MSSP Advancements Archives - SecurityHQ
https://www.securityhq.com/blog/category/mssp-advancements/

SecurityHQ is an industry leader in providing Cyber Security Services including Managed Security Services, Professional Services and Compliance.

The Value of a Managed Incident Response Platform
https://www.securityhq.com/blog/the-value-of-a-managed-incident-response-platform/
Thu, 27 Jun 2024

The post The Value of a Managed Incident Response Platform appeared first on SecurityHQ.

[The content of this blog was originally released in May 2021, and was updated June 2024]

SecurityHQ’s award-winning Incident Management and Analytics platform is a comprehensive cyber incident response and analytics platform, designed to help customers and Managed Security Service Providers track, visualize, respond to, and recover from cyber incidents.

‘SHQ Response Platform acts as the Emergency Room, and the Risk Centre provides the Wellness Hub for all cyber security monitoring and actions. This has included a complete rewrite of how risks are visualized and how customers work with their security team.

The Risk Centre is designed with the purpose of preventing emergencies before they arise. To make this possible, SecurityHQ has combined its intellectual property and knowledge on risk mitigation and cybersecurity, and merged this with several recognized sources in the industry, including the National Institute of Standards and Technology (NIST), the National Cyber Security Centre (NCSC), and MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), to provide actions on how to identify, map, and raise risks.’ – ‘SHQ Response Rewrites the Rules on Cyber Risk Visualization & Collaboration’

Building SHQ Response

Built to simplify the complexity of cyber security for stakeholders, CISOs, SOC analysts, threat hunters, incident responders and auditors, the platform is built on, and incorporates, the following three industry-leading frameworks:

  • VERIS (Vocabulary for Event Recording and Incident Sharing) – common terminology for describing security incidents in a structured and repeatable way.
  • MITRE ATT&CK – to track the tactics and techniques used by the adversary. Incidents are investigated and prioritized, categorized against ATT&CK, and assigned a risk level based on CIA attributes (confidentiality, integrity, availability), asset criticality, and impact. An incident card shows real-time incident information, including a timeline tab, a graphical representation tab, and a MITRE tactics tab.
  • NIST Cybersecurity Framework – to support customers in detecting, responding to, and recovering from cyber incidents. Risks are managed in accordance with NIST SP 800-30, and maturity and high-impact mitigations are identified and linked to NIST SP 800-53 controls.

Through this, users can map threats, assets, and vulnerabilities to derive risks, and track mitigations, task assignments, and progress. Compliance incidents can also be linked to risks, so that repeated incidents of the same kind do not keep generating noise.

‘SHQ Response Platform is unique in the industry as it follows a combination of different sources and is always viewed within the context of the customer. The Risk Centre itself is what makes this such a unique offering, as the user is now able to calculate the impact of security threats to the business, the likelihood of risks happening, identify all the different tactics and techniques, and highlight how best to mitigate these risks, all from a single location.’ – Chris Cheyne, SOC Director & CTO, SecurityHQ

Cyber Incident Analytics and Visualization

The platform provides real-time interactive visualizations and advanced analytics, with meaningful and actionable views of incident trends, deviations, anomalies, and areas of concern, and seamless access to the underlying incident tickets.

Smarter Orchestrated Response

Supports customers in automating and accelerating incident response, to contain threats and take remediation actions based on pre-agreed SOPs and playbooks.

Anytime-Anywhere Collaboration

Incidents can occur at any time. The SecurityHQ Response mobile app allows incidents to be managed on the go. It gives customers secure access to SecurityHQ data from their mobile phones while on the move, and improves cyber response collaboration between the SOC, the CISO and the customer’s internal stakeholders.

The SecurityHQ Response mobile app and desktop platform are used to support customers, the SOC and MSSP partners in collaborating on cyber response anytime, from anywhere.

Smart Integration & Automation

Clients and partners have access to a library of APIs supporting a variety of ITSM ticketing systems to ensure seamless business continuity.

Generic APIs, integrated with third-party ticketing systems at the customer/partner end, simplify collaboration between teams. Through this two-way integration, customer teams can collaborate with the MSSP SOC teams from within their respective systems.

Simplifying Incident Handling and Metrics

SecurityHQ makes the incident handling process accessible to both technical and non-technical staff, and shows real-time metrics on incident management KPIs for speed of response and incident lifecycle management.

IBM Security Stack Made Accessible

The product of SHQ Response is real, qualified security incidents, with analysis, risk assessment and response recommendations. This is the output of intelligence, correlation, and automation. SecurityHQ Response makes this accessible to technical and non-technical stakeholders, to reduce costs, improve SOC operations and enhance service delivery of Managed Security Services.

‘We have not seen any platforms out there that are doing this. We see a lot of risk management platforms, but they do not deal with the detail of cyber security risks in a very good way. The SHQ Response Platform has simplified cyber security, by enabling customers to be part of their security journey. It was built so that businesses could learn more about potential threats, and solve cyber related issues, together with their designated security experts.’– Feras Tappuni, CEO, SecurityHQ

For more on how the platform works, speak to one of our specialists here.

Building a Resilient Digital Future: NIST’s Impact on Cybersecurity
https://www.securityhq.com/blog/building-a-resilient-digital-future-nists-impact-on-cybersecurity/
Thu, 07 Sep 2023

Explore the significance of NIST in the cybersecurity landscape, with a particular emphasis on NIST SP 800-30 and SP 800-53, and how to stay resilient against the evolving threat landscape.

Recognizing the need for comprehensive cybersecurity guidance, the National Institute of Standards and Technology (NIST) has established itself as a global benchmark for cybersecurity. Through its Cybersecurity Framework, the non-regulatory agency enables organizations to take a proactive approach to managing and mitigating cyber risks, helping them stay resilient against an ever-evolving threat landscape.

In this blog, we explore the significance of NIST in the cybersecurity landscape, with a particular emphasis on NIST SP 800-30 and SP 800-53.

The Role of NIST in Navigating the Threat Landscape

The National Institute of Standards and Technology (NIST) plays a pivotal role in helping organizations build a comprehensive cyber security posture that prevents, or lessens the impact of, cyberattacks. With the publication of the Cybersecurity Framework in 2014, NIST provided a comprehensive and structured approach to assessing, managing, and mitigating cybersecurity risks.

Although the framework was originally developed, under Executive Order 13636, to protect the critical infrastructure of the United States, it is now widely used by organizations of every kind.

Gartner states that, as of 2015, almost 30% of organizations in the United States were relying on the framework to safeguard their digital assets, and projected that this would rise to 50% by 2020. Today, the framework has been downloaded 1.7 million times and is used by companies of varying sectors, sizes, and locations. The continually increasing number of organizations adopting the NIST Cybersecurity Framework highlights its effectiveness and relevance in addressing the ever-growing cyber threat landscape.

Essentially, the framework follows a risk-based approach: identify the highest risks and target them first, so as to continuously improve the organization’s cybersecurity posture. The five functions of the NIST Framework are:

  • Identify – develop an understanding of the organization’s assets, business environment, and risks.
  • Protect – put in place the safeguards that ensure delivery of key infrastructure and services.
  • Detect – implement the mechanisms needed to identify the occurrence of a cyber security incident.
  • Respond – take the appropriate actions regarding an identified cyber security incident.
  • Recover – maintain resilience and restore any capabilities or services impaired by an incident.

As cyberattacks such as ransomware, supply chain attacks, and phishing continue to evolve, the NIST Framework remains a critical resource for navigating the complexities of cybersecurity and ensuring resilience in an interconnected world. By adopting these functions and aligning their cybersecurity measures to them, organizations can effectively strengthen their defenses against malicious attacks.

Special Publications by NIST

As one of the key bodies responsible for promoting robust risk management, NIST has published Special Publications that have significantly shaped cybersecurity practice by encouraging organizations to streamline their cybersecurity strategies. Two of the most important are:

NIST SP 800-30

NIST SP 800-30, titled “Guide for Conducting Risk Assessments,” lays the groundwork for conducting risk assessments as part of an organization-wide risk management process. It describes how to identify threat sources and threat events, identify vulnerabilities and predisposing conditions, determine likelihood and impact, combine these into a level of risk, and then communicate the results and maintain the assessment over time as threats and the environment change. (The catalogue of controls used to treat the identified risks is in SP 800-53, below.)
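As an added example that is not part of the original post or of NIST’s own material, the Python below shows how the SP 800-30 assessment steps, and the Risk Centre workflow described in the first post above (map threats, assets and vulnerabilities to derive risks, then track the mitigations), fit together in a small risk register. The five-level scale and the two combination tables are a simplified rendering of the qualitative tables in SP 800-30 Appendix G and Appendix I and are an assumption to check against the current revision; the threat scenarios, asset names and the one-level reduction applied when a mitigation is in place are constructed for illustration, and the ATT&CK technique and SP 800-53 control identifiers are used only as tags.

```python
from dataclasses import dataclass, replace

# Qualitative scale used throughout (SP 800-30 uses Very Low .. Very High).
LEVELS = ["very_low", "low", "moderate", "high", "very_high"]

# Overall likelihood = f(likelihood the threat event is initiated,
#                        likelihood it results in adverse impact given the vulnerabilities present).
# Rows: initiation; columns follow LEVELS for adverse impact.
# Simplified from SP 800-30 Table G-5 (assumption: verify against the current revision).
OVERALL_LIKELIHOOD = {
    "very_high": ["low", "moderate", "high", "very_high", "very_high"],
    "high":      ["low", "moderate", "moderate", "high", "very_high"],
    "moderate":  ["low", "low", "moderate", "moderate", "high"],
    "low":       ["very_low", "low", "low", "moderate", "moderate"],
    "very_low":  ["very_low", "very_low", "low", "low", "low"],
}

# Risk = f(overall likelihood, impact). Rows: likelihood; columns follow LEVELS for impact.
# Simplified from SP 800-30 Table I-2 (same caveat).
RISK = {
    "very_high": ["very_low", "low", "moderate", "high", "very_high"],
    "high":      ["very_low", "low", "moderate", "high", "very_high"],
    "moderate":  ["very_low", "low", "moderate", "moderate", "high"],
    "low":       ["very_low", "low", "low", "low", "moderate"],
    "very_low":  ["very_low", "very_low", "very_low", "low", "low"],
}


def combine(table, row_level, col_level):
    """Look up a row/column pair in one of the qualitative tables."""
    return table[row_level][LEVELS.index(col_level)]


@dataclass(frozen=True)
class ThreatScenario:
    scenario_id: str
    threat_event: str
    technique: str      # MITRE ATT&CK technique ID, used as a tag
    asset: str
    impact: str         # level of impact, driven by asset criticality and the CIA attributes at stake
    initiation: str     # likelihood the threat event is initiated (threat intelligence, exposure)
    adverse: str        # likelihood it results in adverse impact (vulnerabilities, predisposing conditions)
    mitigations: tuple  # SP 800-53 control IDs that would reduce 'adverse'


def assess(s):
    """Return (overall likelihood, risk level) for a scenario."""
    likelihood = combine(OVERALL_LIKELIHOOD, s.initiation, s.adverse)
    return likelihood, combine(RISK, likelihood, s.impact)


def with_mitigations(s):
    """Residual view: once the listed controls are in place, 'adverse' drops one level (assumption)."""
    return replace(s, adverse=LEVELS[max(LEVELS.index(s.adverse) - 1, 0)])


def prioritise(register):
    """Rank the register by current risk, highest first, alongside the residual risk once mitigated."""
    rows = []
    for s in register:
        likelihood, risk = assess(s)
        _, residual = assess(with_mitigations(s))
        rows.append({"scenario_id": s.scenario_id, "asset": s.asset, "technique": s.technique,
                     "likelihood": likelihood, "risk": risk, "residual_risk": residual,
                     "mitigations": list(s.mitigations)})
    rows.sort(key=lambda r: (-LEVELS.index(r["risk"]), r["scenario_id"]))
    return rows


# Constructed register (not real customer data).
REGISTER = [
    ThreatScenario("R1", "Phishing leads to finance mailbox takeover", "T1566", "finance mailboxes",
                   impact="high", initiation="very_high", adverse="moderate", mitigations=("AT-2", "IA-2")),
    ThreatScenario("R2", "Ransomware encrypts the file server", "T1486", "file server",
                   impact="very_high", initiation="high", adverse="high", mitigations=("CP-9", "SI-3")),
    ThreatScenario("R3", "Exploitation of an unpatched public web app", "T1190", "customer portal",
                   impact="moderate", initiation="moderate", adverse="very_high", mitigations=("RA-5", "SI-2")),
    ThreatScenario("R4", "Misuse of a stale account on a legacy test box", "T1078", "legacy test server",
                   impact="low", initiation="low", adverse="low", mitigations=("AC-2",)),
]

if __name__ == "__main__":
    for row in prioritise(REGISTER):
        print(f"{row['scenario_id']}: risk={row['risk']:<9} residual={row['residual_risk']:<9} "
              f"{row['technique']} on {row['asset']} -> {', '.join(row['mitigations'])}")
```

Run as a script it prints the register in priority order; the ransomware scenario comes out on top because a high overall likelihood meets a very high impact, while the phishing scenario, despite being the most likely to be initiated, ranks below it. The residual column is what the mitigation-tracking side of a risk centre reports back once the linked controls are confirmed in place.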

NIST SP 800-53

NIST SP 800-53, titled “Security and Privacy Controls for Information Systems and Organizations,” provides a comprehensive catalogue of security and privacy controls, maintained by NIST’s Information Technology Laboratory (ITL). Written originally for federal information systems in the United States, it is now applicable to any organization, and helps agencies and businesses secure their information systems and protect sensitive information from a wide range of threats and vulnerabilities. To keep systems secure over time, NIST SP 800-53 also stresses continuous monitoring and regular updates to the selected controls as the threat landscape evolves.

Achieving Compliance with SecurityHQ

While the NIST Cybersecurity Framework is designed to streamline cybersecurity strategies, achieving compliance with it and fortifying defenses can still be challenging. At SecurityHQ, we are committed to empowering businesses to build a secure future by simplifying cybersecurity. This is why we offer a wide range of comprehensive solutions tailored to the unique needs of each organization.

To embark on the journey of a resilient digital future, contact us today.

Defense Against the Dark Web: Threat Intelligence to Enhance Business Security Posture
https://www.securityhq.com/blog/defense-against-the-dark-web-threat-intelligence-to-enhance-business-security-posture/
Tue, 25 Apr 2023

What is the Dark Web? How do organised crime groups and APTs operate there? Most importantly, how can businesses protect themselves against these threats?

The Dark Web has long been portrayed as an arena for illicit transactions. The premise is that transactions made there are anonymous and concealed from law enforcement and from cyber security teams. Most people will never be affected by the Dark Web, or give it much thought. What businesses often don’t realise is that the perpetrators operating there have gone global and are directly targeting businesses, and those businesses are frequently unaware of it until it is too late.

To understand the true nature of the Dark Web, a basic understanding of how it differs from the ordinary Internet is needed. Unlike the sites indexed by Google or Bing, Dark Web sites are not reachable through conventional search engines, and their addresses (.onion names) are not chosen words but long strings of letters and numbers derived from the service’s cryptographic key, so they reveal nothing about who operates them.

To access the Dark Web, the Tor Browser is required. It routes web traffic through the Tor network so that the identity and location of the user remain hidden. If you look hard enough, and on the right forums, these sites are abundant. Once in, participants hide their activity further by communicating over encrypted messaging.

Organised Crime Groups & APTs

There are many different reasons why people use the Dark Web. When it comes to cyber crime, hacking groups are there to trade information, such as credit card details, and to sell their services. Advanced Persistent Threats (APTs) and ransomware operators have been seen using the Dark Web as a platform to sell ‘Ransomware as a Service’ and to recruit new members. Download this webinar on the ‘Global Threat Landscape Forecast’ to watch SecurityHQ experts explore the latest and most sophisticated APT groups targeting business in 2023. The Dark Web is also where cyber security experts go to see what information has been released, who has been targeted, which organisations have been breached, and where the information has been posted.

Most organised cyber-crime groups, however, are on the Dark Web with one goal in mind: to extort money. Transactions are made in cryptocurrency, and just like any other business, these crime groups have suppliers and specialists, and they do their research. They have teams, access to the latest vulnerabilities and/or lists of soft targets, a list of customers ready to buy, and payment mechanisms in place.

How Businesses Can Protect Themselves

Security agencies and intelligence communities are busy working for the greater good. But that won’t help the average small or medium-sized enterprise being targeted right now.

Most security is built on the architecture of perimeter security. Imagine a castle, with a moat, surrounded by high walls and defences. In the IT world, these walls are your firewalls, your IDS, IPS, AV and the like. Now imagine yourself sitting in this castle, looking over the walls towards the dark woods and beyond. What if you could go out there and observe your attackers and threats, hidden in the undergrowth? What if you could set up listening stations, traps, and decoys, to gather your own intelligence on cyber threats, and find out whether they had any intelligence on you?

In cyber security, we call this Threat Intelligence. With Threat Intelligence you can build a profile of your own organisation (its domains, brands, key people and infrastructure), actively hunt for it, monitor your digital footprint on the Dark Web, and understand what is being planned against you. With this information you are equipped to tackle what comes next.
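Monitoring your own digital footprint, as described above, comes down in practice to matching collected material against a profile of what is yours. The Python below is an added example, not SecurityHQ’s tooling; the watch profile (two domains, a brand keyword and an IP range, the latter from the RFC 5737 documentation range 203.0.113.0/24) and the combolist and forum lines it is run over are constructed for illustration. It also classifies each exposed secret as plaintext or hashed, since that changes how urgently the account needs a reset.

```python
import ipaddress
import re
from collections import Counter

# Constructed watch profile for a fictitious organisation. 203.0.113.0/24 is an RFC 5737
# documentation range, used here so the sample never points at a real network.
WATCH_PROFILE = {
    "domains": {"example-corp.com", "examplecorp.co.uk"},
    "brands": {"examplecorp"},
    "networks": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed sample of what a monitoring feed might return: combolist lines and forum snippets.
SAMPLE_FEED = """\
j.doe@example-corp.com:Summer2022!
a.lee@example-corp.com:5f4dcc3b5aa765d61d8327deb882cf99
random.user@gmail.com:hunter2
finance@examplecorp.co.uk:$2b$12$C6UzMDM.H6dfI/f/IKcEeO
[forum] selling VPN access to ExampleCorp, 203.0.113.14 rdp, price 2k
[forum] fresh logs from a retail shop, nothing of interest
"""

CREDENTIAL = re.compile(r"^([^\s:@]+@([^\s:@]+)):(\S+)$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify_secret(secret):
    """Rough shape of an exposed secret: a plaintext password is the urgent case."""
    if secret.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if re.fullmatch(r"[0-9a-fA-F]{32}", secret):
        return "md5-like"
    if re.fullmatch(r"[0-9a-fA-F]{40}", secret):
        return "sha1-like"
    return "plaintext"


def match_line(line, profile):
    """Return the findings for one feed line: a credential exposure if it is an account on a
    watched domain, otherwise any brand or infrastructure mentions found in the free text."""
    m = CREDENTIAL.match(line)
    if m:
        account, domain, secret = m.groups()
        if domain.lower() in profile["domains"]:
            return [{"kind": "credential", "account": account, "secret_type": classify_secret(secret)}]
        return []                                   # someone else's account; not our exposure
    findings = []
    lowered = line.lower()
    for brand in profile["brands"]:
        if brand in lowered:
            findings.append({"kind": "brand_mention", "indicator": brand})
    for ip_text in IPV4.findall(line):
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            continue                                # e.g. 999.1.1.1 matched the loose regex
        if any(addr in net for net in profile["networks"]):
            findings.append({"kind": "infrastructure_mention", "indicator": ip_text})
    return findings


def summarise(feed_text, profile=WATCH_PROFILE):
    """Run the feed through the profile and aggregate what an analyst would action."""
    findings = [f for line in feed_text.splitlines() if line.strip() for f in match_line(line, profile)]
    kinds = Counter(f["kind"] for f in findings)
    credentials = [f for f in findings if f["kind"] == "credential"]
    return {
        "credentials": kinds["credential"],
        "plaintext_credentials": sum(1 for f in credentials if f["secret_type"] == "plaintext"),
        "accounts": sorted(f["account"] for f in credentials),
        "brand_mentions": kinds["brand_mention"],
        "infrastructure_mentions": kinds["infrastructure_mention"],
        "indicators": sorted(f["indicator"] for f in findings if "indicator" in f),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_FEED).items():
        print(f"{key}: {value}")
```

On the sample feed this reports three exposed accounts on watched domains (one with a plaintext password, which is the one to reset first), ignores the Gmail account that is not yours, and flags the forum post both for naming the brand and for quoting an address inside the watched range. Real feeds are noisier, but the shape of the check, a profile of your own assets matched against what is circulating, is the same.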

As a Managed Security Service Provider (MSSP), SecurityHQ has a duty of care to protect our customers, to understand the threats targeting them, and the vulnerabilities that put them at risk. To speak with one of our experts, and to understand how we can implement Threat Intelligence to find out what is known about you and your company on the Dark Web, talk with a member of our team today.

The Necessity of Vulnerability Assessment & Penetration Testing (VAPT)
https://www.securityhq.com/blog/the-necessity-of-vulnerability-assessment-penetration-testing-vapt/
Thu, 10 Nov 2022

It has been proven time and time again that if you, as a business, have a VAPT programme in place, your ability to proactively detect and mitigate threats drastically improves.

This is done by merging the essential characteristics of Vulnerability Assessment and Penetration Testing.

Penetration Testing is used to hunt for, and highlight, vulnerabilities in your network, applications, and devices by emulating real-life external and internal attacks. Testing is conducted in a controlled manner, without compromising routine business activities.

Vulnerability Assessment is used to highlight vulnerabilities across all digital platforms, including internet-facing services, applications, systems, cloud, and hardware. The objective is to proactively identify the vulnerabilities that exist in your environment, so that appropriate mitigating controls can be applied ahead of time. Assessments are largely automated and broad in coverage; penetration tests are manual, targeted, and confirm which findings are actually exploitable.

VAPT combines the two, to rapidly identify, classify, prioritise, and respond to potential threats, allowing you to:

  • Meet compliance requirements more efficiently and successfully.
  • Safeguard business from potential damage/costly fines.
  • Secure assets from both internal and external threats, whether malicious or accidental.

Identify Loopholes in Your Systems

VAPT is often an underrated but necessary part of your cyber security defence. It is much like going to the gym, forcing yourself to do that workout can be tedious, but if you want to stay fit and grow stronger, then it is essential. The same applies for your cyber security posture, if you want it to stay healthy, and grow with the business, then VAPT is a must.

To keep data secure, the right assessments need to be conducted. VAPT identifies loopholes in your systems and applications that threat actors may take advantage of. This is done via a methodology derived from leading frameworks and guidelines, combined with expert manual testing:

  • OSSTMM, OWASP and NSA security guidelines.
  • The experience of expert security analysts, on hand 24/7.
  • A combination of automated tools (commercial, proprietary and open source) and manual testing to identify and exploit vulnerabilities.

Key Benefits of VAPT

  1. A high-level overview of security gaps and the business risk associated with each.
  2. An in-depth analysis of identified vulnerabilities, with remediation steps and validation of the remediation measures once applied.
  3. A detailed view of the threats facing the business, so that the right risk management can be put in place before data is exfiltrated.

Having conducted incident response investigations across a wide range of industries, with clients across the globe, SecurityHQ is well placed to work with organisations large and small, across numerous technical environments, to reduce the impact of a cyber security incident. For more information on how to improve your security, or if you have a question about a service, speak to an expert here.

5 Approaches to Your Pen-Test Program
https://www.securityhq.com/blog/5-approaches-to-your-pen-test-program/
Tue, 01 Nov 2022

A look at five penetration testing approaches that enhance your cyber security posture.

Penetration testing is an authorized simulation of real-world attacker techniques, used to hunt for and highlight vulnerabilities in your networks, applications, and devices. This is done by testing in a controlled environment without compromising routine business activities. There are many forms of Penetration Testing services, including External Penetration Testing, Internal Penetration Testing, Web Application Security Testing, Mobile Application Security Assessment, Wireless Network Security Assessment and Cloud Penetration Testing.

In this blog, we look at five security testing approaches: Web Application Security Testing, Network Penetration Testing, Cloud Penetration Testing, Red Teaming, and, to complement them, Secure Code Review.

1. What is Web Application Security Testing?

Web Application Security Testing is used to identify vulnerabilities and safeguard against threats such as SQL injection and cross-site scripting, as well as the weaknesses in input/output validation and exception handling that lead to them.

Applications such as thick-client web front ends, mobile app back ends, or microservices exposed over the internet are arguably among the easiest entry points for an adversary, because an attacker who behaves like a legitimate user can perform malicious actions while staying hidden in normal traffic.

These applications have functionality and integrations that run dynamically, which makes them a focal point for security assessments.

To identify and safeguard against these threats, use a 6-phase approach to Web Application Security Testing:

  1. Engagement
  2. Reconnaissance
  3. Scanning
  4. Vulnerability Assessment
  5. Exploitation
  6. Reporting

These assessments should be performed against the OWASP Application Security Verification Standard (ASVS), covering the CWE/SANS Top 25, the OWASP Top Ten and all threat classes from the Web Application Security Consortium (WASC) Threat Classification.

The advantage of performing a web application test before production deployment is that it is application-focused and complements what code review can find. Business logic vulnerability verification, vertical and horizontal privilege escalation testing across the application’s different roles, and false-positive validation of findings from industry-standard DAST tools are a crucial part of it.
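The vertical and horizontal privilege escalation testing mentioned above is best driven from an access matrix: who is supposed to be able to do what, and on whose data. The Python below is an added example, not SecurityHQ’s methodology or tooling. The payroll application, its users, its two deliberate flaws and the expected-access policy are all constructed for illustration, and the `hardened` flag stands in for the fixed build a tester would re-run the same matrix against.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the target application denies an action."""


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "staff" | "manager" | "admin"


class PayrollApp:
    """Constructed in-memory target. With hardened=False it carries two deliberate
    authorisation flaws: a horizontal one (payslips are served without an ownership
    check) and a vertical one (the caller's role is taken from the request body when present)."""

    def __init__(self, hardened=False):
        self.hardened = hardened
        self.payslips = {101: {"owner": 1, "net": 3200}, 102: {"owner": 2, "net": 4100}}
        self.expenses = {501: {"owner": 2, "approved": False}}

    def _effective_role(self, actor, request):
        if self.hardened:
            return actor.role                      # role comes only from the server-side session
        return request.get("role", actor.role)     # FLAW: trusts a client-supplied 'role' field

    def handle(self, actor, request):
        action, params = request["action"], request["params"]
        if action == "view_payslip":
            slip = self.payslips[params["payslip_id"]]
            # FLAW (when not hardened): any authenticated user can read any payslip.
            if self.hardened and slip["owner"] != actor.user_id and actor.role != "admin":
                raise Forbidden()
            return slip
        if action == "approve_expense":
            if self._effective_role(actor, request) not in ("manager", "admin"):
                raise Forbidden()
            self.expenses[params["expense_id"]]["approved"] = True
            return "approved"
        if action == "delete_user":
            if self._effective_role(actor, request) != "admin":
                raise Forbidden()
            return f"deleted user {params['user_id']}"   # simulated; nothing is actually removed
        raise KeyError(action)


# Expected policy: roles allowed to perform each action on ANOTHER user's resource.
POLICY = {
    "view_payslip": {"admin"},
    "approve_expense": {"manager", "admin"},
    "delete_user": {"admin"},
}
# Roles that may perform the action only on their own resource; a breach here is horizontal.
OWN_ONLY = {"view_payslip": {"staff", "manager"}}
# Every probe targets a resource owned by user 2; none of the actors is user 2.
PROBES = {
    "view_payslip": {"payslip_id": 102},
    "approve_expense": {"expense_id": 501},
    "delete_user": {"user_id": 2},
}
ACTORS = {"staff": User(1, "staff"), "manager": User(3, "manager"), "admin": User(4, "admin")}


def _attempt(app, actor, request):
    try:
        app.handle(actor, request)
        return True
    except Forbidden:
        return False


def run_access_matrix(app):
    """Try every role against every action it should NOT be allowed on someone else's resource,
    first as-is and then with a tampered 'role' field. Return (role, action, kind) per breach."""
    findings = []
    for role, actor in ACTORS.items():
        for action, params in PROBES.items():
            if role in POLICY[action]:
                continue                           # legitimately permitted; not an escalation test
            plain = {"action": action, "params": params}
            tampered = {"action": action, "params": params, "role": "admin"}
            if _attempt(app, actor, plain):
                kind = "horizontal" if role in OWN_ONLY.get(action, set()) else "vertical"
                findings.append((role, action, kind))
            elif _attempt(app, actor, tampered):
                findings.append((role, action, "vertical (role parameter tampering)"))
    return findings


if __name__ == "__main__":
    for finding in run_access_matrix(PayrollApp()):
        print("BREACH:", *finding)
    print("hardened build:", run_access_matrix(PayrollApp(hardened=True)) or "no breaches")
```

Against the flawed build the matrix reports five breaches: staff and managers can read another employee’s payslip (horizontal), and the extra `role` field lets staff approve expenses and lets staff or managers delete users (vertical). The same matrix run against the hardened build returns nothing, which is the validation-of-remediation step the post describes. In a real engagement the `handle` call is replaced by HTTP requests using each role’s session, and the matrix is filled in from the application’s own role documentation.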

2. What is Network Penetration Testing?

Network penetration testing uncovers the exposure of an organization’s assets to attacks in which an adversary aims to gain unauthorized access to systems.

Network penetration testing can be carried out from the position of an internal or an external attacker trying to gain access to the network, and can involve active exploitation of security vulnerabilities and misconfigurations, following industry standards such as NIST, OSSTMM and PTES.

Wireless access points can also be considered within this assessment, given their exposure. The difference in this type of assessment is that it is not specific to code or application functionality, but covers all the services an organization exposes, each of which increases the attack surface.

SecurityHQ uses comprehensive testing methods and tools when performing network penetration testing, to get the best results.

3. What is Cloud Penetration Testing?

We have seen massive adoption of cloud technologies across business verticals, which brings the need to shift the focus of traditional penetration testing to a cloud-specific one.

The scoping of cloud penetration testing differs based on the type of service (PaaS, SaaS, IaaS) the organization is consuming, and on the provider’s own rules of engagement for testing. As per Gartner, most cloud vulnerabilities are the result of security misconfigurations, most commonly IAM misconfigurations and publicly exposed S3 buckets. For more on this, read this blog on Compromised AWS S3 Buckets.

4. What is Red Teaming?

Red Teaming aims to simulate real-life attacks using a combination of several attack methodologies. The approaches are either to simulate an external adversary, using covert social engineering to gain initial access to an internal system, or to act as an internal attacker, performing an adversary simulation to gain unauthorized access to sensitive IT systems, Active Directory, and business-sensitive applications and databases.

This type of assessment is carefully scoped between the vendor and the organization, to test the resilience of the security controls that have been tested and implemented using the methods above. Beyond the expertise required of any red teamer, the MITRE ATT&CK framework is the most widely used knowledge base of adversary tactics, techniques, and procedures. For more on this framework, read ‘How the MITRE ATT&CK Framework has Revolutionized Cyber Security’.

5. What is a Secure Code Review?

In addition to penetration testing, secure code review should be conducted to provide more complete analysis and coverage.

Analysing the source code of applications is essential to detect existing security flaws and vulnerabilities. Highlighting them early makes it easier to implement remediation and design changes, and reduces the effort and costs involved later down the line. The approach usually involves scanning the code with leading static analysis (SAST) tools, such as those in the Gartner Magic Quadrant, followed by manual analysis.

Once the source code is scanned, the results are analysed for flaws such as logic errors and hard-coded sensitive information, and checked against well-known OWASP standards and secure coding guidelines. Incremental code reviews are very effective, but strictly at code level only: they do not see runtime behaviour, configuration, or the deployed environment.

Recommendations to Enhance Your Cyber Security

While it does enhance your cyber security posture, complying with certain standards does not instantly make you, your systems, or your people secure. Not only do you need the right security measures in place, you need to follow the right approach to security, with the right people. Be selective about the vendor you choose, and build a long-term relationship with that vendor, working together to gain results that fit your organisation’s profile and expectations.

Having conducted incident response investigations across a wide range of industries, SecurityHQ is well placed to work with businesses large and small, across numerous technical environments, to reduce the impact of a cyber security incident. For more information on these threats, speak to an expert here.

Or, if you suspect a security incident, you can report an incident here.

EDR Essentials From an Analyst Perspective
https://www.securityhq.com/blog/edr-essentials-from-an-analyst-perspective/
Wed, 17 Aug 2022

See what makes a good EDR service, from the eyes of an expert analyst.

EDR stands for Endpoint Detection & Response. This is a cyber security service, usually delivered by a Managed Security Services Provider (MSSP), which continuously monitors endpoints (workstations, servers and other devices) and responds to cyber threats, drawing on known malware indicators and threat feeds as well as behavioural and signature-based alerts.

How to Compare EDR Solutions

  1. An EDR solution should be able to analyse all the events from a machine and provide the user with Indicators of Attack (IOAs), applying behavioural analysis to all processes. The right EDR solution should know what normal behaviour looks like for software from any vendor, not just for one particular vendor’s products.
  2. From an analyst’s perspective, an EDR should have as many detection rules and signatures as possible: the more signatures it has, the more ways it has of identifying a threat. That holds provided the detections are accurate, since a large signature set with a high false-positive rate only adds noise for the analyst.

So, if you compare EDR solutions by running the same malware attack simulation against each, you can count how many detections are gathered in terms of tactics and techniques; the solution with the highest coverage will be the strongest. For instance, in the MITRE Engenuity ATT&CK Evaluation, in which the EDR capabilities powered by SentinelOne were tested alongside other products, SentinelOne was able to detect all the TTPs and then map them to behavioural analytics.

‘The MITRE ATT&CK framework is, in essence, a knowledge base of adversary tactics, techniques, and procedures (TTPs). These TTPs are based on real-world observations, used by various threat actors, that have been made globally accessible to be used as the foundation for threat models and methodologies. It is important to highlight how innovative this framework is. It has shifted the balance with regards to cyber warfare and created a means of allowing security teams in all sectors, from anywhere around the world, to see the different stages of adversarial attack, and help raise awareness of the mechanisms which can be used by attackers to launch attacks.’ – How the MITRE ATT&CK Framework Has Revolutionised Cyber Security

The Importance of Threat Intelligence Integration

Not only should an EDR have the capability to detect and analyse the maximum amount of telemetry, it should also have strong threat intelligence integration, ingesting indicators and data from intelligence sources everywhere. To make use of this, you need a team conducting proactive threat hunting, looking at the real-time attacks that are happening around the world.

Not all EDR solutions provide a way to do threat hunting, so they won’t all allow you to run complex queries. Some solutions do provide this capability, and with it they should also let you create your own custom queries and custom alerts.

Historic Logs and Cloud Storage

You need historical visibility. Alongside real-time monitoring, you should be able to look back at historic logs to see what happened in the past. The more history you can keep, the better, because you never know which logs you will need; to maximise retention, these logs should be stored in the Cloud.

For on-premises deployments you have a single appliance in your organisation that talks to the Cloud, with the data stored within your organisation itself. It is good that the data does not leave your organisation, but that appliance is a single point of failure. For more on Cloud security, read our blog on ‘How Managed Security Service Providers (MSSPs) Are Responding to Cloud Acceleration’.

The Importance of a Dedicated Team

To run EDR properly, a dedicated team operating 24/7 is required: people who can look at all the alerts, review the configuration every month, and actively watch for alerts arriving on the console. This ensures that nothing is missed, that things are kept up to date, and that exclusions and inclusions are created so that everything runs as expected.

EDR will give you an alert when a signature matches, but there may be many other elements EDR has detected without alerting you on them. It alerts when it identifies a story, or incident: for instance, a user jumped from one machine to another, from that machine ran PowerShell, and within that PowerShell ran a script, and so on. That chain would create an incident. But a user jumping onto a machine, on its own, will not create an incident or alert.
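To make the distinction between a single event and a story concrete, here is an added example (not SecurityHQ code, and not tied to any particular EDR product) that correlates constructed endpoint telemetry into an incident. A remote logon on its own produces nothing; a logon followed by PowerShell and then a script launched from it, on the same host, for the same user, within a short window, completes the chain and becomes an incident. The event shapes, hosts and user names are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry standing in for EDR events:
# (timestamp, host, user, event kind, detail). Not real data.
EVENTS = [
    ("2024-06-01T09:00:00", "WS-01", "alice", "logon",   "remote logon from WS-07"),
    ("2024-06-01T09:01:10", "WS-01", "alice", "process", "powershell.exe"),
    ("2024-06-01T09:01:40", "WS-01", "alice", "script",  "powershell.exe -> invoice.ps1"),
    ("2024-06-01T10:30:00", "WS-02", "bob",   "logon",   "remote logon from WS-09"),
    ("2024-06-01T14:00:00", "WS-02", "bob",   "process", "excel.exe"),
]

# The story the correlation looks for, in order, on one host for one user.
CHAIN = ("logon", "process", "script")
WINDOW = timedelta(minutes=10)   # each stage must follow the previous within this


def correlate(events, chain=CHAIN, window=WINDOW):
    """Return one incident per (host, user) whose events complete the chain.

    Events are grouped per host and user and walked in time order. A stage
    only counts if it occurs within `window` of the previous matched stage;
    otherwise the partial chain is discarded and matching starts again. A
    chain that never completes (e.g. a bare logon) produces no incident.
    """
    by_key = {}
    for ts, host, user, kind, detail in sorted(events):
        by_key.setdefault((host, user), []).append(
            (datetime.fromisoformat(ts), kind, detail))

    incidents = []
    for (host, user), evs in by_key.items():
        stage, matched, last_time = 0, [], None
        for t, kind, detail in evs:
            if stage > 0 and t - last_time > window:
                stage, matched = 0, []          # chain went stale, start over
            if stage < len(chain) and kind == chain[stage]:
                matched.append((t.isoformat(), kind, detail))
                last_time = t
                stage += 1
                if stage == len(chain):
                    incidents.append({"host": host, "user": user, "chain": matched})
                    break
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(f"INCIDENT on {inc['host']} for {inc['user']}:")
        for t, kind, detail in inc["chain"]:
            print(f"  {t}  {kind:8s} {detail}")
```

Run against the sample, only alice's chain on WS-01 is reported; bob's logon followed hours later by an ordinary process never completes the story, which is exactly the kind of quiet telemetry an analyst still needs to review.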

People should realise that EDR is not just the alerts it produces, but the investigation behind them. That is why you need a team actively looking at these elements for you.

What Solutions on the Market Can and Can’t EDR Replace?

EDR cannot replace a Firewall. It does provide some of the functionality, but a Firewall is very specific, and it is always recommended to keep the Firewall doing the firewall jobs and the EDR separate. EDR can, however, replace any existing antivirus solution. So, while it cannot replace a Web Application Firewall or any perimeter device, it can replace any existing endpoint-related solution.

Action Plan Moving Forward

You cannot stop threats, or stop attackers from creating new payloads and new ways to penetrate your security controls. The only thing to do is to strengthen the security you have in place. This means Zero Trust. Every company should follow the zero-trust model; there should not be any relaxation in that. Download our white paper on ‘Ransomware Controls – SecurityHQ’s Zero Trust x40’ for more on this and for practical tips and tricks.

Every organisation should have its own zero-trust model, and should regularly go through an assessment in which it treats everything as compromised, then addresses and reviews the plan of action for recovery and worst-case scenarios. That way teams are prepared for every event.

Containment of a threat is the easier part, because it is just isolating the machines from the network. Recovering from it is where most organisations fail.

For more information on EDR and how it works, speak to an expert here.

Or if you suspect a security incident, you can report an incident here.

How Managed Security Service Providers (MSSPs) Are Responding to Cloud Acceleration https://www.securityhq.com/blog/how-managed-security-service-providers-mssps-are-responding-to-cloud-acceleration/ Tue, 05 Apr 2022 08:57:05 +0000 https://www.securityhq.com/?p=6383 A move to Cloud, otherwise referred to as the ‘Cloud Shift’, has triggered a change in the way organisations run and is accelerating across business. But how are security teams responding?

A move to Cloud, otherwise referred to as the ‘Cloud Shift’, has triggered a change in the way organisations run and is accelerating across business.

As a leading MSSP (Managed Security Services Provider), SecurityHQ has experienced this shift across practically every sector and, in response, is highlighting the new threats that are emerging from it. To see how MSSPs, and their services, are continually evolving, read this interview with CEO Feras Tappuni.

The Positives and Negatives of Cloud Adoption

A Positive to Business – Cost Reduction!

Now that this model of service has been tried and tested and is gaining confidence, even smaller companies are choosing to make the shift to cost-effective models of Cloud operation.

A Negative for Business – Greater Threat Surface!

While costs may be reduced, a change in Cloud configurations and administration means that there are many new opportunities for adversaries to detect vulnerabilities, and to exploit misconfigurations in Cloud environments.

Businesses must take the following key points into consideration to reduce their threat surface when making the shift to Cloud.

A Shift to API Monitoring

With many additional intercommunications between applications and automations, Application Programming Interfaces (APIs) are more powerful than ever. Almost all admin activities and enumeration activities are possible via API calls. One such example is the enumeration of all S3 buckets:

The following command uses the list-buckets operation to display the names of all your Amazon S3 buckets (across all regions):

aws s3api list-buckets --query "Buckets[].Name"

Typically, developers use this a lot. However, with some modelling and learning of what normal usage looks like, we can catch bad actors here.
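As an added example of the ‘modelling and learning’ mentioned above (this is not SecurityHQ code or any vendor's detection content): the `aws s3api list-buckets` call above is recorded by CloudTrail under the event name `ListBuckets`. The code learns, from a quiet baseline period, which principals normally enumerate buckets and from which source addresses, then flags two things in new events: a principal/IP pair that has never enumerated before, and a burst of enumeration calls inside a short window. All records, the account id, the role and user ARNs and the IP addresses are constructed; the burst threshold and window are illustrative assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# CloudTrail records `aws s3api list-buckets` with eventName "ListBuckets".
ENUM_EVENTS = {"ListBuckets"}


def ev(time, arn, ip, name="ListBuckets"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip}


# Constructed identities: placeholder account id, documentation IP ranges.
DEPLOY = "arn:aws:sts::123456789012:assumed-role/deploy-role/ci"
CONTRACTOR = "arn:aws:iam::123456789012:user/contractor"

BASELINE_EVENTS = [                       # a quiet learning period
    ev("2024-05-01T08:00:00Z", DEPLOY, "10.0.1.5"),
    ev("2024-05-08T08:00:00Z", DEPLOY, "10.0.1.5"),
    ev("2024-05-15T08:00:00Z", DEPLOY, "10.0.1.5"),
]

NEW_EVENTS = [
    ev("2024-06-01T09:00:00Z", DEPLOY, "10.0.1.5"),               # known pair, fine
    ev("2024-06-01T09:02:00Z", DEPLOY, "10.0.1.5", "GetObject"),  # not enumeration
    ev("2024-06-01T09:05:00Z", CONTRACTOR, "203.0.113.9"),        # never enumerated before
] + [ev(f"2024-06-01T09:10:{10 * i:02d}Z", DEPLOY, "10.0.1.5")    # six calls in 50 seconds
     for i in range(6)]


def learn_baseline(events):
    """Map principal -> set of source IPs seen calling an enumeration API."""
    baseline = defaultdict(set)
    for e in events:
        if e["eventName"] in ENUM_EVENTS:
            baseline[e["userIdentity"]["arn"]].add(e["sourceIPAddress"])
    return baseline


def detect(events, baseline, burst=5, window=timedelta(minutes=5)):
    """Return findings: unseen principal/IP pairs and enumeration bursts.

    Each pair and each burst is reported once, so a noisy principal does
    not flood the analyst with one finding per call.
    """
    findings, seen_pairs, bursted = [], set(), set()
    recent = defaultdict(deque)            # principal -> timestamps inside window
    for e in sorted(events, key=lambda e: e["eventTime"]):
        if e["eventName"] not in ENUM_EVENTS:
            continue
        who, ip = e["userIdentity"]["arn"], e["sourceIPAddress"]
        t = datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00"))
        if ip not in baseline.get(who, set()) and (who, ip) not in seen_pairs:
            seen_pairs.add((who, ip))
            findings.append({"type": "new_principal_or_ip", "principal": who, "ip": ip})
        q = recent[who]
        q.append(t)
        while t - q[0] > window:           # drop calls older than the window
            q.popleft()
        if len(q) >= burst and who not in bursted:
            bursted.add(who)
            findings.append({"type": "enumeration_burst", "principal": who, "count": len(q)})
    return findings


if __name__ == "__main__":
    for f in detect(NEW_EVENTS, learn_baseline(BASELINE_EVENTS)):
        print(f)
```

The single `GetObject` call is ignored because only enumeration events are modelled, the CI role's one routine call is accepted because it matches the baseline, and the contractor's first-ever `ListBuckets` plus the CI role's burst are the two findings that reach the console.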

Federated Accounts

With hybrid Cloud models, often during transition phases, we may see attackers abusing trust relationships where cloud accounts are still integrated with traditional identity management systems, such as Windows Active Directory. It is important to monitor behavioural use cases, to watch for and catch adversaries moving laterally to Cloud resources.

Misconfigurations

This age-old technique of leveraging misconfigurations is still relevant. Although many Cloud computing solutions today allow auto-fixing of overly permissive policies or configurations, business continuity and the pressure to get things working will always take higher priority.

Watch out for default security group configurations, which allow unrestricted outbound access. This is an easy channel for adversaries to conduct data exfiltration.
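An added example of the check described above (not SecurityHQ code): it walks a `describe-security-groups`-shaped list and reports every egress rule whose destination is any address, ranking the AWS default-group shape (protocol `-1`, every port, `0.0.0.0/0` or `::/0`) highest because it is the widest exfiltration channel. The field names are the real ones from that API's output; the group ids, names and CIDRs are constructed.

```python
# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Field names are real; ids, names and CIDRs are placeholders.
SECURITY_GROUPS = [
    {"GroupId": "sg-0default0", "GroupName": "default",
     "IpPermissionsEgress": [
         {"IpProtocol": "-1",
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
          "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
    {"GroupId": "sg-0web00000", "GroupName": "web",
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0db000000", "GroupName": "db",
     "IpPermissionsEgress": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []}]},
]

ANY_CIDR = {"0.0.0.0/0", "::/0"}


def open_egress(groups):
    """Return one finding per egress rule that can reach any address.

    `all_protocols` is True for the default-group shape (IpProtocol "-1",
    which in AWS means every protocol and port); such rules are rated high.
    A rule open to the world on a single port is still reported, rated
    medium, so it can be reviewed rather than silently accepted.
    """
    findings = []
    for g in groups:
        for rule in g.get("IpPermissionsEgress", []):
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            hit = sorted(c for c in cidrs if c in ANY_CIDR)
            if not hit:
                continue
            all_proto = rule["IpProtocol"] == "-1"
            findings.append({
                "group": g["GroupId"], "name": g["GroupName"], "cidrs": hit,
                "all_protocols": all_proto,
                "ports": "all" if all_proto else f"{rule['FromPort']}-{rule['ToPort']}",
                "severity": "high" if all_proto else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in open_egress(SECURITY_GROUPS):
        print(f"[{f['severity']:6s}] {f['group']} ({f['name']}): "
              f"egress {f['ports']} to {', '.join(f['cidrs'])}")
```

The `db` group, which only talks out to an internal range, produces nothing; the untouched `default` group is the high finding, and the web group's outbound 443-to-anywhere is the medium one that usually turns out to be deliberate but should be on record.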

Firewall Controls

With Cloud infrastructure, the pricing model depends greatly on the storage being utilised. In many cases you may notice that logs consume more storage than the application itself. Traditionally, in on-prem models, monitoring the perimeter security firewalls was crucial, and further internal activity revolved around the application and access logs generated by the systems themselves.

With Cloud monitoring, Virtual Private Cloud (VPC) traffic is an essential element to monitor, especially traffic between different security groups. Because VPC flow logs tend to be noisy, this can be optimised by logging only the flows around your crown jewels.

Several use cases can be built around VPC flow logs to detect traditional access attempts and excessive failures, which may indicate either a broken service or an attack.
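Here is one such use case as an added example (not SecurityHQ code): it parses records in the default VPC flow log format (version 2, space-separated fields in the documented order), skips `NODATA`/`SKIPDATA` records, and reports any source/destination pair with an excessive number of `REJECT` entries together with the destination ports hit. Whether a hit is a misconfigured service retrying or something hostile is then an analyst's call, but the grouping is what makes the noisy log reviewable. The sample records, interface id and account id are constructed; the threshold is an illustrative assumption.

```python
from collections import defaultdict

# Field order of the default (version 2) VPC flow log record format.
FIELDS = ("version account-id interface-id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log-status").split()

# Constructed sample records: six rejected SSH attempts from one host within a
# minute, one accepted HTTPS flow, one isolated reject, and a NODATA record.
SAMPLE_LINES = [
    f"2 123456789012 eni-0a1b2c3d 10.0.2.15 10.0.1.20 {44320 + i} 22 6 3 180 "
    f"1718000000 1718000060 REJECT OK" for i in range(6)
] + [
    "2 123456789012 eni-0a1b2c3d 10.0.3.7 10.0.1.20 51000 443 6 20 4000 1718000000 1718000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.3.7 10.0.1.20 51001 22 6 2 120 1718000000 1718000060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1718000000 1718000060 - NODATA",
]


def parse_flow_log(line):
    """Parse one default-format record; return None for records without traffic data."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count: {line!r}")
    rec = dict(zip(FIELDS, parts))
    if rec["log-status"] != "OK":        # NODATA / SKIPDATA carry '-' placeholders
        return None
    for k in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[k] = int(rec[k])
    return rec


def excessive_rejects(lines, threshold=5):
    """Group REJECTs by (src, dst); report pairs at or above threshold with ports hit."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    for line in lines:
        rec = parse_flow_log(line)
        if rec is None or rec["action"] != "REJECT":
            continue
        key = (rec["srcaddr"], rec["dstaddr"])
        counts[key] += 1
        ports[key].add(rec["dstport"])
    return [{"src": s, "dst": d, "rejects": n, "dst_ports": sorted(ports[(s, d)])}
            for (s, d), n in sorted(counts.items()) if n >= threshold]


if __name__ == "__main__":
    for f in excessive_rejects(SAMPLE_LINES):
        print(f"{f['src']} -> {f['dst']}: {f['rejects']} rejects on ports {f['dst_ports']}")
```

The lone reject from 10.0.3.7 stays below the threshold and is not reported, which is the trade-off the paragraph describes: a threshold tuned to your crown jewels keeps the output short at the cost of hiding slow, patient failures, so the threshold belongs in a reviewed detection rule rather than a constant.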

Correlation

Correlation is a key element when it comes to Cloud-based models. We cannot rely on one single data domain. Typically, in Cloud infrastructure, taking AWS as an example, you will correlate data from the following sources:

  • Network checks: IAM, CloudTrail, VPC, S3 Bucket, Route 53
  • Host checks: IAM, CloudTrail, Process Creation
  • Application-level checks: AD logs, DB queries, CloudTrail, CloudWatch, any vendor application logs

An Attacker’s Eye View

An attacker will usually follow the sequence below.

  1. Check for exposed services
  2. Exploit a vulnerable or misconfigured service
  3. Escalate privilege
  4. Move laterally
  5. Detonate – final objective

It is just that the indicators or trails left by an attack are different when it comes to Cloud-based attacks. This means it becomes increasingly important to know how the client is set up on the cloud, which is crucial for investigation, especially with serverless computing.

Having conducted incident response investigations across a wide range of industries, SecurityHQ is best placed to work with businesses large and small, across numerous technical environments, to reduce the impact of a cyber security incident. For more information on these Cloud-related threats, speak to an expert here.

Or if you suspect a security incident, you can report an incident here.

The Advantages of Partnering with an MSSP or Building a SOC Internally https://www.securityhq.com/blog/the-advantages-of-partnering-with-an-mssp-or-building-a-soc-internally/ Thu, 27 Jan 2022 09:31:00 +0000 https://www.securityhq.com/?p=5670 Outsourcing to an MSSP (Managed Security Service Provider) or building an internal SOC (Security Operations Center): each comes with its own set of advantages and challenges. See the benefits that best suit you.

Outsourcing to an MSSP (Managed Security Service Provider) or building an internal SOC (Security Operations Center): each comes with its own set of advantages and challenges.

The aim of both is to enhance your cyber security, develop your systems, and protect your data, processes, and people. However, knowing which strategy to take can be a hard decision to make, especially if you are unsure of what each approach requires in the first place.

What Is a Security Operations Center (SOC)?

A Security Operations Centre (SOC) is defined as a ‘centralised unit that deals with security issues on an organisational and technical level’. It acts as a facility that houses the information used to monitor and analyse a network or business’s security posture. It usually comprises a team of analysts who detect, analyse, and respond to cyber threats, alerts, and incidents.

What Is a Managed Security Service Provider (MSSP)?

A Managed Security Services Provider, otherwise known as an MSSP, is a provider that supplies a multitude of different security services, such as MDR, XDR, Firewall Management, Vulnerability Management, EDR and more, to enhance the security of a business. At the heart of an MSSP is usually a SOC, available 24/7 and run by expert engineers and analysts, which costs customers a fraction of what it would cost to build an in-house SOC. An MSSP can ensure that you are legally compliant, help mitigate threats, and reduce costly disaster repairs if you are attacked. But, most importantly, an MSSP will support your foundations, so that the business can keep on growing without the constant worry that security will cause its collapse.

Both strategies will enhance your security posture, but choosing the right one usually comes down to the skills, people, processes, and price involved. There are many benefits to both options.

Key Benefits of Building Your Own SOC

For organisations with a larger budget, creating a SOC can be an appealing concept. With a sizeable financial plan, building your own SOC will give you a great deal of autonomy and control over how you want your SOC team to run and the features used to support your business.

Some key benefits include the following:

  • Build Your Own Team. It takes a minimum of 11 security experts to run a SOC 24/7, 365 days a year. People are at the heart of every security operation, and a SOC team usually comprises level 1 to level 4 analysts. By running your own SOC, you hire your own team of experts to manage and deliver your security, which means you have full autonomy in forming your team and creating positions responsible for various networks.
  • Partner with Who You Want. Being responsible for your own environment means that you hold a large amount of control over what you want to implement and the technology partners you want to work with.
  • Logs Are Held Locally. Your data stays with you, and you have the ability to tailor your SIEM solution to your specific needs.
  • Recurring Revenue. If you run your own SOC, clients stay with you, often for years.

Key Benefits of Using an MSSP

However, if you do not have the time to create, hire and train a whole SOC team, or you do not have the budget for such a venture, an MSSP is a more realistic option that can provide the same results and save you time and money in the process.

The benefits of partnering with an MSSP include:

  • Expert SOC Analysts. Highly trained analysts are not only rare, but expensive. By using an MSSP, and the experts dedicated to assisting you, you save money and the time it would take to hire and retain talent.
  • Round-the-Clock Service. An MSSP provides full security 24/7, every day of the year, regardless of holidays, working schedules or natural disasters. 24/7 means supported by humans, not just automated machines, so that you have someone to help no matter when or where.
  • Rapid Response and SLA. Your MSSP should have a hotline number to call if you suspect an incident. They should also have an app through which you can contact the team directly, and a designated service delivery manager to call upon once signed up. Your provider must have an SLA, and it must detail the speed of response and the commitment to it.
  • Disaster Recovery. Be it natural disaster or cyber threat, the right MSSP will help you plan for all instances. That way data remains secure from both sides, and business can carry on as usual, regardless of the circumstance.
  • Continual Support. If your employees are continually dealing with security issues themselves and can’t get on with their actual jobs, an MSSP provides fast answers to security questions and responds to threats at lightning speed.
  • Proactive, not Reactive. With an MSSP, experts will push your business to continually make the right updates, and proactively search out issues before they are found by the wrong people and used against the business.
  • Third-party Partnerships Maintained. Your MSSP should already have the right processes in place as part of the package. This not only saves you time tracking down providers but ensures that the right tools are used in the right way.
  • Realistic Budget. The right MSSP will discuss and provide options for your security needs, alongside your own workforce, and explore what yearly planning looks like for your business to save money and improve efficiency. They should also provide fixed pricing; you need a single point of contact not only technically, for delivery, but also commercially.

What to Do Going Forward

Whatever solution you opt for, always keep in mind that the outcome should improve business efficiency by saving you time, utilising the right resources, and putting into action the services most appropriate for you.

If you don’t know where to start, or what to look for in an MSSP, read more in Choosing Your Managed Security Service Provider (MSSP). 7 Steps to Consider.

Or, if you are unsure on what route to take and would like more details, contact the SecurityHQ experts here.

How Managed Data Security Can Benefit Your Business https://www.securityhq.com/blog/how-managed-data-security-can-benefit-your-business/ Fri, 08 Oct 2021 09:36:49 +0000 https://www.securityhq.com/?p=5339 Your business collects, stores and uses critical data on a daily basis. Not only do businesses hold a vast amount of data but they have hundreds, sometimes thousands, of databases and sub-databases. A business will have a database for their address book, another for leads, another for locations, and they are all interlinked to form […]

Your business collects, stores and uses critical data on a daily basis. Not only do businesses hold a vast amount of data but they have hundreds, sometimes thousands, of databases and sub-databases. A business will have a database for their address book, another for leads, another for locations, and they are all interlinked to form a single GUI (Graphical User Interface) that the user will then see on their screen. But for online business you also have finance, banking, payment, credit card information, legal records, and these are the crown jewels of any business.

Which means that every organisation, regardless of size or sector, needs a strategy to protect and govern their critical databases to safeguard against both internal and external attacks and threats.

But many businesses are not prepared to tackle, spot, or respond to a data breach, despite knowing how sensitive and valuable their databases are. In fact, according to IBM’s ‘Cost of a Data Breach’ report, the average cost of a breach is $3.86 million. And, as stated by IDG Research Services, ‘78% of IT leaders lack confidence in their companies’ cyber security posture’.

How Managed Data Security Can Improve Business Security

Managed Data Security protects critical databases, prevents leaks, and ensures compliance across heterogeneous environments, data warehouses and big data environments. It works by protecting structured and unstructured databases and by constantly monitoring structured and unstructured data traffic.

It is used as a method to govern and control integration with IT management and additional security solutions. That way data protection is comprehensive and clear for all.

Effective compliance requires validation activities via a centralised audit repository, combined with an integrated workflow automation platform. Managed Data Security maintains this compliance element so that businesses can carry on with their activities, knowing that automation is speeding up their processes and improving time efficiency.

According to Ali Al-Rubaya, Service Delivery Manager, SecurityHQ: ‘Managed Data Security is an incredibly valuable tool to business, as it can be used to control and monitor auditable events from the chosen databases. This can be used, for instance, to monitor user behaviour in terms of the authentication against a database/databases, any inbound and outbound suspicious network traffic, and the detection of data exfiltration of large data transfers. By spotting potential malicious transfers quickly, businesses can respond to threats faster and, as a consequence, take actions to mitigate the threat and protect their data.’

The Benefits of Managed Data Security

There are multiple benefits of Managed Data Security, including the ability to:

  • Track sensitive data in your environment.
  • Provide complete visibility and detailed analysis into database transactions.
  • Examine and implement policies, including access controls to sensitive data, database change control, and privileged user actions.
  • Automate compliance auditing processes.
  • Assess database vulnerabilities.
  • Detect and track configuration flaws.
  • Track movements of end users.
  • Create a single, reliable, and integrated audit repository across heterogeneous systems and databases.

What’s Next?

Once you understand the risks around databases, who is using them and when they are using them, the implementation of User Behaviour Analytics (UBA) can be used to categorise patterns of user behaviour, to understand what constitutes normal behaviour, and to detect abnormal activity.

By understanding those patterns, businesses gain greater visibility to create context-driven use cases, so that if an unusual action is made on a device on a given network, such as an employee login late at night, inconsistent remote access, or an unusually high number of downloads, the action and user are given a risk score based on their activity, patterns, and time.
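To show what ‘a risk score based on activity, patterns, and time’ amounts to in practice, here is an added example (not SecurityHQ code, and not any vendor's UBA scoring model). A profile of normal behaviour is learned from a user's history (usual login hours, known access sources, typical download volume) and a new session is scored against it, with a reason attached to each contribution so an analyst can see why the score is what it is. The history, sources and weights are all constructed assumptions; the three signals are the ones named in the paragraph above.

```python
from datetime import datetime
from statistics import mean

# Constructed history for one user: (timestamp, access source, files downloaded).
HISTORY = [
    ("2024-05-06T09:12:00", "office-lan", 4),
    ("2024-05-07T08:55:00", "office-lan", 6),
    ("2024-05-08T09:30:00", "vpn-uk", 3),
    ("2024-05-09T10:05:00", "office-lan", 5),
    ("2024-05-10T17:40:00", "office-lan", 2),
]

# Illustrative weights for the three signals the text names (assumptions).
W_ODD_HOUR, W_NEW_SOURCE, W_BULK_DOWNLOAD = 40, 30, 30
BULK_FACTOR = 3          # downloads above this multiple of the mean count as bulk


def learn_profile(history):
    """Baseline of normal behaviour: login hours, known sources, typical downloads."""
    return {
        "hours": {datetime.fromisoformat(ts).hour for ts, _, _ in history},
        "sources": {src for _, src, _ in history},
        "mean_downloads": mean(n for _, _, n in history),
    }


def risk_score(profile, ts, source, downloads):
    """Score one session 0..100 against the profile and explain each contribution."""
    score, reasons = 0, []
    hour = datetime.fromisoformat(ts).hour
    if hour not in profile["hours"]:
        score += W_ODD_HOUR
        reasons.append(f"login at {hour:02d}:00 is outside usual hours")
    if source not in profile["sources"]:
        score += W_NEW_SOURCE
        reasons.append(f"access from unfamiliar source {source!r}")
    if downloads > BULK_FACTOR * profile["mean_downloads"]:
        score += W_BULK_DOWNLOAD
        reasons.append(f"{downloads} downloads vs typical {profile['mean_downloads']:.1f}")
    return min(score, 100), reasons


if __name__ == "__main__":
    profile = learn_profile(HISTORY)
    for session in [("2024-05-13T09:05:00", "office-lan", 5),      # ordinary morning
                    ("2024-05-14T23:00:00", "office-lan", 3),      # late, otherwise normal
                    ("2024-05-14T02:15:00", "vpn-unknown", 40)]:   # all three signals
        score, why = risk_score(profile, *session)
        print(session, "->", score, "; ".join(why))
```

The value of the reasons list is that a score of 40 for one late login reads very differently from a score of 100 with three independent signals, which is what lets a SOC triage by score without losing the context behind it.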

To learn more about how UBA or Managed Data Security works, contact us here to speak with an expert.

XDR -Security Jargon or the Real Deal? https://www.securityhq.com/blog/behind-the-xdr-hype-security-jargon-or-the-real-deal/ Mon, 02 Aug 2021 10:36:10 +0000 https://www.securityhq.com/?p=5043 There is a shiny new toy in the cyber security domain, and it goes by the abbreviated term of XDR. Extended Detection and Response (XDR) claims to be the latest in detection, investigation and response. But with Endpoint Detection and Response (EDR) and Managed Detection & Response (MDR) already providing these features advertised within XDR, […]

There is a shiny new toy in the cyber security domain, and it goes by the abbreviated term of XDR. Extended Detection and Response (XDR) claims to be the latest in detection, investigation and response. But with Endpoint Detection and Response (EDR) and Managed Detection & Response (MDR) already providing these features advertised within XDR, what are the differences?

The Security Challenge

A lot of organisations do not have a dedicated security team. At most, they might have one or two dedicated individuals. For the majority, IT still runs the show, but these IT teams still don’t understand security, which means they need to be told what to do. Very few organisations can afford to have two separate teams; a business must be at a certain scale to afford an IT team and a security team simultaneously.

Most organisations, around 60% in fact, still don’t have a Security Operations Centre (SOC). And even those that claim to have a SOC are not fully functioning, as about 25% only operate during business hours. On top of that, an even smaller percentage are monitored by people 24/7 to handle the alerts that are coming in. Automation 24/7 is no good if a real-life human cannot respond to the alerts accurately and rapidly.

Most businesses have invested in Firewalls, Intrusion Detection Systems, etc., so they have the toolset, but they have not configured the tools, and are continuously going through the process of upgrading and changing them. What’s more, they have no escalation capability. They might have some capability to detect, but very limited capability to respond.

‘At best, these businesses identify, mitigate, and fry the machine. That is not cyber. That is like putting a band aid on an open wound, it’s not the surgery needed. Most are now realising that they are out of their depth if an attack were to take place. Every week we deal with around 15 customers to walk them through the process of what they need to do in such an event. And they all want the same thing – 24/7, an SLA, fixed cost etc. Over a year ago we had a lot of questions about our tool set, now businesses don’t care, they just want it dealt with. If you are in a restaurant, you don’t want to go into the kitchen, you just want your food brought to you and to enjoy what’s yours.’ – Feras Tappuni, CEO, SecurityHQ

But this lack of understanding regarding tooling is an issue for businesses looking to invest. There are lots of shiny new toys in the security world, but many are old toys, dressed up as new, for a far greater price.

The Real Deal Behind XDR

At SecurityHQ, we get vendors asking about XDR daily, ‘Is it worth it?’ and ‘Why is it being pushed?’, mainly because the definitions of XDR online are so ambiguous.

There are acronyms on top of existing acronyms, blurred definitions and jargon used to push the latest talking point. A year ago, everyone was talking about Endpoint Protection (EPP). This year the focus is on Threat Intelligence, and next year it will be something else. This means that businesses push their services to align with the latest buzzword.

But to keep up with new threats, businesses now require different combinations of detection and response capabilities, and this is where XDR comes in. SecurityHQ offers XDR with multiple feature options, to ensure an enhanced security posture specific to the client: combined Network Detection and Response, Endpoint Detection and Response, SIEM, User Behaviour Analytics, and 24/7 SOC capabilities for real-time detection and active response. Receive 360-degree visibility that constantly evolves and adapts to your hybrid, multi-cloud IT environment, across your logs, endpoints, and network, to increase the speed of detection and remediation of both known and unknown threats.

Actions Going Forward

One of the positives that has come from remote working is that people are no longer being completely blinded by all the nonsense and noise generated at grand security events. Everyone claims that they do something different when they don’t. But they look at what’s happening in the booth next to them and they need to compete. That’s just the way companies out-market one another, and it is not going to change. So you need to be wary of that when selecting an MSSP or security service.

‘It’s the same thing, you have vanilla, you have chocolate, you have strawberry flavours, but it is still all ice cream. Don’t get confused because it has sprinkles on it. They are not even real sprinkles, you get those already, but you are going to pay a lot more for the same thing.’ – Feras Tappuni, CEO, SecurityHQ

For more information on XDR, or for any other security related questions, talk with one of our security experts, here.

Or, to report an incident, reach out to us here.
