Menlo: A new approach to preventing security breaches

Posted on : 30-06-2015 | By : john.vincent | In : Cyber Security


At Broadgate, we are always looking out for disruptive technologies. Recently we were introduced to Menlo Security, and we think they absolutely fit the bill.

Menlo emerged from stealth mode officially on June 8th and is hoping to take a share of the $70 billion or so that businesses spend annually on cyber security tools. The thinking behind Menlo is very different from the current approaches of protecting the perimeter or the endpoint, or detecting the vulnerability once it has entered the corporate network.

What Menlo came up with is something that is being called Adaptive Clientless Rendering. In practice, what that means is that the Menlo solution isolates and re-renders all the web content in the cloud and delivers a non-executable, malware-scrubbed copy down to the user. Once received, end users can interact with the content, links, documents and websites within their browser as they would normally BUT without any risk from malware contained within those assets.

Sounds a bit too good to be true? Being naturally sceptical you can imagine that we were very interested to see this in action so we’ve had it running internally for several weeks now. So far, very good!

So what might be the key business problems which Menlo addresses? A few use cases are:

1) Safe Access to Uncategorized Web Sites – Isolating uncategorized Web sites via the Menlo Security Platform enables users to safely access more of the Web while reducing the risk of malware.

2) Safe Viewing of Web Documents – Menlo can eliminate the risks from weaponized documents (.pdf, .doc, .xls, .ppt) by isolating them in the Platform. Administrators can optionally allow users to download “safe” PDF versions of rendered documents (with all active content removed) and can also allow download of original documents for designated users.

3) Eliminate Java and Flash from Endpoints – Potentially harmful content such as Java and Flash is executed within the Platform, delivering a high-fidelity experience to the user without delivering any active content that can infect the endpoint. Administrators can remove Java and Flash on users’ browsers but still allow access to Java and Flash apps without the risk of malware.

4) Safe Email and Anti Phishing – The platform isolates and eliminates malware from sites accessed by clicking on links in emails. Additionally, the Email Isolation Service blocks user inputs to unknown Web sites and thus prevents users from revealing their personal information.

5) Protect Online Applications Against Bots – Operated as a “reverse proxy,” the platform can protect Web applications against fraud perpetrated by bots and other malware on infected endpoints.
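The core defensive idea in the description above, and in the "safe PDF with all active content removed" use case, is that the endpoint only ever receives a copy of the content with everything executable stripped out. The following is an added illustration of that idea for an HTML page, written for this post; it is not Menlo's code and does not reproduce Adaptive Clientless Rendering (which re-renders content in the cloud rather than filtering markup). It removes script, plugin and frame elements together with their bodies, drops inline event handlers and script-bearing URLs, and keeps an audit trail of what was removed. The sample page is constructed for the example.

```python
"""Strip executable content from an HTML document (added example).

This is a simplified filter, not a vendor implementation: it keeps the readable
markup and removes anything a browser would execute or load as a plugin.
"""
from html import escape
from html.parser import HTMLParser

# Elements that carry executable or plugin content; they and their bodies are dropped.
ACTIVE_ELEMENTS = {"script", "object", "embed", "applet", "iframe", "frame", "base", "meta"}
# Attributes that hold a URL the browser would navigate to or fetch.
URL_ATTRS = {"href", "src", "action", "formaction", "data"}
# Void elements never receive a closing tag.
VOID_ELEMENTS = {"br", "img", "hr", "input", "area", "col", "link", "source", "wbr"}


def _safe_url(value):
    """Reject URL schemes that execute code or smuggle a document inline."""
    # Browsers ignore control characters and whitespace inside a scheme, so drop them
    # before comparing; otherwise 'java\tscript:' would slip past a naive check.
    v = "".join(ch for ch in value.strip().lower() if ch > "\x20")
    return not v.startswith(("javascript:", "vbscript:", "data:"))


class ActiveContentStripper(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # fragments of the cleaned document
        self.skip_depth = 0    # > 0 while inside an active element
        self.removed = []      # audit trail: what was stripped, in document order

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.removed.append(f"element:{tag}")
            if tag not in VOID_ELEMENTS:
                self.skip_depth += 1   # body of the element is skipped too
            return
        if self.skip_depth:
            return
        kept = []
        for name, value in attrs:
            if name.startswith("on"):                     # onclick, onerror, onload ...
                self.removed.append(f"attr:{name}")
            elif name == "style":                         # may carry url()/expression()
                self.removed.append(f"attr:{name}")
            elif name in URL_ATTRS and value is not None and not _safe_url(value):
                self.removed.append(f"url:{name}")
            else:
                kept.append((name, value))
        rendered = "".join(
            f' {n}="{escape(v)}"' if v is not None else f" {n}" for n, v in kept
        )
        self.out.append(f"<{tag}{rendered}>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            if tag not in VOID_ELEMENTS:
                self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag in VOID_ELEMENTS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # text is re-escaped, never passed through raw

    def handle_comment(self, data):
        self.removed.append("comment")      # comments can hide conditional content; drop them


def strip_active_content(document):
    """Return (cleaned_html, list_of_removed_items) for an HTML string."""
    parser = ActiveContentStripper()
    parser.feed(document)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample page containing several kinds of active content.
SAMPLE_PAGE = (
    '<html><body><h1>Report</h1><script>alert(1)</script>'
    '<p onclick="steal()">Hello <a href="javascript:alert(1)">link</a>'
    ' and <a href="https://example.com">ok</a></p>'
    '<object data="x.swf"></object><img src="cat.png" onerror="x()"></body></html>'
)

if __name__ == "__main__":
    clean, removed = strip_active_content(SAMPLE_PAGE)
    print(clean)
    print("removed:", removed)
```

The audit trail is the part a defender would actually keep: logging which elements and attributes were stripped from each document gives a cheap signal of how much active content users are being sent, without ever executing any of it on the endpoint.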


So how big is the problem of compromised web sites?

In January 2015, Menlo scanned the Alexa (an Amazon owned web analytics company) top one million sites to see which were vulnerable and/or compromised. In total, the team scanned over 1.75m URLs representing over 750,000 unique domains. The key findings were startling:

  • One in three of the top one million domains scanned were identified as “risky” – meaning that they were either compromised or running vulnerable software
  • More than one in twenty sites, or 6%, were identified by 3rd-party classification services as serving malware or spam, or as being part of a botnet
  • Over one fifth (21%) of sites were running software with known vulnerabilities
  • Of the “uncategorised” sites, 16% were running vulnerable services

Whilst organisations continue to invest in better tools to protect the perimeter, internal network and endpoints (which, of course, need to continue), it is perhaps time to start thinking differently in terms of addressing the source of the problem. The real answer to preventing web based attacks will come from new tools which can completely stop the exploit before it gets near the target. We believe Menlo is one of those products.


If you would like to find out more about Menlo, or arrange a demo, please contact jo.rose@broadgateconsultants.com or call 0203 326 8000 to speak to one of our security consultants.


The CIO Guide to a successful Information Security Practice

Posted on : 30-06-2015 | By : jo.rose | In : Cyber Security


Our colleagues at Corix Partners have recently published on their blog a series of articles highlighting the eight key management rules CIOs and CISOs should follow to build and deliver a successful Information Security practice. We publish below a summary of the series which deconstructs in-depth eight views commonly held by Information Security practitioners and explores the Governance and Leadership dynamics which surround Information Security.

1. Think of Information Security as a Control function and not as a Support function

Information Security within a large organisation is often simplistically seen as a support function, and, as such, many stakeholders expect it to help streamline or ‘enable’ the business. The reality is, Information Security needs to be seen as a control function – and rules (that may be perceived as restrictive) are a necessary part of ensuring its effectiveness. CISOs must have the management skills to effectively communicate the threats facing the information assets to all stakeholders across the business – and they must get everyone on the same page when it comes to ensuring the appropriate controls are put in place to protect these assets.

2. Create a sense of reality around the threats and do not focus only on IT aspects

A commonly held view among Information Security communities is that businesses don’t care enough about Information Security – and decisions are often made from a convenience or cost avoidance perspective. However, a disproportionate focus on technical details and IT issues by the security teams themselves is often to blame for the disengagement with the subject. It’s down to the CISO to effectively communicate to the business the real threats faced by information assets, how this could translate into real consequences across the organisation – and how protective controls can prevent this from happening. If the level of Risk (resulting from the presence or absence of controls) is presented in a language that the businesses can understand, the CISO will build a meaningful dialogue with them that should drive the right decisions.

3. Focus resources on the proper implementation of key Controls and sell success

It’s often believed that Information Security is a chronically underfunded practice, and budgetary limitations are a barrier to its success. However, research by the World Economic Forum (‘‘Risk and Responsibility in a Hyper-connected World’) has shown that many large organisations in fact spend more than 3% of their total IT budgets on cyber security. Despite this, few have reached an acceptable level of cyber security maturity. Instead of requesting budgets to fund new technical initiatives, CISOs should tilt the magnifying glass and focus the resources they do have on the proper implementation of key controls – which have been mapped for a long time and alone can be highly successful in preventing most cyber attacks. Implementing demonstrable controls will give the business confidence that real protective measures are being put in place and that the spend is justified.

4. Pin tactical initiatives against a long-term Information Security roadmap

Within Information Security communities, the CISO is frequently regarded as a ‘firefighter’, working mostly in a reactive manner around cyber security incidents and attacks. This approach is often further fuelled by management’s short-term obsession with audit and compliance issues. While reacting to breaches or acting on regulatory demands will always remain a priority, especially as cyber threats continue to evolve and regulation increases, the key focus should be on addressing the root cause of the underlying problems. The CISO must pin tactical initiatives against the backdrop of a long term transformative Information Security roadmap and think beyond mere technical and tactical solutions. But to be truly successful, the CISO must also have the gravitas to influence lasting change and the personal skills to drive security transformation.

5. Assign Information Security Responsibilities and Accountabilities

Countless security awareness programmes follow the train of thought that Information Security is everyone’s business – across the organisation. While it’s true that everyone in an organisation can do something at their level to protect the business against threats, it cannot be ‘everyone’s responsibility’ – as this attitude can quickly drift towards becoming ‘nobody’s responsibility’. The CIO must ensure that the CISO is accountable for ensuring that the appropriate controls are in place across the organisation, backed by a sound Information Security Governance Framework. They must ensure that accountabilities and responsibilities are cascaded down to all relevant stakeholders across all silos (e.g. HR, Legal, Business units, third-parties etc.).

6. Operate Information Security as a cross-silo practice and not just as a technical discipline

Information Security practice is regularly considered a purely technical discipline. However, information exists in both digital and physical forms and more importantly – is constantly manipulated by people during the business day. While technology should undoubtedly play a strong role, in many industries, a stronger focus on the other elements of Information Security is often required. In order to implement an effective Information Security practice, CISOs need to establish a controls based mind-set across all silos of their organisation.

7. Operate Information Security as an ongoing structured practice and not just a series of technical projects

Information Security practitioners always seem busy with technical projects. In fact, Information Security should be there to provide continuous and long-term protection to the business. Therefore, it should not be approached just as a series of tactical projects with a set start date, end date and check-list of deliverables. All technical projects and tactical initiatives within an organisation’s Information Security practice should be seen as forming part of a structured practice and aligned with a long term Information Security strategic roadmap – aiming to achieve an Information Security vision and deliver lasting change across the organisation.

8. Operate Information Security to focus on People and Process supported by Technology, not just the implementation of the latest Technical Products

In order to ‘keep up with the hackers’ as technology evolves and cyber attacks become increasingly more advanced, many believe that business protection is derived primarily from the implementation of the latest technical products and solutions. While it can be tempting to believe that the latest technology products are going to be the ‘silver bullet’ needed to keep the business safe, in reality there’s often more to consider. It’s critical that the Information Security practice addresses any weaknesses in the organisation’s functional structure (people and processes), before turning to technical products as potential solutions.

Thanks to JC Gaillard and Neil Cordell for this contribution. The full series, ‘The CIO Guide to Information Security Practice: 8 Key Management Pitfalls to Avoid’ can be found on the Corix Partners’ blog.

NEW Broadgate Product Launch: “Assurity”

Posted on : 30-06-2015 | By : john.vincent | In : Cyber Security, Innovation


Since forming Broadgate in 2008 we’ve helped a number of our clients in addressing the challenges posed by the increased internal and external security threat to their organisation and data. Our projects have included deployment of Malware threat platforms, Data Loss Prevention implementation, Cyber Intelligence and Identity and Access Management solutions.

Our experience during this time was that there is a need for a more business focused approach, so we developed our own assessment methodology, which we have now officially launched as a product called ASSURITY. The product addresses three key challenges facing us today:

1) Understanding your business critical assets

2) Calculating your risk exposure

3) Prioritising areas requiring focus and investment

The product is differentiated in the market through not only the comprehensive inputs and modelling, but also by providing quantitative analysis in the form of a Cyber Value at Risk.

ASSURITY is a three step process, as outlined below:

Assurity assessment methodology

Step 01

We profile the organisation from many different data points. This is a critical part of the process as it allows for a more meaningful assessment of the actual risk. C-Level executives can use the product to inform their change programme and investment decisions. It is an iterative approach during which the relative weightings for each criterion are reviewed and discussed with the client to understand carefully the business risk appetite.

Step 02

The assessment is conducted by ingesting a number of different sources from documented artefacts, processes, data and technology into the Assurity product. From this we can assess the current maturity level, a quantified risk level, the potential impact to an organisation of a data breach or security event and also the likelihood of it occurring.

Step 03

The results of the assessment are presented in a form which clearly shows the focus areas for investment or change, and where the organisation is already protected at the appropriate level. We map the results to the GCHQ 10 Steps for security and translate them into language which allows C-Level executives to make informed decisions.

What are the benefits of ASSURITY?

1) Information security assurance – Demonstrating to your clients, suppliers, regulators, shareholders and insurers

2) Optimising security budgets – Avoiding unnecessary investments typically results in a 30% reduction in redundant operational security expenditure, support and maintenance

3) Qualified cyber value at risk – Financial value of corporate assets at risk is defined for input into broader business risk modelling

4) Improved compliance – Security health check defines current information security level

In the ASSURITY report, we focus on four main areas:

Cyber At Risk Score

The Cyber At Risk Score takes a number of internal and external feeds to create a value from which organisations can have a more informed discussion regarding the likelihood of a security breach. We use this across the product to help quantify the impacts against the profile of the organisation.

Gap Analysis against Target Maturity

During the profiling stage we determine the appropriate maturity benchmark for the organisation. This can be based on the internal risk appetite, industry average or other determining factors, and is used to identify shortfalls and strengths, and to focus attention and investments.

Maturity Assessment Heatmap

Here we plot the scores from 10 assessment areas against the Likelihood and Impact of an event. Importantly, we also assign a quantified value at risk which we have determined through the profiling exercise and the current maturity level. This allows C-Level executives to target and prioritise the investment areas.

Strategic Roadmap

The output from the ASSURITY product also forms the basis for the required change programme. We split the initiatives into Quick Wins which have the most immediate impact or target the most vulnerable areas. We also provide the long term remediation plan and ongoing continuous improvement projects to meet the required target baseline.


The ASSURITY product differentiates from other methodologies by being the most complete and accurate assessment that organisations can undertake to really understand their security risk exposure.

If you would like to find out more about the product and to arrange a demo, please contact jo.rose@broadgateconsultants.com or call 0203 326 8000 to speak to one of our security consultants.