The new reality for Canadian businesses

The Personal Information Protection and Electronic Documents Act or PIPEDA applies to the collection, use or disclosure of personal information by every Canadian organization in the course of a commercial activity.

The Office of the Privacy Commissioner of Canada introduced new data breach reporting requirements that came into effect on November 1, 2018. According to Commissioner Daniel Therrien, the requirement was introduced because of “the number and frequency of significant data breaches over the past few years”, and “mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information.”

The reporting requirement works in conjunction with the Privacy Act for the federal sector and the Personal Information Protection and Electronic Documents Act (PIPEDA) for the private sector.

This new requirement applies to all businesses within Canada and to any organization that collects the personal information of Canadians.
With this new requirement, organizations must:

  • Report to the Privacy Commissioner’s office any breach of security safeguards where it creates a “real risk of significant harm;”
  • Notify individuals affected by a breach of security safeguards where there is a real risk of significant harm;
  • Keep records of all breaches of security safeguards that affect the personal information under their control; and
  • Keep those records for two years.

Significant harm, for the purpose of the “real risk of significant harm” test, includes humiliation, damage to reputation or relationships, and identity theft.

While the requirement refers to the reporting of a data breach, it also highlights the need for every organization to improve its security posture so that the likelihood of a breach is minimized. There are numerous traditional security tools designed to protect the network, such as firewalls and endpoint protection; however, given the number of breaches that have occurred, it is evident that they are not enough – organizations need to be proactive and vigilant. This requires a tool designed to review all activity within the organization and to compare that activity from day to day, such as a SIEM or analytics tool.

Where Snare Comes In

The Snare Product Suite by Prophecy has been designed to provide clear, concise and accurate reporting of all activity within your network.

Snare Agents are feature-rich, reliable, lightweight logging agents that can be installed on Windows, Linux, Solaris and OSX, plus two agents for text-based logs and the MS SQL agent, and they send the events and activity on your devices in near-real time.

Snare Server provides data collection and reporting in real time, delivering the critical information required to monitor your organization’s network infrastructure. Additionally, it provides the ability to store and retrieve event data for historical review.

The Snare Analytics product provides organizations with a single pane of glass to review activity over time, check that systems are patched to prevent attacks through out-of-date software, and spot unusual activity and escalation or improper use of admin privileges, which allows you to identify and respond to a potential breach before it escalates.

Want to find out more about how the Snare Product Suite can assist? Call today for more information, book a one-on-one demonstration or request an evaluation.

State Governments manage and must protect a wide range of citizen information from cyber security threats, including credit card records, personal health information, employment records, revenue and tax information and election systems. With much of this information available online, State Departments and Agencies are a primary target for cyber-thieves. A 2017 cybersecurity report compiled by Verizon found that public-sector entities were the third-most common breach victims, behind financial and health care organizations.

Based on the number and severity of past cyber security breaches, States are keenly aware of the risk and have taken, or are taking, action to secure their networks and databases. According to a 2018 NASCIO Report – State CIO Top Ten Policy and Technology Priorities for 2018, security and risk management is the number one priority of State CIOs. While State Governments have acknowledged the security threat, different States are addressing the threat in different ways.

The Challenges: In addition to the increase in cyber security threats, States are challenged by limited budgets and competition for information security human resources. State Executives must determine how to protect not only State-level networks and information systems, but the dozens of State Agencies that they oversee. While it is not cost effective for every State Agency to separately fund and manage its own information security systems and staff, State CIOs must determine what level of security services and support they can and should provide to their State Agencies.

Steps Taken: Over the past decade, State Legislatures have created state-wide Offices of Information Technology (OIT), and mandated the staffing of Chief Information Officers (CIO), and Chief Information Security Officers (CISO). A 2018 Deloitte-NASCIO Cybersecurity Study reported that all 50 states now have a statewide CISO or equivalent. Based on information sourced from 50 State Web Sites, 23 States now offer Managed Security Services, with the majority of States providing Security Governance, Compliance Audits and InfoSec Training and Consulting. The most frequently offered Managed Security Services are:

  • Security Information & Event Management (SIEM)
  • Incident Management and Response
  • Firewall, Proxy and VPN Services
  • Intrusion Detection/Prevention (IDS/IPS)
  • Vulnerability/Pen Testing
  • Encryption/SSL/TLS/Certificates
  • Malware, Spam & Virus Filtering
  • Forensic Investigations

Alternative Business Models:

In addition to staffing State CIOs and CISOs with specific duties and responsibilities, an increasing number of States are consolidating oversight and management of State Agency IT resources under a single statewide Office of Information Technology. But there are different business implementation models offered by different States.

Education & Governance (only) Model, where State CISOs establish, oversee and facilitate statewide security management programs to ensure government information is adequately protected. Examples of responsibilities of the CISO position under state laws include:

  • creating statewide security policies and IT standards,
  • requiring information security plans and annual assessments or reporting, and
  • requiring periodic security awareness training for employees

National Associations, including: NASCIO, National Conference of State Legislatures, National Association of State Chief Information Officers, and the Multi-State Information Sharing & Analysis Center, contribute significantly by identifying information security threats and best practices.

Brokerage Models differ depending on whether they are Sole Sourced or Multi-Vendor Sourced. The Texas Department of Information Resources (DIR), for example, contracted with AT&T to provide a comprehensive suite of Managed Security Services that give state agencies, local governments, school districts and other public entities access to resources to protect systems and data. Agencies can go to the DIR portal, identify the services they need and place an order for them.

An alternative model is to source a mix of security services from multiple vendors and coordinate the provision of these services to State Agencies. A 2018 NASCIO State CIO Survey showed 4 States already function as a broker of services, 5 see themselves migrating to primarily a broker of services and 16 see themselves offering some brokered services as well as providing services directly.

Managed Security Services: A number of States offer a range of managed security services to their State Agencies, most notably Idaho, Iowa, Kentucky, Louisiana, Missouri, New Jersey, Pennsylvania, Tennessee and Vermont. Business models vary, however, depending on whether information security resources (IT infrastructure, security systems and InfoSec staff) are fully centralized, or whether infrastructure is centralized while InfoSec staff are distributed, reporting either to a centralized State OIT or to a specific Agency.

Security Solutions for State OITs:

State Offices of Information Technology must balance the need for information security with the availability of limited budgets and human resources, and with the security software and services available from vendors that support their particular business model. Snare by Prophecy International is a Vendor Partner to State OITs, with over a decade of providing syslog collection, filtering and forwarding for Security Information & Event Management (SIEM). Snare Security Solutions address the two primary challenges faced by State OIT organizations, offering cost-effective, easy-to-deploy and easy-to-use solutions. Snare’s Business Intelligence Platform, built on an Elastic index, combines and correlates syslog events with a host of IT sources (ITSM, patch and backup histories) and third-party security sources (STIX malware threats, firewalls, DNS, IDS/IPS) for threat-hunting forensics. It includes a prebuilt KPI monitoring dashboard and a smart user interface, so users can build and share queries and reports through a multi-tenant on-premise or cloud platform. Offered as an opex subscription, Snare complements any State’s primary SIEM platform, integrating with Active Directory and supporting Single Sign-On.

View a pre-recorded demonstration of Snare Business Intelligence Dashboard by our Chief Product Officer here. To learn how Snare leverages Splunk, QRadar or another SIEM platform, go here.

In previous blogs, I’ve tongue-in-cheek (mostly) suggested our organisations would be a lot more protected from nefarious actors if we simply disconnected and went back to pen and paper. I may have also suggested that having employees makes enterprise security quite challenging. And Wi-Fi, visitors, BYOD, and IoT are also threat vectors: perhaps we should also get rid of them. Imagine the money we’d save.

OK, let’s assume you do need your internet connection, staff, and applications. How do we secure it all?

In earlier blogs, I’ve discussed a range of topics that look at different aspects of IT security and offered some thoughts on how best to go about building a secure and resilient organisation.

However, there’s a new kind of threat management technology emerging (we are one of the pioneers who invented it, so indulge me). It takes all of the feeds from small-footprint logging agents installed on every device and application in an organisation (think PCs, laptops, servers, and remote desktops) and intelligently profiles and flags areas of concern.

I’m not talking about SIEM here either in case you’re wondering. SIEM (security information and event management) collects the logs from our Snare agents and other syslog feeds from devices and applications, and then provides alerts and automatically remediates (in some instances) or identifies other security problems that need to be fixed.

You can see the hole. SIEM focuses on the data streams coming from the security apparatus but it doesn’t do a great job of building contextual insights from other data sources.

This is where threat intelligence comes into play.

A threat intelligence solution scans and collects everything that generates a log or provides intelligence on business operations.

It captures and secures log information coming from IT ticketing systems, configuration management databases (CMDB), change management systems, structured threat information expression (STIX) data feeds that provide intelligence about threat actors, LDAP sources, group policy, system and application patching information, and backup status, as well as the traditional logs from Windows domain controllers, servers, desktops, mobile devices, web servers, and syslog feeds from firewalls, routers, switches, IP phones, and wireless access points.

So, pretty much anything that can have a logging agent installed on it or provide a syslog feed.

Effective logging agents (like ours at Snare) even log when someone tries to wipe a log to cover their tracks. Every log entry ends up on a highly secure central log server in near real-time. Even if an attacker deletes device logs, the agent has already collected and forwarded them to the central system, so all of the malicious activity that took place before the logs were deleted was already captured and stored away from the system under attack.

Because the logs are kept secure on another system, away from the system under attack, we have a forensic record of what occurred. The threat intelligence system will generate an alert (either on the dashboard or sent to a recipient) and, when you compare the log records, the anomaly of missing device logs shows up as someone trying to cover their tracks. This information can then be correlated with other systems and user activity as part of the incident management process.
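The comparison described above, as an added example that is not Snare’s own code: the collector’s copy of a host’s events is checked against what the host’s local log contains now, and the result is a list of tamper indicators for the incident process. The line format, the per-host sequence number and the LOG_CLEARED marker are assumptions constructed for this example.

```python
from collections import defaultdict

# Constructed sample: events the central collector already holds for host ws01.
# Line format (assumed for this example): "<host> <seq> <ISO time> <message>",
# where <seq> is a per-host counter set by the forwarding agent.
CENTRAL_LOG = """\
ws01 1 2018-11-05T09:00:00 logon user=alice
ws01 2 2018-11-05T09:05:00 process start cmd.exe
ws01 3 2018-11-05T09:06:00 privilege assigned user=alice
ws01 4 2018-11-05T09:07:00 LOG_CLEARED by=alice
ws01 5 2018-11-05T09:08:00 logon user=alice
"""

# Constructed sample: the host's local log as read back after the wipe.
LOCAL_LOG_NOW = """\
ws01 4 2018-11-05T09:07:00 LOG_CLEARED by=alice
ws01 5 2018-11-05T09:08:00 logon user=alice
"""


def parse(text):
    """Map (host, seq) -> (time, message); malformed lines are skipped, not fatal."""
    events = {}
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) == 4 and parts[1].isdigit():
            events[(parts[0], int(parts[1]))] = (parts[2], parts[3])
    return events


def tamper_indicators(central_text, local_text):
    """Return (kind, host, detail) findings for the incident process.

    'cleared' : the agent itself reported the local log being wiped.
    'missing' : events the collector holds that the host no longer has.
    'seq_gap' : holes in a host's sequence in the central copy, i.e. events
                that never arrived (agent stopped, blocked or dropped).
    """
    central, local = parse(central_text), parse(local_text)
    findings = []
    for (host, seq), (when, msg) in sorted(central.items()):
        if "LOG_CLEARED" in msg:
            findings.append(("cleared", host, f"seq {seq} at {when}: {msg}"))
    missing, seen = defaultdict(list), defaultdict(set)
    for host, seq in central:
        seen[host].add(seq)
        if (host, seq) not in local:
            missing[host].append(seq)
    for host, seqs in missing.items():
        findings.append(("missing", host,
                         f"{len(seqs)} forwarded events absent locally: {sorted(seqs)}"))
    for host, seqs in seen.items():
        gaps = [s for s in range(min(seqs), max(seqs)) if s not in seqs]
        if gaps:
            findings.append(("seq_gap", host, f"never received: {gaps}"))
    return findings
```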

Once you have logs for everything, the challenge is making sense of that information. Until now, it’s been pretty difficult and often expensive.

Threat intelligence software helps to overcome that problem. It presents a cascading series of preformatted dashboards which provide visual alert cues to the health, or otherwise, of the network, devices, and applications generating logs.

The power of threat intelligence comes from two main areas:

  1. It collates vast amounts of log data into meaningful information. This information can be visualised on dashboards calibrated out of the box to highlight potential problems, using predefined key performance indicators (KPIs) to find potential security incidents. Regardless of what kind of application, system or device is generating the log, it can offer summary and detailed insights, drilling down to the raw data. Once baselines are established, you can customise further, perhaps desensitising certain alerts and filtering out other noise to reduce false positives. Or, you can increase sensitivity on systems or applications that have highly restricted access in certain security zones. Additionally, you can easily plug in new log sources at any time from other applications that provide better context of activity, or from devices such as the new vending machine in the hall which polls an internet connection once a day.
  2. Threat intelligence looks across the entire log universe in your organisation, pulling data from many sources to help connect the dots on what is occurring. It looks for patterns and behaviours which indicate that an attack (internal or external) is being attempted, policies are breached, strange or unauthorised user activity is occurring, or a device or application isn’t behaving as expected. By reducing false positives, security teams can spend more time on real and important incidents.

While most security platforms will pick up obvious outside hacking behaviour like DDoS or multiple random user login attempts, they won’t see more subtle things: a successful change to a firewall policy made at an uncharacteristic time of day; a legitimate user asking for a password reset while their account is suspended during leave (suspending accounts during leave is common practice for people in financial roles); users being granted administrative access; an admin generating more user accounts or passwords than they normally do; or a switch or system being remotely switched off and on again multiple times, perhaps in an attempt to load a compromised boot file.
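Two of the subtle checks listed above, as an added example that is not Snare’s code: an admin creating far more accounts in a day than their own historical baseline, and a firewall policy change outside the hours that administrator is normally active. The event tuples, actor names and action labels are constructed for this example; the burst threshold (mean plus three standard deviations of prior daily counts) is an assumed choice.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: summarised admin activity as (ISO time, actor, action).
# Four normal days, then a review day with an 02:03 firewall change and a
# burst of ten account creations late in the evening.
SAMPLE_EVENTS = [
    ("2018-11-05T09:10:00", "bob", "user_created"),
    ("2018-11-05T14:00:00", "bob", "fw_policy_change"),
    ("2018-11-06T10:30:00", "bob", "user_created"),
    ("2018-11-06T10:31:00", "bob", "user_created"),
    ("2018-11-07T11:00:00", "bob", "user_created"),
    ("2018-11-07T15:20:00", "bob", "fw_policy_change"),
    ("2018-11-08T09:45:00", "bob", "user_created"),
    ("2018-11-08T09:46:00", "bob", "user_created"),
    ("2018-11-09T02:03:00", "bob", "fw_policy_change"),
] + [(f"2018-11-09T22:{m:02d}:00", "bob", "user_created") for m in range(10)]


def day(ts):
    return ts[:10]


def hour(ts):
    return int(ts[11:13])


def baseline_split(events, review_day):
    """History strictly before the review day is the baseline; that day is under test."""
    base = [e for e in events if day(e[0]) < review_day]
    today = [e for e in events if day(e[0]) == review_day]
    return base, today


def burst_findings(base, today, action="user_created", k=3.0):
    """Actors whose count of `action` today exceeds mean + k*stdev of their prior daily counts."""
    per_day = defaultdict(lambda: defaultdict(int))
    for ts, actor, act in base:
        if act == action:
            per_day[actor][day(ts)] += 1
    today_counts = defaultdict(int)
    for _, actor, act in today:
        if act == action:
            today_counts[actor] += 1
    findings = []
    for actor, n in today_counts.items():
        counts = list(per_day[actor].values())
        if len(counts) < 2:
            continue  # too little history to call anything a burst
        threshold = mean(counts) + k * pstdev(counts)
        if n > threshold:
            findings.append((actor, action, n, round(threshold, 1)))
    return findings


def off_hours_findings(base, today, sensitive=("fw_policy_change",)):
    """Sensitive actions outside the hour range the actor has been active in before."""
    hours = defaultdict(list)
    for ts, actor, _ in base:
        hours[actor].append(hour(ts))
    findings = []
    for ts, actor, act in today:
        if act in sensitive and actor in hours:
            lo, hi = min(hours[actor]), max(hours[actor])
            if not lo <= hour(ts) <= hi:
                findings.append((actor, act, ts, f"usual {lo:02d}-{hi:02d}h"))
    return findings
```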

In short, threat intelligence solutions collect, store, and analyse everything. And, they increasingly apply machine learning to make connections within the data that simply wouldn’t be apparent to other systems, or even to highly skilled analysts as they often suffer information overload. Finding the proverbial needle in the haystack is the key.

The irony is we’ve been insisting on capturing logs for decades, and who knows how many opportunities have been lost because we simply couldn’t act on the information in real-time or understand it in the wider context of how our organisations operate. As organisations have grown and more systems are on the network the logging load has increased exponentially.

This threat intelligence capability is being coined as next-generation SIEM technology in the market. It’s pretty obvious that it will become pervasive very quickly, as the market needs more context around the security log data that results from incidents.

Traditional SIEM is not going anywhere soon and clearly has a role to play but, increasingly, you will see the same information going to a next-generation SIEM with threat intelligence capability in the platform, which can also take some of its data feed from the traditional SIEMs.

Unless you’ve been out of contact with civilisation for the last few years, you’ll know about the Internet of Things (IoT).

Just to catch you up, it’s the advent of a myriad of devices which are not only connected to the internet but also, in many cases, generate data.

What sort of devices? Think about any smart device, or any monitored device or any internet-aware device. It could be any or all of the following, which can be found in most organisations:

  • vending machines that notify the operator when stock is low, cash boxes are full, or change is required
  • remotely-monitored exit signs that light the way to your fire exits.
  • IP phone systems
  • multifunction printers (a recent exploit has been uncovered which allows bad actors onto enterprise networks via unsecured fax lines connected to certain multifunction printers)
  • smart whiteboards and projectors
  • security swipe card systems
  • elevator and other building management and monitoring systems
  • unmanaged end user devices connected over the enterprise Wi-Fi network (a reasonably recent example was an internet-connected thermometer in a fish tank in a casino’s lobby, which let hackers access the company network and steal high roller data. I assume the fish denied everything. Or maybe they were just being koi. (Sorry.))
  • CCTV systems which may connect to third-party security providers
  • smart TVs, fridges and other appliances in the corporate kitchen, even though the ‘smart’ component often isn’t even used in a business kitchen setting.

And, as we know, where there’s an internet connection, there’s a threat vector.

The problem with IoT is the unstructured and unmanaged nature of these connected devices. In many cases, the manufacturers of these more general devices are mostly focused on the specific functionality of their appliance and may not even consider wider enterprise security ramifications.

Internet connections for many devices may be active by default, and often not able to be patched or managed as they are hard-soldered onto circuit boards. And, in some cases, you may not even know that a device is internet-aware and could be acting as a gateway onto your corporate network.

It’s fair to say that, for many organisations, worrying about being hacked via the smart TV or the Wi-Fi sound bar in the company boardroom is not top of mind.

So what’s the answer?

First, if you haven’t thought about it already, be aware that this is a threat vector. It’s one that only deliberate attackers would attempt to use, which makes any kind of breach probably quite serious.

Consider that it takes serious and direct effort to try to break into an enterprise network via a smart fridge or the CCTV system.

Second, identify and isolate these devices with network segmentation. Use any of the available technology tools to find devices that transmit or attempt to connect to the network or the internet, and determine the best course of action from there. If they need to remain connected (or you can’t turn the connectivity off), then make sure they can only access quarantined parts of the network. If they’re wired devices, ensure patch panels are wired correctly and network leads aren’t accidentally plugged into a secured or other production network.

If devices transmit and receive wirelessly, ensure they can only communicate over guest or utility-rated network connections.

Third, (or maybe first depending on your approach) ensure your IT security management procedures and policies address IoT. Develop protocols and procedures around the receipt, activation, screening, and management of internet-enabled devices which are consistent with adding any other network-enabled devices. Make sure facility managers know about these protocols and procedures, as building management systems are increasingly the focus of external attacks.

Fourth, train people and ask them to acknowledge the policies you have in place. It’s important that staff, contractors, and visitors understand the implications of connecting any kind of device to any active network in the organisation and don’t do it without permission.

Last, put technology in place to monitor, log, and notify you if there is suspicious activity on your networks. Many organisations are doing this anyway as part and parcel of managing IT security, but this is becoming more important in an IoT world. Logging tools and threat intelligence solutions are the cornerstone here.

While IoT offers many benefits when it comes to productivity, convenience, cost savings, and many more areas, it does open a whole new front when it comes to fighting cyberattacks and protecting organisational assets.