and web pages, and a supply chain attack can deliver compromised software from seemingly genuine sources. Fileless malware is especially hard to notice: traditional file-based indicators no longer apply, and forensic analysis becomes very complex. Malware often has sandbox-detection mechanisms to make analysis by security vendors harder; for example, if the browser history is too short, the malware may not activate. In the so-called DarkHotel attacks, the hotel’s Wi-Fi is used to target guests’ devices by offering a fake software update (e.g. for Adobe Flash Player).
Case: Successful Delivery of IAG Programs in a Large Scale Environment
Nestlé’s IAM Security Architect Mathias Juan Perazzo walked through the award-winning Nestlé AMIGO (Access Management Identity Governance) program, delivered by Atos Consulting. Nestlé’s environment is complex and most probably one of the world’s biggest IT ecosystems: over 325 000 identities, 8 000 applications, and hundreds of thousands of roles. They wanted to brand the program for people who do not understand IAM, or even security. Key success factors were aligning everything with the business, setting up a proper communication strategy, streamlining ways of working, and automating as much as possible.
Lessons learned during the program include the importance of executive sponsorship, change-management communication, standardization of processes, reducing the complexity of integrations, and piloting instead of a first-time-right approach.
State-of-the-Art Cybersecurity – So What’s Different?
77% of businesses see digitalization as essential to their survival. Palo Alto Networks’ VP Greg Day concentrated on how we consume technology. Everything is shifting towards subscriptions rather than capital investments: by the time a multi-year project to deploy what was state-of-the-art cybersecurity is finished, the world has changed so much that the return on investment is low.
Think of a Rubik’s cube: there are 43 quintillion possible states, but only one is correct. With a learnable algorithm, a human has solved it in about 5 seconds and a robot in less than a second. The cybersecurity analogy is that we need to solve multiple different cubes simultaneously, without a pre-learned algorithm.
If it takes you 146 days to notice a breach, how can you replay and audit what exactly happened, especially now that the GDPR gives you only 72 hours to report it to the authorities? You need modern solutions and state-of-the-art cybersecurity. Greg listed five steps to get there:
- Cyber intelligence must be actionable
- Common gathering and storage of threat indicators
- Security on demand, native and integrated, with access to new capabilities
- Automated process management
- A common platform
Palo Alto Networks’ strategy is to identify the most “bang for the buck”: defenses that protect most efficiently against most kinds of attacks, placed at the optimal spot.
Red Teaming – What Is Really Important Today?
“Cybersecurity is just a start.” In the last session of the day, a hooded man from FIL RED TEAM came on stage. Red teaming is ethical hacking: the closest alternative to a real attack, used to test whether your defenses can prevent a breach. Red teams use not only technology but also psychology and whatever other means they can imagine to break in; they just do not actually steal or destroy your assets.
The hooded man gave some great examples. With a cheap infrared (thermal) camera, an attacker standing in the queue behind a customer can photograph the payment terminal after use; the residual heat on each key pressed reveals which digits were entered and, since the most recently pressed key is the warmest, in which order.
Other examples included companies that had stuck their secret plans on post-it notes in a window, which were easy to photograph and read from far away. An attacker can send you an e-mail saying your credit card has been misused and deactivated and that you must immediately call a toll-free number. The number actually does connect you to your real bank, not a fake one, but the call is bridged so that the attacker listens in as well and captures your card number. It is also surprising how easily 30 to 50% of people give up their password: for a box of chocolates!
Key takeaways from this session: check how uniquely your browser can be fingerprinted with tools like Panopticlick; do not use open Wi-Fi in cafés or hotels; and always patch your devices promptly, but only while connected to a network you trust.
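Panopticlick reports how many “bits of identifying information” a browser exposes. The following is an added example, not code from Panopticlick or the EFF, showing how that figure is derived: a value shared by `count` of `N` observed browsers reveals log2(N / count) bits, and the full fingerprint is scored the same way. The attribute names and the eight-browser population are constructed for illustration.

```python
"""How a fingerprinting test such as Panopticlick scores a browser.

Added example, not code from Panopticlick or the EFF. If a value is shared
by `count` of `N` observed browsers, seeing it reveals log2(N / count) bits;
the combined fingerprint is scored the same way. The population below is a
small constructed sample (all values invented), so the numbers only
illustrate the method.
"""
import math
from collections import Counter

ATTRIBUTES = ("user_agent", "timezone", "fonts", "canvas_hash", "dnt")


def _browser(ua, tz, fonts, canvas, dnt):
    return dict(zip(ATTRIBUTES, (ua, tz, fonts, canvas, dnt)))


# Constructed population of eight browsers.
POPULATION = [
    _browser("Chrome/62", "Europe/Zurich", "default", "c1", "0"),
    _browser("Chrome/62", "Europe/Zurich", "default", "c1", "0"),
    _browser("Chrome/62", "Europe/Zurich", "default", "c1", "0"),
    _browser("Chrome/62", "Europe/Zurich", "default", "c1", "0"),
    _browser("Firefox/56", "Europe/Zurich", "default", "c2", "0"),
    _browser("Firefox/56", "Europe/Zurich", "default", "c2", "0"),
    _browser("Chrome/62", "Europe/Zurich", "default", "c1", "1"),  # DNT on: rare, so identifying
    _browser("Chrome/62", "Asia/Tokyo", "corporate", "c1", "0"),   # unusual timezone and fonts
]


def surprisal_bits(population, key_fn):
    """Map each observed key to log2(N / count): rarer values carry more bits."""
    counts = Counter(key_fn(b) for b in population)
    n = len(population)
    return {value: math.log2(n / c) for value, c in counts.items()}


def fingerprint(browser):
    return tuple(browser[a] for a in ATTRIBUTES)


def score_browser(population, browser):
    """Return (per-attribute bits, bits for the combined fingerprint).

    The browser must already be part of the population, as on Panopticlick,
    which adds each visitor to its database before scoring it.
    """
    per_attr = {
        attr: surprisal_bits(population, lambda b, a=attr: b[a])[browser[attr]]
        for attr in ATTRIBUTES
    }
    combined = surprisal_bits(population, fingerprint)[fingerprint(browser)]
    return per_attr, combined


if __name__ == "__main__":
    for b in (POPULATION[0], POPULATION[7]):
        per_attr, total = score_browser(POPULATION, b)
        print(f"{total:.2f} bits, one in {2 ** total:.0f} browsers:",
              {k: round(v, 2) for k, v in per_attr.items()})
```

Two things the output makes visible: the combined score can never exceed log2(N) (3 bits for a population of 8, i.e. “unique among these browsers”), and the per-attribute bits do not simply add up, because attributes such as user agent and canvas hash are correlated. A privacy setting that few people enable, like the Do Not Track flag here, makes a browser more identifiable, not less.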
Amateurs hack systems, professionals hack people.
This summary was written together by Tapani Tanskanen and Stefano Jeitziner.
Identity and Access Management expert with 10 years of experience in delivering IAM projects in various industries, with the motto “never forget the human and social factor!”.
Passionate about traveling, wine lover and self-described foodie :P.
Certified CIAM, CAS Management and Leadership, B.Sc. in IT/Telecom Engineering.
Certified CISSP®, CIAM, M.Sc. in Computer Science.
Published November 20, 2017 as “The Path to Next-Generation Security – Atos IAM & Cybersecurity Forum 2017”.