You need to know

I spend my days trying to share knowledge and insight around the subject of detection. Most of the world’s efforts in cyber security is about prevention, but if you have been breached, then you want to know it, and ASAP. So detect and notify.

When it comes to cyber security there is no silver bullet. It is like looking after your personal health. There is no once off treatment that will make sure you stay in good shape forever. Even if we do everything right, there is still no guarantee that something will surprise us, when we least expect it.

I am currently considering taking one of those Scan For Life procedures, just to check that all is ok. I would rather detect early on that something is wrong, then one day get caught off guard, and be in real trouble.

Detection technology is there as a proactive measure, to tell us if our other defenses have been compromised or bypassed.

Hacking is on the rise, and this problem is not ever going to stop. Like taking care of your body, and your health, it requires constant work to stay in good shape. With detection measures in places, we can try and figure out early on that there are cracks in our armor, and this will allow us to try save the day.

A smoke detector is a good example of a proactive measure that we are all familiar with. Just look up at the ceiling in your office, and the chances are you will see a smoke detector. If one of these detectors triggers an alarm, it means we can save people’s lives, our work, and the building. Smoke detectors sit there quietly, but if they ever do make a noise, then it means we need to act.

The space that I am active in is called “Deception Technology”. There are many different products in this domain, and they all aim to detect if your network has been breached. If there is a threat you need to know about it right away.

It is a simple idea, and it has a very important function. The problem it is addressing is fundamental: is there unsanctioned movement on your network? Are there intruders moving laterally on your infrastructure, looking for your assets? If so, you want an alert (an indication of something suspicious). You need to know.

It seems like a no brainer. Who would you say no. Especially when you consider the price of some of these technologies – they are generally affordable and simple to deploy. But, one of the big pushbacks I have heard enough times is this, “We are not ready. We won’t know what to do if we get an alert.”

I explain to people, every day, that in most cases, you will able to disconnect that computer or network segment, and breathe easier. If you are alerted to an intrusion then most of the time, the remedy is simple. Of course, if you discover that the rabbit hole is deep, then it may require some forensic investigation. The point is, if your health was threatened, in some way, you want to know about it. If you go for a scan or a blood test, and you get a warning, then at least you know. Sure, you may not know what to when receiving that news, but like the smoke detector going off, you know you need to do something. In this case, call the fire department.

What I can’t seem to understand is how people often push this aside and say “We will wait, we are not ready to deal with this.” But, again, surely you want to know right away. Find out and then you can deal with it. In the worst case, call me – I will find someone who can try and help you. But to not know seems like a strange outcome to accept and rationalize.

If your IT infrastructure or your physical health is compromised, you want to know. I can’t understand how people would not want to know. Not knowing would just would be irresponsible, in my view.

Here is another example that anyone who drives a car should relate to. If you go to fill up your car at the petrol station and someone points out that your tires look smooth and may need to be changed, then yes, you may not change then right away, but at least you now know, and you can drive a bit slower and be more careful on the road. And yes, if your tires are smooth you should change them. But to not know, or not want to know, is dangerous.

The heat is on

We all know what a car is. Chances are, if you are reading this, then you drive a car. We all should therefore know what an engine temperate gauge is. Of course we do. It is an early warning system.

I have had a car engine overheat twice in in the past 30 years. The first time when I was a student, on the way to Sun City, and it resulted in the engine having to be overhauled – it was not a cheap exercise.  Luckily, I won at the black jack table, and managed to pay for the engine to be repaired with my winnings. The second time I had an engine getting hot was a few years ago, and I pulled over, called for a tow truck, and skipped a big headache.

If your engine is overheating then is it too late? Depends … if you are alerted when the gauge starts to rise, then you can save the engine. But if you never know then it will probably end with the engine seizing. These days, modern cars will have warning lights that come on when the engine overheats. With my first car, we saw smoke coming out of the engine – we never noticed the needle starting to rise, and there were no warning lights back then.

If your car engine is getting hot you want to know about it. The last thing you want is for the thing to seize or explode. And likewise, if your computer network is heating up, you want to know about it. An early warning can save you from a disaster – know before it is too late.

In short: when the heat is on, be in the know. Don’t overheat or you may never recover.

A car is something we all are familiar with. A computer network not as much. Sure, we all know that the ultimate computer network, the Internet, is the infrastructure that allows you to read this article, catch an Uber, check into a flight, communicate with people around the globe, etc. But most folk don’t know how any of this works, and shouldn’t have to.

The IT folk that are maintaining and building this infrastructure should know, but when it comes to cyber security, it is often overwhelming to try understand where all the different products and services fit in. That is my experience dealing with corporates these past 2 years here in SA, and in other countries on the continent. We have a serious skills shortage.

Everyone knows that a firewall is fundamental, but what if wrong-doers bypass the firewall (it happens constantly) because of phishing attacks, illegal modems, un-checked USB drives, and the most simplest and cheekiest, a criminal just strolling into your office campus, charming their way past the front desk, walking into a meeting room, ordering coffee noggal, and then finding a LAN point and plugging in their laptop.

We need early warning systems. Notification devices that tell us if something is not right. Protection is one thing, but detection could save your ass.

The recent breach scenario at Liberty Life is not something you want happening to you. So, be proactive and deploy early warning systems. Lay down network traps. Honeypots can go a long way to making sure your engine never seizes.

Click here to learn more about a honeypot : https://vimeo.com/237585905

Visibility | Skills | Context | Agility

The risk of cyber attacks is growing constantly and this is something corporations around the world are coming to grips with. One major challenge is that most organizations do not have the ability to quantify this risk.

This is one of the reasons that so many companies have a blinkered approach of “nothing has happened, everything is running, so we are okay”.”

It has been said that there are three types of organisations out there:

  • Those that have already been breached and don’t know about it (my research suggest that these are in the majority).
  • Those that have been breached and have some idea of the scope and consequences and will be counting the costs for years to come.
  • Those that will be breached.

All companies are challenged by the following :

  • Visibility

Having an accurate view on their security posture on an on-going basis. This includes a view on their compliance requirements (ISO, PCi, POPIA etc.) and how their people, process and technology decisions are enabling them to meet their compliance, legislative commitments, etc.

  • Skills

The lack of specialist skills to ensure they extract full value from their technology investments and also that these technology investments are doing what they should to assist in adherence to compliance requirements.

There are never enough truly specialised skills available, so one or two generalists land up having to do everything – this is quite commonplace and it is fertile ground for the bad guys.

We are human and cannot function 24x7x365 – the bad guys on the other hand never seem to stop.

We cannot digest and interpret the huge volumes of information from multiple sources to detect the “blip in the radar” that indicates something is afoot.

  • Context

Extracting actionable security insights from all the content flowing across the network, in time to make decisions that will stop incidents or at least limit the impact.

  • Agility  (Responsiveness)

The ability to detect cyber security incidents (incidents of attack and incidents of compromise) and the people and process to implement possible decisions made as a result of contextual insights.