Welcome to Spearhead Networks

News

Software as a Service is Changing the Rules

Web security used to be simple: block offensive content and viruses, and everything else was an HR and management issue. Unfortunately, with Software as a Service (SaaS) being attractive to workers and business unit managers, IT and risk personnel now need to be as concerned about what is leaving the network through the web as about what is entering.

Web Now The Preferred Channel for Criminal Attacks

An added concern is that the web is now the preferred channel for criminals to conduct attacks, deliver malware and exfiltrate data. Web filtering is no longer the simple proxy-with-filtering it used to be. Aside from managing user access to the web, a strong web filtering solution should also:

  • Detect custom malware while assessing downloaded files quickly. End users will not tolerate a long wait while their file is sandboxed, so whitelists, file reputation, certificate checking and other ways of safely approving a file are needed to keep the end user experience acceptable.
  • Detect and manage Software as a Service usage, allowing IT and risk managers to see when a new SaaS application has been adopted without the permission or knowledge of IT staff. This can also be achieved with a separate cloud access security broker (CASB) that ingests logs from your existing proxy.
  • Detect and manage end user behavior. User Behavior Analytics (UBA) is a relatively new but increasingly important field: it watches users for unusual behavior that may indicate they have been compromised or are disgruntled. For example, a sales person who normally accesses only a dozen records a day, mostly his own, and suddenly starts accessing five records per second across all team members may be copying the database to take to a new employer, or may have had his account compromised.
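The salesperson scenario in the last bullet is, in detection terms, a rate-and-breadth anomaly against the user's own baseline. The following is an added example of that check, written for this page and not part of any Spearhead Networks product; the CRM access log, user names and thresholds are all constructed for illustration.

```python
"""Minimal User Behaviour Analytics check: flag a user whose record-access rate in
any short window is far above their own historical baseline AND whose accesses are
mostly other people's records. Added example; the log below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed CRM access log: (user, timestamp, record_id, record_owner)
BASELINE_DAY = [
    ("alice", datetime(2024, 3, 4, 9, 0) + timedelta(minutes=30 * i), f"r{i}", "alice")
    for i in range(12)                      # a dozen of her own records, spread over the day
]
BURST_DAY = [
    ("alice", datetime(2024, 3, 5, 23, 0) + timedelta(milliseconds=200 * i),
     f"t{i}", ("bob", "carol", "dan")[i % 3])
    for i in range(300)                     # five records/second, all colleagues' records
]
LOG = BASELINE_DAY + BURST_DAY


def find_anomalies(log, window_seconds=10, rate_multiplier=10, foreign_share=0.5):
    """Return one alert per user whose access count in a sliding window exceeds
    rate_multiplier times their baseline for that window (baseline = mean records/day
    on OTHER days, scaled to the window, floored at 1) and whose accesses in that
    window are at least foreign_share records they do not own."""
    by_user = defaultdict(list)
    for entry in sorted(log, key=lambda e: e[1]):
        by_user[entry[0]].append(entry)

    window = timedelta(seconds=window_seconds)
    alerts = []
    for user, entries in by_user.items():
        per_day = defaultdict(int)
        for _, ts, _, _ in entries:
            per_day[ts.date()] += 1

        start = 0
        for end, (_, ts, _, _) in enumerate(entries):
            while ts - entries[start][1] > window:    # slide the window's left edge
                start += 1
            in_window = entries[start:end + 1]
            other_days = [c for d, c in per_day.items() if d != ts.date()]
            if not other_days:                         # no history to compare against
                continue
            baseline = max(1.0, sum(other_days) / len(other_days) / 86400 * window_seconds)
            foreign = sum(1 for u, _, _, owner in in_window if owner != u) / len(in_window)
            if len(in_window) > rate_multiplier * baseline and foreign >= foreign_share:
                alerts.append({"user": user, "at": ts, "records_in_window": len(in_window),
                               "foreign_share": round(foreign, 2)})
                break                                  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(LOG):
        print(alert)
```

The baseline is per user rather than global, which is the point of UBA: five records per second is abnormal for this salesperson even if a reporting service does it all day. A user with no prior history produces no alert, so new accounts need a separate rule.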

As the lines between ‘internal network’ and ‘external network’ blur, web filtering and cloud access security brokers will become increasingly important. Maintaining control over your information can only be achieved by having a thorough and accurate understanding of how web applications are used by your staff.

Effective Digital Transformation Must Incorporate Security

Companies are increasingly seeking digital transformation to improve the customer experience and to cut costs. Self-service and increased communication through the web has allowed customers to take control over their own records and interactions with organizations. Unfortunately, it has also allowed criminals to take the same control.

Using the web to interact with your customers means that criminals can pose as your customers as well. This lets them extract private information, including payment card details, and issue instructions with the authority of your customer. A common but rarely reported example is an order for high-value goods placed from a legitimate customer’s account and shipped to a criminal’s drop address.

Confidence in The Security of Your Web Applications is Critical

Confidence in the security of your web applications is critical to successful digital transformation, whether this is gaining permission from your board or CIO to digitize a process or convincing customers to adopt the newly digitized process.

This is true whether you’re selling through the web or you’re a council accepting development applications online.

Web Application Firewalls Are Required

Web application firewalls can provide this confidence, especially when the application has been developed specifically for you or is a customized version of off the shelf software. These types of applications are much more likely to have critical vulnerabilities such as SQL injection and cross site scripting, which may allow criminals to copy your entire database.

While penetration testing is a good control for detecting known vulnerabilities, your website may change frequently, and attackers’ methodologies certainly do. What is considered safe today may be vulnerable tomorrow.

How Web Application Firewalls Work

Web Application Firewalls (WAFs) can mitigate this issue in one of two ways: a negative security model that blacklists known attack patterns, or a positive security model that whitelists only the input the application is known to accept. Under a positive model, a new SQL injection flaw introduced by an application change is still protected, because an injection payload does not look like the expected input; traffic of a kind the WAF has never seen before is blocked for the same reason. A blacklist-only WAF, by contrast, catches only attacks that match its signatures, and a whitelist must be updated whenever the application legitimately changes. With either model kept current, the WAF becomes a stable guardian in a rapidly changing world.
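To make the difference between the two models concrete, here is an added toy illustration (written for this page, not a real WAF and not Spearhead Networks code). The endpoint path, the parameter schema and the three signatures are all invented for the example. It shows a payload that slips past the blacklist but is stopped by the allowlist, and the flip side: a legitimately added parameter the allowlist rejects until it is re-learned.

```python
"""Toy WAF: negative model (block known-bad patterns) versus positive model
(allow only parameters matching a learned per-endpoint schema). Added example;
signatures, endpoint and schema are illustrative, not production rules."""
import re

# Negative security model: a handful of illustrative SQL injection / XSS signatures
BLACKLIST = [
    re.compile(r"(?i)\bunion\b.*\bselect\b"),
    re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+"),
    re.compile(r"(?i)<script\b"),
]

# Positive security model: what the application is known to accept, per endpoint
ALLOWLIST = {
    "/api/customer": {
        "id": re.compile(r"\d{1,9}"),             # numeric customer id only
        "sort": re.compile(r"name|created"),      # one of two sort keys
    },
}


def negative_model(path, params):
    """Return a block reason if any parameter value matches a known-bad signature."""
    for value in params.values():
        for pattern in BLACKLIST:
            if pattern.search(value):
                return f"blocked: matches signature {pattern.pattern!r}"
    return None


def positive_model(path, params):
    """Return a block reason unless every parameter is expected and well-formed."""
    schema = ALLOWLIST.get(path)
    if schema is None:
        return f"blocked: unknown endpoint {path}"
    for name, value in params.items():
        if name not in schema:
            return f"blocked: unexpected parameter {name!r}"
        if not schema[name].fullmatch(value):
            return f"blocked: {name!r} does not match the learned format"
    return None


def evaluate(path, params):
    """Run both models; None means the request would be allowed by that model."""
    return {"negative": negative_model(path, params),
            "positive": positive_model(path, params)}


if __name__ == "__main__":
    cases = [
        ("/api/customer", {"id": "42", "sort": "name"}),                       # legitimate
        ("/api/customer", {"id": "1 UNION SELECT password FROM users"}),       # classic injection
        ("/api/customer", {"id": "1;WAITFOR DELAY '0:0:5'--"}),                # not in the blacklist
        ("/api/customer", {"id": "42", "debug": "1"}),                         # new app parameter
    ]
    for path, params in cases:
        print(params, "->", evaluate(path, params))
```

The time-based injection in the third case is exactly the "new attack the WAF has never seen" from the paragraph above: the signature list misses it, the schema catches it. The fourth case is the operational cost of the positive model: a developer adding a `debug` parameter will be blocked until the allowlist is updated, so a positive-model WAF has to be part of the release process rather than bolted on afterwards.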

If you are about to implement digital transformation for your organization, or thinking about it, contact SpearHead Networks to see how we can help you secure and accelerate your transition.

According to the Symantec 2017 Internet Security Threat Report, email is back to being the weapon of choice for criminals. One in 131 emails now directly contains malware, the highest rate since 2012. This statistic excludes emails that contain links to malware distribution and phishing sites, and executive phishing (CEO fraud) scams.

Today, Email Security Requires Sophisticated Approaches

Email security is no longer as simple as filtering for known malware and blacklisting spam relays. Criminals are now releasing malware variants every three hours and with higher payouts from crime, they can afford to keep buying and burning clean IP addresses to send out phishing scams.

With executive phishing netting millions of dollars, smart criminals can afford to invest more individual attention and money as well as keep persisting to get their attacks through.

For example, in a campaign boasted about on the dark web, a criminal convinced a CFO to transfer a large sum of money to the criminal’s account. It took some work: researching the CEO and CFO, reconstructing company newsletters, adding new rules to the CEO’s mailbox, and finally sending the CFO emails containing a hidden string in white text, demanding an urgent money transfer.

A sophisticated and highly targeted attack like this won’t be detected by a traditional email security gateway; however, a modern email security gateway can detect this level of criminal behavior.

To cope with modern threats, an email security solution should be able to:

  • Filter known viruses and spam
  • Sandbox all attachments with customizable software versions and anti-sandbox-detection capabilities
  • Detect forged ‘from’ addresses, using SPF or similar technologies
  • Rewrite URLs to prevent criminals changing content at ‘click time’.
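The ‘forged from address’ check in the list above is worth seeing in code, because what SPF actually verifies is narrower than people expect. Below is an added example for this page (not gateway vendor code and not Spearhead Networks code) of a simplified SPF evaluator covering the `ip4`, `ip6`, `include` and `all` mechanisms with their qualifiers, run against an in-memory DNS table so it works offline. The domains, IP addresses and TXT records are constructed; a real gateway resolves them with DNS and supports the remaining mechanisms (`a`, `mx`, `exists`, `redirect`).

```python
"""Simplified SPF (RFC 7208 subset) evaluation against constructed DNS TXT records.
Added example: shows what an email gateway decides from SPF, and that the check
covers the envelope sender (MAIL FROM) domain, not the From: header the user sees."""
import ipaddress

# Constructed TXT records standing in for live DNS lookups
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "attacker.example": "v=spf1 +all",          # attacker-controlled domain: anything passes
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, depth=0):
    """Evaluate domain's SPF record for the connecting IP.
    Returns one of pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                               # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        if mechanism == "all":
            return QUALIFIERS[qualifier]
        if mechanism in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            # include matches only when the included domain itself yields "pass"
            if check_spf(arg, client_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"                   # mechanism not implemented in this example
    return "neutral"                             # record ended without an "all" term


def gateway_verdict(envelope_from, header_from, client_ip):
    """What a gateway can conclude: the SPF result for the envelope domain, plus
    whether the envelope domain matches the visible From: domain (the alignment
    check DMARC adds on top of SPF)."""
    env_domain = envelope_from.rsplit("@", 1)[-1].lower()
    hdr_domain = header_from.rsplit("@", 1)[-1].lower()
    return {"spf": check_spf(env_domain, client_ip), "aligned": env_domain == hdr_domain}


if __name__ == "__main__":
    print(gateway_verdict("ceo@example.com", "ceo@example.com", "203.0.113.7"))
    print(gateway_verdict("bounce@attacker.example", "ceo@example.com", "192.0.2.1"))
```

The second call in the demo is the practitioner's caveat: the message shows `ceo@example.com` in the From: header, yet SPF passes because the envelope sender is the attacker's own domain. A gateway that only checks SPF will accept it; detecting the forgery needs the alignment check as well, which is why the list says "SPF or similar technologies" rather than SPF alone.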

Exceptional solutions should:

  • Use global threat intelligence solutions to improve detection rates
  • Include forensic capabilities such as reporting all users who have received the same email
  • Rebuild documents into fresh, safe templates removing malformed structures and malicious code.

Access SpearHead Networks’ Sophisticated Measures

Your organization can no longer afford an email security gateway that only blocks nuisances; it needs to block highly motivated, skilled and funded criminals.
This is where SpearHead Networks can help.

If your applications are delivered with vulnerabilities attached – it won’t matter how good your network security is. This is true whether they’re hosted on-premise or in the cloud.

While patching will resolve the majority of vulnerabilities found on your network, others, such as careless administration and use of IT equipment, can have a bigger impact. These need to be managed as much as, if not more than, patches.

Examples of non-patch related vulnerabilities include:

  • A new printer is installed without changing the default password. The printer caches printed documents, with the last 100 documents printed available to anyone on the network.
  • A web developer turns on the HTTP ‘TRACE’ method on a production website to debug a problem and forgets to turn it off. TRACE echoes the request back to the client, so an attacker who can run script in a visitor’s browser (for example through a cross site scripting flaw) can use ‘Cross Site Tracing’ to read request headers such as cookies and Authorization values that script normally cannot see.
  • A user installs a piece of software with a lightweight database in the backend. The database has a well-known default SA password and supports passing shell commands through to the operating system. This creates a back door into your domain.

These types of events occur too frequently to be detected by an annual penetration test. Periodic vulnerability management, at anything from daily to quarterly intervals, is an excellent measure to ensure your network doesn’t fall into an insecure state between penetration tests.

If you can’t say for certain that “all vulnerabilities in my environment create only minimal and tolerable risks”, contact SpearHead Networks and find out what the true risk of your vulnerabilities actually is.

While you may be moving to the cloud to better serve information and services to customers, partners and employees, anywhere, anytime, and on any device, there are situations where you need to secure the following:

  • Legacy applications that have no cloud equivalent yet
  • Information too sensitive to be trusted in the cloud
  • Applications held in-house because of migration difficulties

These applications can still be delivered as a cloud-like service, accessible anywhere from any browser, using secure application delivery. The most basic option is the Secure Sockets Layer (SSL) Virtual Private Network (VPN), but more advanced application delivery methods can be used.

For Full Network Connectivity Use SSL VPN

Where full network connectivity is desired, or all the applications are web based, an SSL VPN is recommended. An SSL VPN allows any authorized user to connect to the corporate network with any web browser, from any network.
However, an SSL VPN is not appropriate when organizations need to deliver thick applications.

For Thick Applications Use Security Application Delivery

For thick applications, we recommend Secure Application Delivery. These appliances run the application on-premise in virtual machines, so sensitive data never leaves the corporate network and the application remains quick and secure. Attackers on a compromised device can’t tunnel back into the corporate network as they could over a VPN.

Secure Application Delivery is one of the most popular methods to give your staff and partners cloud-like flexibility and convenience while maintaining on-premise levels of security. If you’re looking to achieve this kind of end user experience, contact SpearHead Networks to discuss your requirements.

Your infrastructure creates a lot of logs. Hidden inside these logs can be evidence of wrongdoing – be it external criminals or employees planning or committing fraud.

How do you extract evidence of illegal behavior when it’s buried and concealed within millions, if not billions of records of perfectly legitimate business activity?

How To Effectively Sift Through Buried Wrongdoing

There are a number of ways to sift through data to ascertain security exposure: Security Information and Event Management (SIEM), a Security Operations Centre (SOC) and Threat Hunting are all variations of the same concept, namely a process for storing logs and other forensic evidence, setting aside the good and investigating only the bad. Knowing which one is right for you depends on how your evidence is generated and what your tolerance for breaches is.

Using SIEM For Basic Security Control

A SIEM is mostly an automated log solution with out-of-the-box and customizable correlation rules. Out of the box, the rules don’t take into account your risks, the value of your assets or how your business processes work, but they can make some fairly good assumptions about what hacking activity looks like.

A SIEM, for example, can detect when an account has had multiple failed log-ins followed by a successful login. It can then record the activity of the user after that login, ready for a security analyst to determine whether someone forgot his or her password or the account was ‘brute forced’.
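The correlation rule just described, as an added example written for this page (it is not the rule syntax of any particular SIEM product and not Spearhead Networks code). The log lines, user names and source addresses are constructed; the field layout `key=value` is an assumption standing in for whatever your authentication system emits.

```python
"""SIEM-style correlation: N failed logins for one account inside a window,
followed by a success, raises an alert that carries the account's post-login
activity for the analyst. Added example over constructed log lines."""
import re
from datetime import datetime, timedelta

# Constructed auth and activity log (not real data)
LOG_LINES = """\
2024-03-05T02:14:01 auth user=jsmith src=198.51.100.23 result=FAIL
2024-03-05T02:14:03 auth user=jsmith src=198.51.100.23 result=FAIL
2024-03-05T02:14:04 auth user=jsmith src=198.51.100.23 result=FAIL
2024-03-05T02:14:06 auth user=jsmith src=198.51.100.23 result=FAIL
2024-03-05T02:14:09 auth user=jsmith src=198.51.100.23 result=FAIL
2024-03-05T02:14:11 auth user=jsmith src=198.51.100.23 result=SUCCESS
2024-03-05T02:14:40 activity user=jsmith action=read_mailbox target=cfo
2024-03-05T02:15:02 activity user=jsmith action=create_rule target=forward_external
2024-03-05T08:30:00 auth user=amy src=10.0.0.5 result=FAIL
2024-03-05T08:30:20 auth user=amy src=10.0.0.5 result=SUCCESS
2024-03-05T08:31:00 activity user=amy action=open_doc target=q1-plan
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>auth|activity) (?P<kv>.*)$")


def parse(text):
    """Turn each log line into a dict of fields; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(pair.split("=", 1) for pair in m["kv"].split())
        fields["ts"] = datetime.fromisoformat(m["ts"])
        fields["kind"] = m["kind"]
        events.append(fields)
    return events


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=5),
                             follow=timedelta(minutes=30)):
    """Alert when an account accumulates >= threshold failures within `window`
    and then logs in successfully; attach its activity in the next `follow` period."""
    alerts = []
    failures = {}                                   # user -> failure timestamps in window
    for ev in events:
        if ev["kind"] != "auth":
            continue
        user = ev["user"]
        recent = [t for t in failures.get(user, []) if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
            failures[user] = recent
        elif ev["result"] == "SUCCESS":
            if len(recent) >= threshold:
                after = [e for e in events
                         if e["kind"] == "activity" and e["user"] == user
                         and ev["ts"] < e["ts"] <= ev["ts"] + follow]
                alerts.append({"user": user, "src": ev["src"], "failures": len(recent),
                               "login": ev["ts"],
                               "post_login": [(e["action"], e["target"]) for e in after]})
            failures[user] = []                     # a success resets the counter
    return alerts


if __name__ == "__main__":
    for alert in brute_force_then_success(parse(LOG_LINES)):
        print(alert)
```

In the constructed data `amy` mistypes her password once and is not flagged, while `jsmith` trips the rule and the alert already shows the analyst what matters: an external source address, a read of the CFO's mailbox and a new forwarding rule, which is the pattern from the CFO fraud story earlier on this page rather than a forgotten password.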

Use SOC To Maximize Security Control

A SOC goes further, providing real-time response to events. Rather than just logging and correlating all activity after a successful login, the SOC operator can decide the most reasonable course of action: call the employee, lock the account, or watch the account activity in real time.

Use Threat Hunting to Weed Out Highly Sophisticated Attacks

Threat Hunting uses the same infrastructure but takes it further again. After the SIEM has missed a relevant event or a SOC operator has dismissed an event as benign, threat hunting looks for patterns of behaviors that may indicate a compromise. Was an admin account created through a command prompt? That’s not common. Is a computer visiting a blank website every 60 seconds? That’s more likely a remote access Trojan phoning home than a user with precise timing.
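The ‘blank website every 60 seconds’ pattern is a beaconing hunt: many requests from one host to one destination at near-constant intervals with tiny responses, which human browsing never produces. Here is an added example of that hunt over proxy logs, written for this page and not part of any product or of Spearhead Networks’ material; the log entries, addresses and thresholds are constructed.

```python
"""Beacon hunting over proxy logs: a remote access Trojan polling its controller
produces many requests to one host at a near-constant interval with tiny responses.
Added example; the log below is constructed, not captured traffic."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def constructed_proxy_log():
    """(src_ip, timestamp, url, response_bytes) tuples. 10.0.0.7 polls an otherwise
    blank page every 60 s with slight jitter; the other two hosts browse normally."""
    base = datetime(2024, 3, 5, 9, 0, 0)
    log = []
    for i in range(30):                                   # beacon: 60 s plus 0-2 s jitter
        log.append(("10.0.0.7", base + timedelta(seconds=60 * i + i % 3),
                    "http://203.0.113.9/", 120))
    browsing = [(0, "https://news.example/", 48211), (7, "https://news.example/a", 3012),
                (340, "https://mail.example/", 80120), (345, "https://mail.example/inbox", 12007),
                (1900, "https://docs.example/", 22000)]
    for off, url, size in browsing:
        log.append(("10.0.0.8", base + timedelta(seconds=off), url, size))
    reloads = [0, 5, 90, 95, 400, 402, 1000, 1700, 1702, 2600, 2650, 3300]
    for off in reloads:                                   # many hits, but irregular and large
        log.append(("10.0.0.9", base + timedelta(seconds=off), "https://docs.example/plan", 31000))
    return log


def find_beacons(entries, min_hits=10, max_cv=0.1, max_bytes=512):
    """Group requests by (source, destination host). Flag groups with at least
    min_hits requests whose inter-request gaps have a coefficient of variation
    (stdev / mean) of at most max_cv and whose mean response size is at most
    max_bytes. Returns one summary dict per suspected beacon."""
    groups = defaultdict(list)
    for src, ts, url, resp_bytes in entries:
        host = url.split("/")[2]
        groups[(src, host)].append((ts, resp_bytes))

    suspects = []
    for (src, host), recs in groups.items():
        if len(recs) < min_hits:
            continue
        recs.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")   # jitter relative to period
        avg_bytes = mean(r[1] for r in recs)
        if cv <= max_cv and avg_bytes <= max_bytes:
            suspects.append({"src": src, "host": host, "hits": len(recs),
                             "period_s": round(period), "jitter_cv": round(cv, 3)})
    return suspects


if __name__ == "__main__":
    for suspect in find_beacons(constructed_proxy_log()):
        print(suspect)
```

Real implants add random jitter and vary their sleep, so in practice the jitter threshold is tuned per environment and the response-size and hit-count conditions do most of the work; the point of the hunt is that none of these three signals is an alert on its own, which is why the SIEM rules above would have let it through.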

Choosing the right security control depends on the following:

  • A SIEM is a great way to boost your preventative security controls. It’s for your organization if you are only expecting general and untargeted threats, and you’re unlikely to suffer catastrophic losses should a threat slip through. Setup costs tend to be reasonable, and ongoing operational efforts are minimal.
  • A SOC is a bigger investment if you store sensitive information. If a criminal is extracting your entire credit card database on Friday night, you will not want to wait until Monday morning to act. Running a 24 x 7 SOC can be expensive if you do it in-house. However, you can outsource these services to gain substantial economies of scale.
  • Threat hunting is for your organization if you’re at serious risk of being targeted by persistent attackers. For example, criminals wanting to sell fake but verifiable degrees may compromise a university registrar. The criminal is more interested in inserting falsified records than extracting information, and to keep doing so needs ongoing access, which is exactly the kind of quiet, long-lived presence threat hunting is designed to find. Organizations that expect stealthy, persistent attacks, such as banks and governments, are also ideal users of threat hunting.

 

Ask an Expert For Help

The forensic review of security information, whether through a SIEM, SOC or threat hunt, provides valuable intelligence on how well your preventative security controls are coping with contemporary threat landscapes. If you feel you aren’t getting the most out of your current preventative security controls, contact SpearHead Networks to help you deliver the appropriate level of information security assurance.

Next-Generation (NGFW) or Unified Threat Management (UTM) firewalls form the core of most security architectures. Whether the firewalls are designed to create a simple trusted-versus-untrusted zone model or to implement micro-segmentation, firewalls are still the primary security control that limits attackers reaching and compromising your valued information assets.

Firewalls Should Provide A Sophisticated Protection Layer

Firewalls must provide more than basic protection and should understand traffic at a protocol and business-use level. To proactively block persistent attackers and manage bandwidth and traffic prioritization, firewalls should integrate with, and enhance authentication systems and be able to integrate with intrusion prevention systems.

A good security strategy should include the use of firewalls and their Next Generation features to discern, detect, prevent and remedy security vulnerabilities.

With organizational data scattered everywhere from on-premise networks, across the cloud to mobile devices, a firewall needs to do far more than create a Trusted and Untrusted network zone and then pass traffic between the two.

Firewalls need to integrate with your IT strategy by:

  • Presenting on-premise applications to the Internet and giving your users secure corporate access to any authorized applications, from any device, anywhere, any time.
  • Providing visibility to how cloud services are being used (authorized and unauthorized) by tracking use of Software as a Service.
  • Taking advantage of global threat intelligence feeds to stop attackers before they even scan your network.
  • Defending your applications by blocking attempts to exploit known vulnerabilities.

Maximize Next Generation Firewalls

Trying to implement these features as technical projects without integrating them into a security or IT strategy can lead to ineffective policies and practices.

Make the Most of Your Firewalls with SpearHead Networks

As a full-service security consulting firm, we can help you integrate your next generation firewall with other security controls and align the policies with your business objectives.

Whether you need an audit or a health check to ensure your current system is meeting your organization’s security goals, or you want a full overhaul and redesign of your firewalls, SpearHead Networks can help you make the most of your firewalls.

With multiple business stakeholders, how do you create a sustainable way to control access to your network?

The concept of a network perimeter is becoming less relevant in a corporate environment. As employees demand the right to bring their own devices into the network, as well as IoT devices demanding network and internet access, the organization is losing control of what is part of the ‘trusted’ network.

Careful – You Can Be Hacked On Trusted Devices

Traditional hacking methods involved breaking through a corporate firewall. This led to a mentality in which trusted employees using trusted devices were subject to very few security controls, while everyone on other networks was subject to heavy scrutiny. It wasn’t long before hackers found it easier to take over a trusted device to bypass that scrutiny. It’s no longer enough to assume that a trusted staff member is the only one using a device on your network.

Trusted Devices Need Better Scrutiny and Control

When a device joins a corporate network, you need to know that the device is authorized to join it, has a level of security that is compliant with security policies, and is not infected with malware or remote-control Trojans. Network access control assists this process by profiling and querying new devices. It performs security checks to ensure that the device is correctly patched and is running up-to-date malware protection and other security controls. Until a device is proven to be compliant, its ability to communicate on the network is severely curtailed.

Managing BYOD Proliferation is Easy With SpearHead Networks

Providing support to users used to be a heavy commitment with network access control. Helping users who were not compliant with the security policy to remediate the non-compliance and restore connectivity was a substantial operational task. However, modern network admission control solutions integrate with a huge array of infrastructure, simplifying the assessment and management process. By querying authentication sources, anti-malware solutions, vulnerability scanners and other sources of information, many decisions and actions can be automated without human interaction.

SpearHead Networks can assist you in controlling a sprawling BYOD or IoT environment. Our experience will ensure your organization builds a network access control system that is largely invisible to most users, and user-friendly when self-remediation actions need to be taken on the rare occasion.

Intrusion Detection and Prevention Systems (IDP) can be a very effective way of blocking inbound hacking, especially when they feed into a Security Information and Event Management (SIEM) system or Security Operations Centre (SOC) to provide patterns of behavior. Current IDPs are much more advanced than early models, which were simple pattern-matching engines run against packets. The simplicity of the early generations resulted in low performance, false alarms, and difficulty using the local security intelligence generated by the IDP.

Block IPs of Hackers Before They Start Scanning

Modern IDPs act more like virtual patching systems. When configured correctly, they are able to understand the vulnerability of the services they are protecting, and selectively apply blocking to malicious traffic. Some modern IDPs can also ingest real time global threat intelligence, so that organizations can benefit from a worldwide network of intrusion detection sensors, allowing organizations to block the IPs of hackers before they even start scanning.

IDPs can generate a rich feed of local threat intelligence for use in a SIEM or a SOC. Attackers follow a predictable ‘Cyber Kill Chain’ of identifying assets, scanning for vulnerabilities and then attempting to exploit them. This early warning can tell us a lot about an attacker and what they’re interested in. When a high level of confidence that the traffic is not legitimate has been reached, the IDP, the SIEM or a SOC operator can automatically or manually adjust firewall rules to block the attacker.

IDPs Provide Effective Security Controls

IDPs can also be an effective security control against internal attacks by disgruntled staff or attackers who have internal access through compromised credentials or remote-controlled end user devices – see diagram below. Monitoring inter-VLAN traffic internally can give early warnings and ability to block stealthy attacks and self-propagating malware such as WannaCry and Petya.

Integrate IDP Into Your Security Strategy

To get the most out of your IDP, it needs to be integrated into a security strategy. You need to understand which risk scenarios to respond to, or face an overwhelming volume of alerts. You also need to determine how local and global threat intelligence can be used to aid decision-making, whether to confirm an attack or dismiss it as a false alarm. Once an intrusion has been confirmed, the IDP plays a critical role in the response, whether this is scripted through its API or carried out by a security operator.

SpearHead Networks can help you design an IDP that integrates with your existing infrastructure, or uplift your existing capability. Whether you currently don’t have an IDP, have one that is just there to tick compliance boxes, or are struggling to maintain it, SpearHead Networks can help you simplify the process and get optimal value from it.

Why is Identity and Access Management Important?

The average person regularly uses passwords to 27 systems. Within an organization, they also change roles multiple times while abandoning applications they no longer need. Sometimes they leave and there may be some accounts not disabled. Before long, an organization has lost visibility of the access they are granting, and the ‘principle of least privilege’ is a distant dream.

Simple, Integrated Sign-on for Increased Security

Identity management software can go a long way to solving this issue. Integrating single sign-on (or same sign-on) across multiple applications and systems simplifies granting and retiring access when an employee starts, moves roles, or leaves the organization. Just taking care of identity management will make your IT department’s role easier and improve your employees’ experience while increasing security.

For organizations with higher security requirements, more granular controls may be appropriate. This is where the access management and identity governance parts become relevant.

 

Manage Risk When Giving Access to Your Enterprise Applications

While identity management confirms to applications that an authorized person is logging in, access management controls what that identity is permitted to do. For example, a sales person, once identified, is permitted to log into the company CRM, but are they permitted to access only their own customers’ information, or every customer’s information? Are they permitted to access a single record at a time, or the entire database in one go?

Minimize Employee Fraud and Protect Your Company’s IP

This is where policy-based decisions require identity governance. SpearHead Networks can help your business information owners understand the risks of providing access to an application and of granting privileges within it. We can also guide you on employee fraud and how to use identity and access management systems to prevent and detect it.

Chances are you have unused active accounts as well as privilege creep with active employees. If so, we can perform initial discovery audits to help you understand the magnitude of the problem. We can also provide consulting on what type of identity and access management system is right for you.

Talk to us about Vulnerability Management Today

We’re also experts in Network Security Training and Awareness